There is precious little data handled by corporations and companies that are as secretive, important, and highly-focused upon than governmental data.
Whether this data arrives as a byproduct of governmental content used in purchasing, registration, and payment, or is interacted with as part of a contract, there are a wide variety of caveats and requirements that come with this kind of content. Protecting, encrypting, and securing this data not only introduces unique challenges, but unique laws and regulations controlling the process as a whole.
In this piece, we’re going to look at governmental security, and how to protect this high profile data. We’ll look at some laws protecting civil data, and some internal laws and processes regulating the creation, sharing, and destruction of this data.
Specific Laws Regulating the Handling of Governmental Data
There are a wide range of laws that govern the interactions with data, dependent entirely on the country that creates said data - and that is where this topic becomes far more complex. For instance, there are many laws that the European Union has implemented for privacy and citizen security that the United States has not, and laws that the United States has implemented as part of their ongoing fight against terrorism that Japan or South Korea has never implemented.
Because of this diversity, international organizations and corporations are often faced with the daunting problem of navigating this minefield in a way that grants access to these markets while ensuring legal compliance.
The best bet for a corporation facing this challenge is to accept the most stringent requirements, and design from there. Most security laws are put in place to ensure CIA, or Confidentiality, Integrity, and Availability. Because of this, there aren’t many laws that contradict or conflict in a meaningful way, and often these contradictions are in extremity (i.e. keep data for 30 days rather than 15) rather than intent.
By accepting the most stringent requirements, you naturally satisfy the less stringent requirements as well, thereby ensuring compatibility with governmental security concepts.
A Brief Summary of International Data Law
Since each region has vastly different laws and approaches to data retention, the best we can do is to summarize the general concept and approach these regions and try to align a data policy alongside it.
International data law typically states the following:
- Data should have its Integrity maintained. That is, data should be provably derived from a source, and the data that identifies this source (specifically metadata in most legal specifications) must be encrypted and stored locally for a lengthy period of time (typically more than 90 days);
- Data should have its Confidentiality maintained. Data should be encrypted with high standards, and should be accessed only in ways that are specified by the data generator (in plain terms, “leaks”, storing content in plaintext, etc. is unacceptable);
- Data should have it’s Availability maintained. While this typically means in the networking world a provision of “high uptime”, when it comes to governmental data, this is even more important, and should be roughly considered “available when needed” and documented for purposes of legal and law enforcement uses.
While the specific variations within are highly variable (such as the length of time for data retention), the general concept remains the same. Retain data in an encrypted form, make it available to governmental agencies when needed, and ensure that data is used for the specific uses as agreed to by the data owner (i.e., the individual or corporation).
Generation and Storage
When we consider governmental data security, we’re actually talking about two topics - generation & storage, and destruction. Generation and storage is widely controlled, especially in the European Union.
The basic concept of most schemes in countries to control data generation is thus:
- Data must only be used in the intended manner (for instance, a social security number or other governmental identifier supplied to apply for a job should only be used for that job form, and not sold or given to any other service or business);
- The user must be aware that data is being generated.
This might seem rather simple - and in all honesty, it is. The rules can be best summarized as “don’t be evil”. The real problem though comes in storage.
When storing governmental data, the key is access, balanced with security. Yes, you could store this data on a hard drive, and put it at the bottom of Fort Knox, but you’re going to have trouble accessing it any time you need information. Conversely, you could simply store it in plain text on a public file server and access it whenever you want, but this obviously comes with the caveat that you have no security.
Thus, storage is a balancing game. There’s a few good schemes for encrypting data in a usable way that have become industry standard:
- AES - AES, or Advanced Encryption Standard, is a data encryption format used to secure sensitive but unclassified material. The standard uses 128, 192, or 256-bit sized keys to encrypt and decrypt text using an efficient algorithm.
- Triple DES - Triple DES, or Data Encryption Standard, replaced the relatively weak (and quickly hacked) DES standard. Triple DES uses 112-bit keys, and though it’s not as strong as AES, it is still used widely in hardware encryption and software encryption in the banking industry.
- RSA - RSA, which is short for the surnames of its creators, is an encryption standard that, due to its slowness, is usually used to pass keys for other, faster decrypting solutions.
- Twofish - Twofish, a successor to earlier encryption standard Blowfish, uses an encryption key that can be up to 256 bits in length. The encryption process is symmetric, meaning it only takes a single key. The method is incredibly fast, often considered the fastest of its kind, and is used in many open source methodologies and programs.
Data Destruction is a very interesting subject when it comes to governmental data. Because data needs to be collected and stored in a specific way, it must also be deleted in a specific way so as to ensure the data is entirely, completely, and irrevocably deleted.
Interestingly, the specific type of destruction is specified in most cases by the governmental entity that has generated it, and unlike in creation and storage, this methodology is often specifically demanded.
For instance, governmental data generated in Germany is likely to be subject to the German Federal Office for Information Security Overwriting Standard, which requires 3 rounds of overwriting, and a non-uniform, complimentary pattern.
Data generated in Australia might be subject to the Australian Government ICT Security Manual 2014 Controls section, which specifies a random overwrite pattern and a single overwrite pass, with top secret or sensitive media facing degaussing.
While much of this concerns secret data, governmental data is often covered under the same stringent guidelines through implication and association, and in many cases, there might not be any sort of direct guideline at all outside of this “implied restriction and suggestion”.
The good news is, data destruction can be handled in the same way generation is - follow the most stringent, and you’ll naturally cover the lesser as well. Clarabyte offers a solution called ClaraWipe that offers a wide range of solutions for data destruction. These solutions meet or exceed the following standards:
- Sarbanes-Oxley Act (SOx)
- HIPAA & HITECH
- The Fair and Accurate Credit Transactions Act of 2003 (FACTA)
- US Department of Defense 5220.22-M
- CSEC ITSG-06
- Payment Card Industry Data Security Standard (PCI DSS)
- Personal Information Protection and Electronic Documents Act (PIPEDA)
- EU data protection directive of 1995
- Gramm-Leach-Bliley Act (GLBA)
- California Senate Bill 1386
By ensuring you meet the most stringent of data destruction protocols, you’re not only doing right by your customers, but right by the law.