Leveraging Encryption Keys to Better Secure the Federal Cloud 


In the same way we use a key to lock valuable assets in a safe deposit box, agencies can lock up encryption keys.

Deltek’s Federal Cloud Computing Market, 2020-2022 Report predicts federal cloud investments will reach $7.8 billion by fiscal 2022. For government agencies, migrating resources to the cloud increases flexibility, efficiency and promises enhanced security features. But in a cloud-centric world, security is increasingly complex. While security tools do exist within platforms, users may accidentally or unknowingly disable security features.

Additionally, cloud-based applications must be protected from cloud infrastructure attacks, including insider threats. This requires encrypting data at rest and end-to-end encryption for data-in-transit. Taking it a step further than encryption itself, agencies must consider security and access to the keys used to encrypt data. 

Have You Seen My Keys?

When employing a cloud solution, agencies may enlist multiple providers to create a multi or hybrid cloud environment. Utilizing multiple clouds can mean encryption keys end up stored in more than one location across various infrastructures, enhancing the risk of the keys falling into the hands of a bad actor.      

In the same way we use a key to lock valuable assets in a safe deposit box, agencies can lock up encryption keys for personally identifiable information, such as email addresses and mobile device management credentials. Locking encryption keys grants agencies the ability to control access to keys, manage key rotation and handle data within a specific region, which is especially helpful in government, as agencies face FISMA compliance regulations.

The cloud will continue to grow in importance for federal agencies and the time is now to ensure the government cloud is as secure as possible. The Cloud Security Alliance recommends encrypting data in the cloud and managing the encryption keys on-premises within a FIPS-certified boundary. Keys should be managed and secured in a FIPS 140-2 certified key manager. 

Tamper-resistant FIPS 140-2 Level 3 Hardware Security Modules provide the highest level of security against internal and external threats that may result from an increased number of endpoint devices connecting to resources via the cloud.

Cloud Encryption and Mobile Applications

Cloud-based applications often connect directly to mobile and other endpoint devices. By processing and storing data on the cloud, mobile applications can function more efficiently, extending battery life and improving reliability. However, with multiple cloud applications connecting to agency resources through mobile devices, the threat landscape is greatly expanded.

Cloud-based applications on mobile devices can also serve as entry points for bad actors through malicious apps, mobile phishing and more. As such, encryption and other cloud security must extend to mobile.  

Protection on mobile devices needs to include, but go beyond, cloud encryption for comprehensive mobile endpoint security. Precautions, such as user education and a zero-trust policy that extends to mobile, can ensure mobile devices—and the information they contain— stay safe. 

To fully protect an agency and its information, mobile security needs to protect applications, networks and devices from phishing and other mobile threats. While workers may be able to identify phishing attacks on desktops or laptops, it becomes much more difficult on mobile devices. Attacks may be harder to spot due to small screen size and layout of a mobile device but can gain the same access to agency data if successful. 

Cloud Is Here to Stay

As agencies continue to prioritize cloud in a government, the ability to manage encryption keys offers assurance that sensitive data can never be accessed or controlled by unauthorized individuals. This includes apps on mobile endpoint devices, which constantly communicate with the cloud, transferring data to and from the device. Mobile security must extend to the cloud, keeping agencies and the devices accessing their resources protected from cybercriminals and malicious nation-states as attacker strategies evolve.

Tim LeMaster is vice president of WW Systems Engineering at Lookout.