Enterprise Edge Security: A Strategy Checklist

From IC Insider Thales Trusted Cyber Technologies

By Gina Scinta, Deputy CTO, Thales Trusted Cyber Technologies

In the past, it may have been enough to think about data protection at the core or strategic level. Today, however, defense, intelligence and civilian agencies must extend their data protection strategies all the way to the tactical edge.

The reason for this change in strategy is the way federal agencies’ operating environments are being influenced by digital transformation. An agency’s IT core infrastructure capabilities, previously maintained in headquarters data centers, now are available in cloud and edge environments, effectively making them micro data centers.

Take the Department of Defense, for example. Command posts, mobile command centers – even vehicles, ships and planes – now have core-level IT capabilities. Similarly, at the civilian level, micro data centers exist at the edge, in embassies, hospitals, and branch or field offices.

There are numerous core-level security concerns in these edge environments, ranging from weather conditions to bandwidth issues. Solutions to these concerns carry specific size, weight and power constraints, depending on the environment. Additionally, technology to protect data is necessary at the edge in case the equipment itself is compromised.

It’s important, therefore, to create an effective ecosystem that can protect data at the edge. There are several key considerations to ensure a successful strategy. Let’s take a closer look.

Size concerns and protection from hostile access. The physical environment is a serious consideration for edge security. The government maintains specific size, weight and power (SWaP) requirements for equipment in tactical areas, as well as requirements for how durable it must be in extreme conditions. And because equipment may fall into the wrong hands, data security strategies for such circumstances are essential. NIST has media sanitization policies, emulated in military standards, that address destruction of physical media after overwriting drives multiple times.

Ideally, edge security products should come with a cryptographic erase solution to protect encrypted data. Cryptographic erase enables data encryption keys, used to encrypt/decrypt data, to be erased or destroyed without destroying the storage drive. Regardless of who controls the physical equipment, data will remain encrypted and inaccessible.

Because personnel at the edge may lack experience with data security, edge products must be simple to use, with secure, easy-to-understand default configurations. And because systems at the edge may suffer connectivity issues, they must be able to store and secure data locally; that data can be sent back to the core once the connection is restored. Units must be configurable at both the enterprise and the local level, and when multiple units are connected, they must be manageable and configurable at the enterprise level.

Cryptographic key management. Data encryption at the edge can be difficult for an organization’s IT security teams, which must manage multiple cryptographic keys across many different encryption solutions, each with its own native key management capabilities. Native key management solutions are usually not interoperable, however, which means that system administrators may end up storing cryptographic keys and encrypted data in the same place.

Because of practices like this, centralized key management solutions are essential. They allow for secure storage and backup of encryption keys. Access control policies also are better defined, and encryption tasks can be separated from key management tasks. These solutions provide key lifecycle management, from creation and rotation through backup and destruction. These tasks are vital at the edge, where keys are particularly vulnerable.

Ideally, organizations should look for cryptographic key management solutions that offer hardware security modules as removable tokens. Such products are ideal for the edge, because removing a detachable token keeps encrypted data safe, no matter how remote or hazardous the tactical environment may be.

Authentication and access control. New threats and risks can be worse at the edge because of shifting operational requirements. That calls for simple, scalable solutions for authentication.

The most secure way to limit access to data and applications is through multi-factor authentication. At the edge, it’s important to deploy multi-factor authentication across multiple environments. This will secure access no matter which devices are used, or whether data is maintained locally, on-premises, or in the cloud.

Protection for mission-critical data in transit. Cloud data migration, global collaboration, and bandwidth requirements at the edge have all made much greater demands on high-speed wide-area networks. Data moving across the network is under constant threat, so encrypt everywhere, for both data in motion and at rest.

In transit, data is best protected by network encryptors that enable people, organizations and locations to securely share information. Such network encryptors protect data, video, voice, and metadata from eavesdropping, surveillance, and overt and covert interception. At the edge, that level of encryption is critical.

To make life easier for network architects and IT professionals, it is critically important to look for solutions with vendor-agnostic interoperability. Flexibility is also important because, as we’ve previously noted, security and network requirements are continually changing in edge environments.

Compliance. IT environments become increasingly susceptible to attack as they move out to the edge. Minimizing vulnerability means ensuring compliance with security requirements. To ensure compliance, the same enterprise-level security policies must be used across the architecture. Consequently, look for solutions with certifications from multiple organizations. These certifications include FIPS 140, the Commercial Solutions for Classified program, Committee on National Security Systems Memo #063-2017, and Department of Defense’s Information Network Approved Product List.

Building an IT infrastructure with hardened security that extends to the very edge might seem like an almost insurmountable challenge. But if you take these considerations into account, you’ll find it much easier to develop a system with appropriate access controls – one that protects data at rest and in transit, from the core to the cloud to the edge.

About Thales TCT

Thales Trusted Cyber Technologies, a business area of Thales Defense & Security, Inc., protects the most vital data from the core to the cloud to the field. We serve as a trusted, U.S. based source for cyber security solutions for the U.S. Federal Government. Our solutions enable agencies to deploy a holistic data protection ecosystem where data and cryptographic keys are secured and managed, and access and distribution are controlled.

For more information, visit www.thalestct.com

About IC Insiders

IC Insiders is a special sponsored feature that provides deep-dive analysis, interviews with IC leaders, perspective from industry experts, and more. Learn how your company can become an IC Insider.