Encryption is embraced the world over as one of the most effective ways to safeguard sensitive and confidential information. Implemented just right, it can apply a level of security that is virtually impossible to break. That deadbolt-like effectiveness is a big reason why encryption is mandatory for government IT systems. It’s also a standard in the unrelenting compliance frameworks designed to keep them in line.
NIST and a New Encryption Twist
The National Institute of Standards and Technology is a government-funded agency that develops standards to help meet compliance requirements. Encryption is one of the core security technologies it builds guidelines around. NIST is constantly working on new standards to drive innovation in the government, science, and technology sectors. But its latest take on encryption may have compliance implications across multiple industries.
Earlier this year, NIST released the final guidelines for new cryptographic standards. Reportedly over two years in the making, the outline comes in response to a volatile threat landscape. High profile data breaches seem to happen on a regular basis. The standard implementation process revolves around nine key values, which include usability, integrity, transparency, and global acceptability. The agency’s main focus is the federal government. But NIST wants the reformed process to foster better security for IT systems across industries worldwide.
FPE / Format Preserving Encryption
In addition to releasing new guidelines, NIST introduced an all new encryption standard to further bolster data security. The standard is essentially a guide for using a method security experts call “format-preserving encryption” or FPE. This is based on the long-time encryption standard AES. Previous NIST standards were problematic for legacy IT environments, because certain applications only support certain data formats. Working around this limitation was often cost prohibitive. Instead of forcing the environment to accommodate a new data format, FPE produces ciphertext in the same format as the original data, so the encrypted data fits the existing environment. This means organizations can effectively secure their data without performing tedious overhauls of their existing environments.
The origins of FPE can be traced back to the early 1980s, but its use in the commercial sector only happened in the last two years. Heartland Payment Systems adopted it after a 2009 security breach led to the exposure of over 130 million credit and debit card numbers. NIST is hoping this new encryption method will become standard protocol for protecting sensitive data in the government and healthcare industries.
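As an added illustration (not code from the original article or from NIST's specification), the Python below shows the property described above: a Feistel network laid out like NIST's FF1 mode that turns a string of digits into another string of digits of the same length, so a 16-digit card number still fits a legacy column that only accepts 16 digits. It assumes HMAC-SHA256 as the round function where FF1 uses an AES-based one, and the key and card number are constructed test values.

```python
import hmac

DIGITS = "0123456789"

def _to_int(s, alphabet):
    # Read s as a base-len(alphabet) number, most significant symbol first.
    value = 0
    for ch in s:
        value = value * len(alphabet) + alphabet.index(ch)
    return value

def _to_str(value, length, alphabet):
    # Inverse of _to_int, left-padded to exactly `length` symbols.
    out = []
    for _ in range(length):
        value, r = divmod(value, len(alphabet))
        out.append(alphabet[r])
    return "".join(reversed(out))

def _round_fn(key, tweak, n, i, half):
    # Round function: keyed PRF over tweak, length, round index and the other
    # half, read as a big integer. Assumption: HMAC-SHA256 here, AES-based in FF1.
    msg = tweak + n.to_bytes(4, "big") + bytes([i]) + half.encode()
    return int.from_bytes(hmac.new(key, msg, digestmod="sha256").digest(), "big")

def fpe_encrypt(key, plaintext, tweak=b"", alphabet=DIGITS, rounds=10):
    # Ciphertext keeps the input's length and symbol set; rounds must be even.
    if len(plaintext) < 2 or any(ch not in alphabet for ch in plaintext):
        raise ValueError("plaintext must be 2+ symbols drawn from the alphabet")
    n = len(plaintext)
    u, v = n // 2, n - n // 2            # left/right half lengths, as in FF1
    a, b = plaintext[:u], plaintext[u:]
    for i in range(rounds):
        m = u if i % 2 == 0 else v       # length of the half replaced this round
        c = (_to_int(a, alphabet) + _round_fn(key, tweak, n, i, b)) % len(alphabet) ** m
        a, b = b, _to_str(c, m, alphabet)
    return a + b

def fpe_decrypt(key, ciphertext, tweak=b"", alphabet=DIGITS, rounds=10):
    # Run the rounds backwards, subtracting what encryption added.
    n = len(ciphertext)
    u, v = n // 2, n - n // 2
    a, b = ciphertext[:u], ciphertext[u:]
    for i in reversed(range(rounds)):
        m = u if i % 2 == 0 else v
        c = (_to_int(b, alphabet) - _round_fn(key, tweak, n, i, a)) % len(alphabet) ** m
        a, b = _to_str(c, m, alphabet), a
    return a + b
KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # constructed throwaway key
SAMPLE_PAN = "4111111111111111"  # constructed 16-digit test card number
```

Passing a different alphabet (for example digits plus upper-case letters) preserves that symbol set instead, which is the same idea FPE applies to account identifiers and other fixed-format fields.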
From Guidelines to Standards: FIPS
Once approved by the Secretary of Commerce, NIST standards and guidelines become Federal Information Processing Standards. FIPS standards dictate how non-military government agencies and contractors handle various data-related processes for IT systems. Among them are cryptographic standards NIST publishes to determine what methods government organizations can use to generate encryption keys and encrypt data. They also include what types of information need to be protected.
There are a number of FIPS standards, and because it governs products sold into the vast and lucrative government market, FIPS 140-2 is probably the most active. FIPS 140-2 encompasses the design, creation, and implementation of cryptographic systems and the algorithms that support them. With the 2015 withdrawal of FIPS 185 (EES), this particular standard is currently defined by two approved encryption algorithms:
1. Advanced Encryption Standard (AES) is the most common form of encryption in modern hardware and software applications. The AES algorithm is fast, incredibly flexible, and up to this point, still provides bulletproof protection against cryptographic attacks.
2. Triple Data Encryption Standard (3DES) was introduced to temporarily replace the original Data Encryption Standard (DES). 3DES applies the encryption process a total of three times, making it slower, yet more secure than its predecessor. While AES is the permanent replacement for DES, NIST continues to recognize 3DES as a reliable encryption algorithm.
Bundled into certified hardware and software applications, FIPS encryption provides a major selling point for vendors targeting the government market. Microsoft Windows is a perfect example as the operating system offers the ability to enable FIPS-compliant encryption for government networks.
Connecting the Dots of Compliance
There are so many standards and rules to adhere to. You might think regulated organizations are constantly spinning their wheels to satisfy different compliance obligations. The good thing about this is that conforming to one set of standards can make it a lot easier to fall in line with others. For example, the NIST cybersecurity framework is incredibly comprehensive. It covers enough ground that organizations of any size or industry can achieve adequate data protection and privacy. In fact, NIST standards are often used as a guideline for meeting the Security Rule of HIPAA compliance (the Health Insurance Portability and Accountability Act).
Likewise, the cryptographic components of FIPS can help organizations minimize some of the most tedious requirements of the Health Information Technology for Economic and Clinical Health (HITECH) Act. Though it is an entirely different set of rules, HITECH adds another layer of complexity to HIPAA. It will both improve security and increase liability for non-compliance. While encryption isn’t technically a HITECH rule, using a FIPS standard algorithm could enable an organization to bypass breach notification provisions. So if you can show that you took steps to protect your healthcare data, you may not have to notify patients or the media that a breach occurred. This goes a long way in preserving the trust of the public following a crisis.
How To Make Sure Your Business Is Compliant
No matter what field you operate in, making yourself familiar with government-related compliance standards can make life easier for your IT team. Also, it can greatly improve your data security strategy in the process. Think of it this way: if it’s sufficient for government security, it’s probably good enough for your business.
We’ll leave you with some pointers on how to effectively merge the aforementioned compliance standards with your own business requirements.
Get in sync: The first step is understanding the role a secondary compliance framework can play in meeting HIPAA, HITECH, or other requirements. You should get a feel for the standards and terminology to see how a given set of standards aligns with your business.
Get educated: NIST has published a series of guides for compliance and IT security in general. From HIPAA security to risk assessment, this collection is an excellent resource for carving out an IT environment fit for virtually any compliance framework.
Get integrated: Applying standards from multiple compliance frameworks can greatly improve your overall data security strategy. There are a plethora of options in the way of training programs, consulting services, and tools available to help you weave one set of standards into your existing IT environment and processes.