Security at the Enterprise Edge: Top Five Concerns

From IC Insider Thales Trusted Cyber Technologies

By Gina Scinta, Deputy CTO, Thales Trusted Cyber Technologies

As digital transformation continues driving change in federal agencies’ operating environments, the need for edge-level data protection has never been greater. Cloud and edge environments are essentially becoming micro data centers, taking on many of the IT core infrastructure characteristics formerly reserved for large HQ facilities. Bolstered by renewed interest in the Modernizing Government Technology Reform Act, there has been a rise in core-level IT capabilities at the network edge government-wide.

This interest, however, introduces some challenges for extending core-level security to edge environments. For example, solutions for these edge environments may be constrained by specific size, weight and power demands, and may require more elaborate data protection technology.

When developing an ecosystem to protect data at the edge, it’s important to consider several key principles, namely size constraints, the threat of hostile access, managing cryptographic keys, controlling access, protecting mission-critical data in transit, and complying with regulatory requirements.

Right-sizing edge solutions to defend data access

The government’s size, weight and power (SWaP) requirements for equipment in tactical areas are very specific. That, along with the extreme conditions in the physical environment at the network edge, creates demands on both durability and compactness in edge security solutions.

Add to these demands the need for data security in the event of equipment being taken by other parties during conflict, and you begin to understand the scope and complexity of edge network technological capabilities.

Edge equipment must come with a cryptographic erase solution that protects encrypted data. In fact, the military generally follows NIST policies for the destruction of physical media after a sanitization process. This process typically requires overwriting drives multiple times to ensure data is properly erased.

To simplify this process somewhat, data encryption keys can be erased or destroyed, obviating the need to sanitize the storage drive itself. The data itself remains encrypted and inaccessible, no matter who might control the physical equipment.

These simpler types of protective measures are essential for edge products because users at the edge may not have as much experience with data security measures as their counterparts in headquarters data centers. Default configurations must be secure and easy to understand.

Keep in mind that edge systems are also susceptible to connectivity issues. Consequently, such systems must be able to store and secure data locally, sending new or updated data back to the core or the cloud after the connection is restored. As an added concern, multiple connected units must be configurable at the enterprise level.

The importance of centralized key management

We wrote earlier about the usefulness of data encryption keys in limiting data access. Such keys are particularly important at the edge, where an organization’s IT security teams may need to manage multiple cryptographic keys and a variety of encryption solutions.

Unfortunately, native key management solutions are not typically interoperable. As a result, system administrators often store cryptographic keys in the same location as the encrypted data – which does not follow best practices for key management and practically invites exploitation.

The answer here is to ensure centralized key management. By doing so, an organization has secure storage and backup of encryption keys. Access control policies are defined. Encryption tasks can be separated from key management tasks. The entire key lifecycle is more properly addressed – from key creation through rotation, backup and destruction. In edge environments, where keys can be susceptible to compromise, this approach is indispensable.

When deciding on appropriate cryptographic products, it’s important to look for solutions with hardware security modules (HSMs) as removable tokens. HSMs act as the root of trust for encryption solutions. These removable tokens can be ideal in edge environments, because detachable tokens keep essential data safe, even in the most remote or hazardous locations. When the root of trust is removed, the encryption keys that remain on the edge device stay protected and cannot be used without the HSM token.

Control access with multi-factor authentication

With apps, services, and data in the cloud, accessed through devices at the edge, everyone becomes an outsider. That creates a genuine need to establish and enforce identity and access security policy safeguards for assets in the cloud, on-premises, and at the edge.

New threats and risks are heightened as operational requirements change, demanding a simple but scalable solution for authentication. Multi-factor authentication, therefore, is the most secure way to limit access to data and applications, particularly at the edge.

With multi-factor authentication at the edge, organizations can be assured of better access control across multiple environments. This is true no matter which devices are used, and whether data is maintained locally, on-premises, or in the cloud.

Protecting data in transit

Demand on high-speed wide-area networks has been pushed up by the migration of data to the cloud, global collaboration, and bandwidth requirements at the edge.

Huge amounts of data are traversing the network and are consequently under constant threat. It is essential to encrypt everywhere – both data in motion and data at rest.

Data in transit is best protected by network encryptors, which allow people, organizations and locations to securely share information. Network encryptors protect data, video, voice, and metadata from eavesdropping, surveillance, and overt and covert interception, which is critical at the edge.

Vendor-agnostic interoperability is critically important for these solutions, to make it easier on network architects and IT professionals. Also important is the flexibility to adapt to changing security and network requirements.

Security compliance policies and regulations

Compliance with security requirements is a critical part of minimizing vulnerability at the edge, where susceptibility to attack is considerably greater. To ensure compliance, enterprise-level security policies must be applied across all architecture, including the edge.

Organizations need to look for solutions that carry certifications from multiple organizations, including FIPS 140, the Commercial Solutions for Classified program, and the Committee on National Security Systems Memo #063-2017. The Department of Defense’s Information Network Approved Product List, which had been a repository for such solutions, was sunset in December 2025. Cybersecurity requirements are in the process of transitioning to the DISA RME Vendor Security Technical Implementation Guides (STIG) program.

The challenge of building an IT infrastructure with hardened security that extends to the very edge can seem daunting. By considering these five aspects, it will become significantly easier to develop a system that appropriately controls access and protects data at rest and in transit – from the core to the cloud to the edge.

About Thales TCT

Thales Trusted Cyber Technologies, a business area of Thales Defense & Security, Inc., protects the most vital data from the core to the cloud to the field. We serve as a trusted, U.S. based source for cyber security solutions for the U.S. Federal Government. Our solutions enable agencies to deploy a holistic data protection ecosystem where data and cryptographic keys are secured and managed, and access and distribution are controlled.

For more information, visit www.thalestct.com

About IC Insiders

IC Insiders is a special sponsored feature that provides deep-dive analysis, interviews with IC leaders, perspective from industry experts, and more. Learn how your company can become an IC Insider.