Red Tape Trips Up Security

IRVINE, Calif. -- Data Protection Summit -- Lack of communication between storage vendors and federal government is hindering agencies' security efforts, according to IT managers here today.

Speaking during a panel discussion this morning, Lynn Saxton, a systems administrator at the Los Alamos National Lab warned that most disk encryption vendors have still not met the demands of FIPS PUB 140-2, a critical government cryptography requirement. "We're required to be a FIPS environment, [but] not everyone gets their device certified," he said.

FIPS, or the Federal Information Processing Standards, is a set of specs for encryption, authentication, access, archiving policies, and data transfer, among other functions.

The exec admitted that this is limiting technology choices at Los Alamos, which is at the forefront of U.S. nuclear research. "It would make my life much easier," he says. "There needs to be collaboration between government and industry to develop solutions that we're able to use."

Increasingly, government agencies are coming under pressure to bolster their security strategies after a series of embarrassing storage snafus at the Department of Veterans' Affairs, NASA, and the Los Alamos Lab. (See Pundits Ponder Potential Pitfalls, NASA Goes to the Dark Side, Latest From Los Alamos, and Los Alamos Launches Monitoring System.)There are only two FIPS-compliant drive encryption hardware vendors on the market; SecureD and Secure Data Vault (SDV), according to Saxton. A number of software firms, including PointSec and GuardianEdge are playing in this space.

Los Alamos is testing all these products, although Saxton was unwilling to divulge any more information about the lab's IT infrastructure.

Drive vendors taking part in this morning's panel complained about the length of time it takes to get their products FIPS-compliant. "Our flash drives have encryption built in, but it's not FIPS-certified," said Ron LaPedis, product marketing manager at SanDisk, explaining that it can take a year and a half to get FIPS validation. "That's the lifetime of a drive," he explained.

These sentiments were echoed by another panelist, David Anderson, director of strategic planning at Seagate: "We need a process that fits better with the products that we're building," he said".

At least one top government official sitting in the audience admitted that this situation could be improved. "We realize that the certification process is not as dynamic as the evolution of technology - collectively we have to find a middle ground," said Dave Kreft, engineering leader in the National Security Agency (NSA)'s Information Assurance Directorate.It is not just drive encryption where red tape is standing in the way of government technology deployments, according to Saxton. "With Open SSL, that just came through FIPS certification and that took just over three and a half years," he said.

The NSA is now planning a new strategy it hopes will resolve some of these issues by placing more of the validation burden at the vendor's door. The Commercial Off-The Shelf (COTS) strategy, which is currently being developed, will require vendors to declare that their products meet U.S. government security standards and is likely to impose financial penalties for firms that subsequently fail to meet requirements.

NSA official Trent Pitsenberger is currently pushing COTS forward in an attempt to speed up government technology buying. "It's still just a proposal," he told Byte and Switch. "We want to be certain that our COTS strategy will work on the same timelines as commercial industry."

— James Rogers, Senior Editor Byte and Switch