President Donald Trump’s recently released Executive Order on “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure” is accurately described as a “plan for a plan.” Given the state of federal government Information Technology (IT), however, it is a good place to start. As White House advisor Tom Bossert said upon the order’s release, “antiquated and outdated systems” have been partly to blame for catastrophic breaches like the 2015 intrusion into the systems of the Office of Personnel Management (OPM). One key aspect of the new directive is a requirement that federal agencies favor the use of shared IT services, including cloud-based ones. Especially for such a massive organization as a national government, using the cloud represents an effective way to consolidate and streamline acquisition projects while facilitating rapid security updates.
We have written before, however, about how moving to the cloud has its own risks. As the government seeks to take advantage of its benefits, it should strive to end-to-end encrypt all data, not store encryption keys in the cloud, and ensure that an attack on privileged administrator accounts does not compromise an entire organization’s information. PreVeil, born out of research at MIT, does all of these things by default. Both the public and private sectors can take advantage of its elegant design and integrated security measures to safely use tools such as email, file sharing, and data storage.
The safest way to work and communicate in the digital age is to keep data encrypted at every stage of transmission and storage, decrypting it only on the device of a user authorized to read it. This model, end-to-end encryption, should form a cornerstone of the government’s efforts to secure data in the cloud. Although some IT services that the government currently uses, such as Microsoft Office 365, do encrypt data in transit, they do not do so end-to-end: the provider holds the keys and can decrypt the data on its own servers. That information is therefore vulnerable to any intruder who breaches the provider’s servers, because whatever the provider can read, a successful attacker can read too. Amazingly, as late as 2015, the OPM did not use encryption at all for some of its sensitive data because parts of its IT infrastructure were too old to support it.
PreVeil end-to-end encrypts all user data by default. That means that an email or file is encrypted before it leaves the sender’s device and is decrypted only on the computer or mobile device of the intended recipient. No one else, not even our employees, can read the user’s data, which remains protected even if the servers storing it are breached, since those servers hold only ciphertext. This makes PreVeil an excellent tool for any enterprise, including the federal government, seeking to reduce the exposure of large repositories of information stored in the cloud.
Encrypting data end-to-end is by itself not sufficient to protect information. Where the decryption keys are stored is just as critical. An estimated 37% of enterprises give cloud providers complete control of the cryptographic keys to their sensitive communications. Even when using encryption, such organizations remain vulnerable to breaches: if attackers compromise the cloud provider’s servers, they can steal the decryption keys along with the data and unlock it. PreVeil avoids this risk by storing users’ private cryptographic keys locally, only on authorized devices. We do not have access to the decryption keys, which are controlled by the end users (and ultimately the organizations where they work). Incredibly, some companies are headed in the other direction, offering to create centralized repositories of encryption keys for government data. Such schemes create the potential for catastrophic breaches if attackers steal these consolidated key stores. PreVeil users both avoid this risk and, because a user can approve the transfer of keys to additional computers and smartphones, still enjoy the convenience of multiple-device access.
Most IT systems, including those used in the federal government, rely on administrators with vast “super user” privileges. In the OPM hack, the intruders took control of such accounts before exporting massive amounts of sensitive government personnel information. “Super user” accounts do not just represent a vulnerability to external attackers; disgruntled insiders have exploited them as well. Edward Snowden, who revealed some of the government’s most closely held programs, was not an analyst working on them but merely an information technology specialist responsible for transferring data between servers. PreVeil neutralizes the threat of rogue administrator accounts by distributing the authority necessary to access enterprise data among multiple administrators with an innovative concept called Approval Groups™.
Using these Approval Groups™, PreVeil fragments and distributes keys among multiple administrators. When an organization needs to conduct a privileged activity, such as accessing a particular user’s information, a pre-determined number of administrators must “approve” the action. This means that an attacker cannot compromise an organization’s data by targeting a single administrator. Furthermore, even if intruders hijack such an account, they cannot force approval for privileged actions, because Approval Groups™ are enforced cryptographically rather than merely through business logic. A business-logic check is a permission flag that a server evaluates, and anyone who controls that server, or an account it trusts, can flip it; a cryptographic check means the data simply cannot be decrypted until the required number of administrators have contributed their key fragments. Unfortunately, Amazon’s GovCloud relies on business logic, rather than distributed cryptographic keys, to authorize administrator access to enterprise data. This represents a critical vulnerability that federal departments and agencies should seek to correct as they implement the recent Executive Order. Indeed, employing Approval Groups™, a unique PreVeil security feature, could help the White House achieve its goal of better protecting government data in the cloud, while still retaining access to it when necessary.
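The threshold mechanism that the two preceding paragraphs describe, as an added example rather than PreVeil’s own code (it makes no claim about how PreVeil actually implements Approval Groups™): Shamir secret sharing over a prime field in Python. A key is split into n shares, one per administrator, such that any k of them reconstruct it and fewer than k are consistent with every possible key. The 3-of-5 policy, the `approve` helper and the sample key are assumptions chosen for illustration.

```python
"""k-of-n threshold secret sharing, illustrating cryptographically enforced approval.

Added example, not PreVeil's code. It shows the general technique (Shamir secret
sharing) that makes a "k of n administrators must approve" rule hold
mathematically instead of as a server-side permission flag.
"""
import secrets

# All arithmetic is in GF(PRIME). 2**521 - 1 is a Mersenne prime (the NIST P-521
# field), so any 256-bit key fits as a single field element.
PRIME = (1 << 521) - 1


def _eval_poly(coeffs, x):
    """Evaluate coeffs[0] + coeffs[1]*x + ... mod PRIME (Horner's rule)."""
    y = 0
    for c in reversed(coeffs):
        y = (y * x + c) % PRIME
    return y


def _interpolate(points, x0):
    """Value at x0 of the unique polynomial of degree < len(points) through `points`."""
    xs = [x for x, _ in points]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x0 - xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def split_secret(secret, k, n, rng=secrets.randbelow):
    """Split `secret` into n shares (x, y); any k of them reconstruct it.

    One share goes to each administrator. The polynomial has degree k-1 with
    random coefficients, so fewer than k shares leave every secret equally likely.
    """
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be a field element (< 2**521 - 1)")
    coeffs = [secret] + [rng(PRIME) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares):
    """Reconstruct the secret (the polynomial at x = 0) from at least k shares."""
    return _interpolate(list(shares), 0)


def approve(shares, k):
    """Cryptographic approval: the key only exists once k distinct shares are pooled.

    Unlike a server-side `approved = True` flag, there is nothing here for an
    intruder to flip; with fewer than k shares the polynomial is underdetermined.
    """
    shares = list(shares)
    if len({x for x, _ in shares}) < k:
        raise PermissionError(f"{k} administrator approvals required, got {len(shares)}")
    return recover_secret(shares)


def share_consistent_with(partial_shares, candidate_secret, x):
    """Given k-1 shares, build the share at index x that would make
    `candidate_secret` the answer. One always exists, which is why k-1
    compromised administrators learn nothing about the real key.
    """
    return (x, _interpolate(list(partial_shares) + [(0, candidate_secret)], x))


if __name__ == "__main__":
    key = secrets.randbits(256)           # constructed sample: a data-encryption key
    admins = split_secret(key, k=3, n=5)  # 5 administrators, any 3 must approve
    assert approve([admins[0], admins[2], admins[4]], 3) == key
    try:
        approve(admins[:2], 3)
    except PermissionError as e:
        print("denied:", e)
    # Two compromised administrators: their shares fit ANY secret, e.g. 0, 1 or the real key.
    for guess in (0, 1, key):
        completed = admins[:2] + [share_consistent_with(admins[:2], guess, 3)]
        assert recover_secret(completed) == guess
    print("3-of-5 reconstruction OK; 2 shares reveal nothing")
```

In a real deployment the shared secret would wrap a data-encryption key rather than be the key itself, the shares would be generated and combined on administrators’ own devices, and the reconstruction would happen client-side, so that the server never sees k shares together; those design choices are outside what this page describes and are not shown here.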
Although light on specifics, the recent Executive Order is generally on the mark. Instead of 190 agencies all pursuing their own systems, policies, and security measures, consolidating government IT services and taking advantage of the flexibility and scalability of cloud storage makes sense. The government, however, must implement its move to the cloud carefully using the aforementioned principles. Going forward, end-to-end encryption of all data should be an absolute requirement for federal systems. Maintaining strict control of the cryptographic keys needed to access sensitive information, and storing them locally whenever possible, should be another priority. Finally, the federal government should strive to eliminate or at least reduce “super users” with vast administrative privileges, as they represent a central point of attack. Employing these best practices will help safeguard the systems that the executive branch operates “on behalf of the American people.”