Government Encryption Solutions: Best Practices for Evolving Standards and Regulations

Don Wiggins

Government agencies are rapidly modernizing their IT infrastructures and services in accordance with numerous strategic initiatives, mandates, policies and oversight requirements promulgated by the federal government. This multi-year effort is pushing nearly every agency to move from legacy data centers to more efficient cloud infrastructures and to develop effective means of inter-agency collaboration while securely managing vital data.

Multiple federal initiatives set cloud direction

A single act can have a far-reaching impact. Initiatives such as the Federal Information Technology Acquisition Reform Act (FITARA), passed in 2014, require federal agencies to provide the Office of Management and Budget (OMB) with:

  • A comprehensive inventory of existing data centers.
  • A strategy to consolidate and optimize these data centers.
  • Quarterly progress reports regarding the agency’s strategy.

FITARA is intended to reduce IT resource duplication and waste, consolidate data acquisition and management functions and increase cost savings. More than two dozen major agencies, including the Department of Defense, Department of Homeland Security, Social Security Administration and the military departments, are covered by the act.

In the same year, the Federal Information Security Modernization Act of 2014 (FISMA), which updates the 2002 act of the same name, was also signed into law. FISMA empowers OMB to provide government-wide cybersecurity guidance and policy. It codifies the Department of Homeland Security's role in administering and implementing information security policies for federal executive branch civilian agencies, which includes monitoring agencies' policy compliance and assisting OMB in developing cybersecurity policies. FISMA also calls for more efficient and detailed reporting of major security incidents and data breaches.

In December 2017 the Modernizing Government Technology (MGT) Act was enacted as part of the FY2018 National Defense Authorization Act, and in 2019 OMB released the Federal Cloud Computing Strategy (aka Cloud Smart). All of these continue the emphasis on transitioning to modern platforms and technologies like cloud computing while ensuring that cybersecurity protections are in place.

Most agencies use multiple cloud providers

As in the private sector, government agencies have found that transitioning their data and applications to the cloud typically requires the use of multiple cloud providers. It's rare that a single cloud provider meets all of an agency's needs, so hybrid multicloud environments have become the norm. These cloud-smart infrastructures are allowing agencies to:

  • Avoid the heavy lifting and cost of duplicating data from one agency data source to another.
  • Move petabytes of data to cloud locations (at the edge) to bring data closer to agency consumers and reduce latency to improve application performance.
  • Share data with other agencies to collaboratively support organizational missions and objectives.
  • Facilitate real-time analytics for decision support to improve the quality and efficiency of everything from basic public services to national security functions.

The ability to liberate data from legacy agency data centers and share information via the cloud is giving agencies a significantly greater ability to collaborate in delivering better quality services. As the Global Interconnection Index (GXI) Volume 3 mentions, the move is also allowing agencies to improve the performance of latency-sensitive workloads by taking advantage of secure, direct interconnections that minimize the distance between data, applications, clouds, and citizens.

Transition to the cloud requires rethinking government encryption solutions

The transition to cloud environments brings new challenges in managing data security. In today’s cloud environment, data is a collaborative asset that needs to be securely shared. Government data encryption solutions must be supported by an effective and efficient encryption key strategy, one that delivers required security while simultaneously simplifying management.

With data widely distributed across hybrid and multicloud environments, the hardware security modules (HSMs) long trusted in agency data centers don't readily extend to the cloud: procurement and provisioning cycles measured in months rule out on-demand deployment and rapid scaling. The native key management services offered by each cloud provider work only within that provider's environment, so an application spanning two clouds ends up with two disconnected key stores and two key lifecycles to manage. Agencies need a government encryption solution that is easily deployed across multiple cloud environments.

Government agencies are addressing the challenge of encryption key management in hybrid and multicloud environments with an HSM as a Service strategy. This cloud-native approach addresses the requirements for a government encryption solution through the following:

  • On-demand deployment without the need for hardware procurement and provisioning.
  • Scalability to meet dynamic processing demands.
  • Cloud-neutral encryption key management for Amazon, Azure, Google, IBM and Oracle environments.
  • Central management of the full encryption key lifecycle regardless of the cloud platform hosting the encrypted data.
  • Ability to locate encryption functionality proximate to cloud providers to minimize latency and improve application performance.

HSM as a Service is available from Equinix as SmartKey and is underpinned by technical functionality that gives agencies the ability to implement encryption key solutions to support federal standards as well as their unique agency requirements.

  • Support for PKCS #11, CNG, JCE, Key Management Interoperability Protocol (KMIP) and RESTful APIs for application development and integration.
  • BYOK to easily incorporate and apply existing encryption keys in cloud environments.
  • Cryptographic protection of stored keys, with access limited to authorized users and applications.
  • An added layer of security from keeping keys in a service separate from, yet proximate to, the encrypted data.
  • Availability via a secure private backbone network across global data centers to connect to multiple cloud providers.

SmartKey offers rapid deployment and scalability, centralized management of encryption keys and the ability to place encryption key management services in locations that optimize data security and processing performance.
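The key-management pattern behind these capabilities (keys held in a service separate from the data, agency-generated keys brought in via BYOK, one key service reachable from any cloud through a standard interface) is easiest to see in code. The Go program below is an added example written for this article; it is not Equinix or SmartKey code and does not use the SmartKey API. The `KeyService` interface, the in-memory `MemoryKeyService` that stands in for an HSM-backed service, and the sample key and record are all assumptions made for the example. It implements envelope encryption: each object is encrypted locally under a fresh data-encryption key (DEK), and only the DEK is sent to the key service to be wrapped under a key-encryption key (KEK) that never leaves the service. What gets stored in the cloud beside the data is the wrapped DEK and the ciphertext, never the KEK.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// KeyService is the minimal contract an application needs from an external key
// manager: wrap/unwrap per-object data-encryption keys (DEKs) under a key-
// encryption key (KEK) that never leaves the service. Assumed for this example.
type KeyService interface {
	WrapKey(keyID string, dek []byte) ([]byte, error)
	UnwrapKey(keyID string, wrapped []byte) ([]byte, error)
}

// MemoryKeyService stands in for an HSM-backed service: KEKs (agency-generated,
// i.e. BYOK) live only in this map; callers only ever see wrapped DEKs.
type MemoryKeyService map[string][]byte

// WrapKey seals the DEK under the KEK with keyID as associated data, so a
// wrapped DEK cannot be replayed under another key ID.
func (s MemoryKeyService) WrapKey(keyID string, dek []byte) ([]byte, error) {
	kek, ok := s[keyID]
	if !ok {
		return nil, errors.New("unknown key id " + keyID)
	}
	return gcmSeal(kek, dek, []byte(keyID))
}

func (s MemoryKeyService) UnwrapKey(keyID string, wrapped []byte) ([]byte, error) {
	kek, ok := s[keyID]
	if !ok {
		return nil, errors.New("unknown key id " + keyID)
	}
	return gcmOpen(kek, wrapped, []byte(keyID))
}

type Envelope struct { // stored beside the data in the cloud; never holds the KEK
	KeyID      string
	WrappedDEK []byte
	Ciphertext []byte // nonce || AES-GCM ciphertext || tag
}

// Encrypt generates a fresh DEK per object, has the key service wrap it, and
// encrypts locally: only the 32-byte DEK, never the data, crosses to the service.
func Encrypt(ks KeyService, keyID string, plaintext, aad []byte) (Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return Envelope{}, err
	}
	wrapped, err := ks.WrapKey(keyID, dek)
	if err != nil {
		return Envelope{}, err
	}
	ct, err := gcmSeal(dek, plaintext, aad)
	return Envelope{KeyID: keyID, WrappedDEK: wrapped, Ciphertext: ct}, err
}

// Decrypt unwraps the DEK through the key service, then decrypts locally.
func Decrypt(ks KeyService, env Envelope, aad []byte) ([]byte, error) {
	dek, err := ks.UnwrapKey(env.KeyID, env.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return gcmOpen(dek, env.Ciphertext, aad)
}

// gcmSeal prefixes a random nonce; gcmOpen splits it off and checks the tag.
func gcmSeal(key, pt, aad []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, pt, aad), nil
}

func gcmOpen(key, ct, aad []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if n := g.NonceSize(); len(ct) >= n+g.Overhead() {
		return g.Open(nil, ct[:n], ct[n:], aad)
	}
	return nil, errors.New("ciphertext too short")
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
```

Usage: build the service with an agency-generated 32-byte KEK, e.g. `ks := MemoryKeyService{"agency-kek-1": kek}`, then `env, err := Encrypt(ks, "agency-kek-1", record, []byte("bucket/object-1"))`; the returned `Envelope` can be written to any cloud store, and `Decrypt(ks, env, aad)` reverses it. Two properties worth noting: the key ID is bound into the wrapped DEK as associated data, so an envelope cannot be quietly re-pointed at a different KEK; and deleting the KEK entry from the service makes every envelope wrapped under it permanently unreadable even though the ciphertext remains in the cloud, which is the separation-of-keys-from-data property the list above describes. In a real deployment the same `KeyService` interface would be satisfied by a client for the external key manager (PKCS #11, KMIP or REST) rather than an in-memory map.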

SmartKey and Equinix Cloud Exchange enable best practices

Numerous federal agencies have already made the move to Equinix. Using Platform Equinix, our global interconnection platform, agencies are interconnected via dynamically provisioned Equinix Cloud Exchange Fabric™ (ECX Fabric), which provides private, proximal access to major cloud providers. SmartKey, hosted on Platform Equinix and provisioned on demand, gives agencies a cloud-neutral means of managing encryption keys across widely distributed cloud environments: a best-practice government encryption solution for data security.

Don Wiggins, Senior Global Solutions Architect at Equinix