Encryption is Key to Building a Secure Identity Management Solution

By Keith Wojciech •  March 20, 2017

In a nondescript courtyard on the grounds of the CIA in Langley, Virginia, sits a sculpture of copper plates resembling a large scroll inscribed with hundreds of Latin characters.

Created by American artist Jim Sanborn 25 years ago, the 12-foot-high sculpture entitled “Kryptos” contains four hidden messages within those Latin letters – the first three of which were cracked by expert cryptologists at the NSA. Kryptos is a physical manifestation of the ever-present application of cryptography in our nation’s most security-minded agencies and technologically advanced institutions.

Tides of War

During WWII, the Nazis possessed advanced electro-mechanical cipher machines designed to protect commercial, diplomatic, and military communications. These “Enigma” machines gave the Axis powers intelligence advantages that helped them stay one step ahead of the Allies during the early days of Nazi Germany.

Efforts by Polish, French, and British cryptanalysts and Allied military personnel led to significant breakthroughs in cracking the Enigma machines. As western Supreme Allied Commander Dwight D. Eisenhower put it, these efforts were “decisive” to the Allied victory.

(Some of these events are dramatically portrayed in such major motion pictures as The Imitation Game, Enigma, and U-571.)

New Battlefields

Today, the world’s cryptographic wars are fought primarily in cyberspace. World powers spend billions on mitigating the greatest modern threats against their infrastructures, intelligence communities, and defense systems and invest in developing the latest encryption technologies to combat these virtual intrusions.

The U.S. federal government also mandates that many of its high-value asset systems managing data such as personally identifiable information (PII) must adhere to strict cryptographic protocols and standards like the Federal Information Processing Standard (FIPS) Publication 140-2, issued by the National Institute of Standards and Technology (NIST).

Laying a Solid Foundation

Solutions such as the Telos ID Designated Aviation Channeling (DAC) service and FBI-authorized fingerprint background check service IDVetting™ interface with the TSA and the FBI, respectively, and are undergirded by such protective cryptographic standards.

The NIST Special Publication SP 800-53 rev 4 establishes the security and privacy controls framework for U.S. Federal Government information systems and organizations. These assessment guidelines inform the development, operational, and maintenance aspects of system life cycles using such industry-standard security controls as Access Control, Audit and Accountability, Contingency Planning, and System and Information Integrity, to name a few. Many of these controls deal specifically with data encryption standards and procedures, and play a significant role in comprehensive security controls assessments (SCA) conducted prior to systems being granted an Authority to Operate (ATO) by the U.S. federal government.

Telos ID system administrators and information security system officers (ISSOs) work continuously with their government security counterparts to research, develop, implement, test, and review our information security and to ensure fully compliant FIPS 140-2 cryptographic standards are in place governing data both in transmission and at rest. These layers of encryption help increase data integrity and provide the secure infrastructure in which sensitive data can inform their security-minded user populations with critical intelligence.

Conclusion

Though the Allies ended up cracking the Enigma codes, it was largely systematic flaws and operational mistakes on the part of the Nazis that led to their compromise. You can have the greatest technologies in the world, but if you don’t have the wisdom to apply them, all may be for naught.

Organizations and cyber security personnel cannot know every possible attack vector on their systems, but they should feel a strong responsibility – and duty – to consider relevant security controls and cryptographic standards when conducting business and transacting data in a worldwide connected ecosystem.

Keith Wojciech

Keith has 16 years of experience managing and delivering IT solutions for federal and commercial customers.
