Continuing the topic of my recent blog posts, Government Contractors who store or transmit Covered Defense Information (CDI) are required to comply with the 14 control families of the NIST SP 800-171 by December 2017. The DFARS 252.204-7008 clause dictates the security requirements specified by DFARS 252.204-7012 for Safeguarding Covered Defense Information and Cyber Incident Reporting. The intention of the directive is to ensure the safeguards implemented to protect CDI are consistent across nonfederal information systems as they relate to work contracted by the US government.
While the regulation is not intended to impose a burden by requiring additional systems or incurring additional expenses to acquire government contracts, many contractors will not find this to be the case. Although the 800-171 is derived from FIPS 200 and NIST 800-53; the new control set is intended to remove the overhead of the controls specifically geared toward federal agencies. It was expected that most contractors would only need to implement and update policies to comply. This may be valid for contractors who have a mature security baseline in place that contains components of the recommendations included in FIPS 200 or NIST 800-53, it may not be true for all. Unfortunately, for those that do not this regulation may prove to be a challenging and expensive endeavor.
The requirement that I will be focusing on for this post is the need for safeguarding the confidentiality of data at rest. The NIST 800-171 requires contractors to protect the confidentiality of data at rest by employing FIPS-validated cryptography and manage the cryptographic keys that are used for the chosen cryptography employed in the information system. In general terms, this control requires contractors who have systems which process or store CUI safeguard that data effectively with an encryption solution.
What is data at rest?
Data at rest means data that is not moving through networks. Therefore, this generally refers to data stored in persistent storage such as hard drives on servers, workstations, and laptops. Additionally, media such as tapes, CD’s, USB thumb drives and even smartphones can contain data at rest.
What is encryption?
Encryption is the process when data is converted from its original form (plaintext) into an unrecognizable, or encoded text (cyphertext). After being encrypted, the data is unreadable unless an individual has the necessary key or code to decrypt it back to its plaintext form.
Why full disk encryption?
Full disk encryption (FDE) is a security safeguard that protects all data stored on a hard drive from unauthorized access using encryption. With FDE all data is encrypted by default, taking the security decision out of the hands of the user.
Why is it important?
Theft continues to be one of the major causes of data breaches. Common use cases for implementing FDE are to protect data loss due to lost or stolen laptops, smart phones, hard drives or removable media. If a laptop or smartphone falls into the wrong hands, that individual could potentially cause major damage if he or she had access to the CUI contained on that device. However, if the unauthorized user was unable to read the information on the device; then a data breach related to the loss could potentially be avoided.
There are many different encryption methods available. Keeping this in mind, it is important for defense contractors to review their systems to determine what is the best encryption solution to use. Many operating systems include built-in mechanisms for encryption, such as Microsoft’s Bitlocker, and Macintosh’s File Vault. While these options may work well, they are often difficult to manage in a corporate or enterprise environment. In these instances, it is often best to look to a third-party software solution to ensure you are getting the manageability and features you need.
Consider the following when sourcing a system and planning your deployment:
- Find a solution that is easy to implement and manage to limit the burden on your IT support staff. Systems that utilize centralized administration with automated deployment capabilities can streamline installation and day to day management.
- Attempt to find a solution that is compatible with all the client operating systems in your environment. Having only one solution to manage is a major benefit.
- Carefully plan, test, and pilot the intended solution on a test group of machines and users in your environment before rolling out an FDE solution to the full organization.
- Train your IT staff on the procedures for user management, system recovery in case of failure, and the possible issues related to the encryption process and how to manage them.
- Verify users are restricted from disabling the encryption on their systems or attempt to find ways to verify the full disk encryption has not been disabled.
- Do not allow recovery keys to be stored with the client machines and confirm you have a system in place for key management.
- Ensure staff has a general understanding of the solution being deployed to their systems and the need for why it is important. Staff support and acceptance can be beneficial especially if any issues are encountered during or after the deployment.
While the thought of implementing a solution of this magnitude might be a daunting thought for many IT teams; if managed correctly with proper foresight, it can prove to be a smooth and effective implementation.
Does your organization need assistance choosing and implementing the right solutions to become compliant before the December 2017 DFARS compliance deadline? CyberSheath has the expertise to provide you with leading solutions and provide you with the guidance you need. We have a specialized team of Cybersecurity Professionals with proven industry experience to guide and assist your business in achieving compliance.
Venafi, a product vendor for Internet Security, recently revealed results from a global survey of CIOs that believe security defenses are less effective and that they expect to suffer from an attack. The underlying issue, according to Venafi, is due to the prevalence of unprotected and unmanaged cryptographic keys and digital certificates. CIOs admitted in the survey that they are “spending millions of dollars on layered security defenses,” effectively trusting keys and certificates without being able to differentiate between trusted and compromised keys.
Even more troublesome is Gartner’s prediction that by 2017, approximately 50% of the attacks against an enterprise network will come from encrypted traffic, bypassing controls put in place to stop attacks. This prediction means that tools like IDS, behavior-anomaly detection, next-generation firewalls will only function at about 50% capacity, letting through half of the attacks. Additionally, the Ponemon Institute recently revealed that approximately 54% of organizations said: “they lack policy enforcement and remediation for keys and certificates.”
While the survey does point out worrying figures about the underlying digital trust that enterprises rely on, it is important to note that there are ways to rebuild confidence in your keys.
3 Steps to Rebuild Confidence in Your Cryptographic Keys and Certificates
1: Know and understand where your keys are located
Many CIOs in the survey admitted to not knowing where all of their keys and certificates are located. Having a program in place to manage and monitor keys, who has access to them and most importantly, where they are located, will help build confidence in your cryptographic key management program. Knowing that your keys are accounted for will help you reduce the risk of untrusted keys.
2: Establish policies and procedures for how certificates and keys are handled
Having policies and procedures for key management, including those that ensure formal assignment of key management responsibilities in a key custodian role, will make employees managing cryptography more accountable. An established procedure will ensure that key management is handled the right way every time and when there is turnover, the next employee will be following the same procedure, and so on. The main takeaway is that the policies must be, without doubt, enforceable, and the procedures must be known, aligned with policy, implemented, and followed accordingly by key management staff.
3: Log and document all key management activities
Every time key management activity is performed (updated, changed, expired), that activity needs to be logged and documented. Metrics should be collected to get an idea of what is normal behavior and what is not. Suspicious activity or suspected key compromise should be reported and investigated.
While these are just some of the ways to protect your keys and certificates, it goes without saying that attacks coming over SSL/TLS are a real concern (as evidenced by the Heartbleed bug). The survey, which was conducted by an independent market research company, provides some important data on the health of cryptographic key management across industries, according to respondent CIO’s. Given the reliance on cryptography to protect sensitive data, protecting cryptographic keys and understanding encrypted data flows are smart first steps to combating these evolving attacks designed to evade your perimeter defenses using the same techniques used to protect your sensitive data.
Did You Like This Post?
Subscribe to CyberSheath’s blog today to receive email updates as new posts become published.