The U.S. government has overseen the development of encryption standards for decades. As cyberattacks grow more sophisticated and new threats loom, the federal government continues to spearhead efforts to advance these encryption standards to protect data and stay one step ahead of hackers.
To meet data security requirements, public sector agencies must adopt a multi-layered security strategy. This includes patching software, monitoring networks, deploying new security controls such as data loss prevention tools, and encrypting data.
In May 2021, the White House announced that President Biden had issued an executive order on cybersecurity (Executive Order 14028) that requires agencies to take a comprehensive security approach. This includes implementing a zero trust architecture, deploying multi-factor authentication and encrypting data at rest and in transit.
Agencies can use self-encrypting solid state drives (SSDs) to protect data stored in their data centers and on their employees’ desktop computers and laptops. These SSDs implement full-disk encryption in the drive itself using the most widely adopted symmetric encryption algorithm in use today: the Advanced Encryption Standard (AES).
Evolution of encryption standards
The National Institute of Standards and Technology (NIST) adopted AES as a federal standard (FIPS 197) in 2001, about 20 years ago, and it has since been widely adopted by private industry and has become the de facto standard worldwide. Organizations use AES to encrypt data at rest, such as data stored on SSDs, in databases and in other storage systems. NIST also notes that AES secures everything from online transactions to Wi-Fi networks, mobile apps, VPN implementations and much more.
NIST spent five years developing AES, collaborating with an international group of cryptography experts from both the private sector and academia. AES, which protects data with 128-, 192- or 256-bit keys, replaced the antiquated Data Encryption Standard (DES). DES, with its 56-bit key, was adopted in 1977 and was brute-forced in the late 1990s.
In fact, while AES was being developed, organizations strengthened DES as a stopgap solution. According to NIST, they turned DES into Triple DES (3DES), which bolsters DES by applying the DES algorithm three times instead of once. Triple DES has since been retired as well: NIST deprecated it and disallows its use for encryption after 2023, so it should not appear in new systems.
AES was initially intended to protect sensitive but unclassified information, but today AES-128 is approved to secure classified information at the Secret level, while the 192-bit and 256-bit key lengths may be used for Top Secret information. While AES is two decades old, AES-256 is expected to be strong enough to secure data for decades to come, said Dr. Dustin Moody, a mathematician in NIST’s Computer Security Division, in an interview with Samsung Insights.
New encryption standard in the works
AES and DES both implement a type of encryption called symmetric cryptography, where a single secret key, shared by both parties, is used both to encrypt and to decrypt data. While AES will meet security requirements now and in the near future, a sufficiently large quantum computer running Shor’s algorithm would be able to crack a different type of encryption called asymmetric cryptography, or public key encryption, including RSA and elliptic-curve schemes. Because public key encryption is what protects the keys exchanged at the start of most digital communications, this would make those communications far more vulnerable.
Asymmetric cryptography pairs one public key, which can be shared freely, with one private key that must be kept secret. Use cases include encrypting and decrypting email, securing a connection between an internal data center and a remote backup system, and enabling a citizen with a web browser to connect to a government website securely. The popular RSA algorithm is one example of asymmetric cryptography. Asymmetric operations are slow, so organizations typically combine the key-management convenience of RSA with the performance of AES: the public key algorithm is used to establish a short-lived session key, and AES encrypts the actual data. HTTPS works this way. Modern TLS 1.3 derives the session key from an ephemeral Diffie-Hellman exchange rather than RSA encryption, but the hybrid structure is the same.
According to CNET, experts say a quantum computer that threatens today’s public key encryption standards could be built anywhere from five to 20 years from now. To combat the threat, NIST in 2016 began working with the international cryptography community to develop new algorithms for public key encryption, digital signatures and key establishment. So far, NIST has whittled 82 initial submissions down to seven finalists, and the organization hopes to finalize a standard by 2024. (NIST went on to publish the first three post-quantum standards, FIPS 203, 204 and 205, in August 2024.)
While quantum computers will impact AES, they will not break it, Moody told Samsung Insights. In the near future, NIST will likely issue guidance to help organizations understand the impact of quantum computers on AES and other symmetric key algorithms. In that guidance, NIST may give timelines on when users should transition to longer AES key lengths, said Moody, who leads NIST’s Post-Quantum Cryptography project.
“We believe that AES will be secure for decades at least — with the caveat that new research discoveries could change this view,” Moody said. “It is generally agreed that doubling the key length will suffice to provide the same level of security as in the pre-quantum era. Thus, a user who is using AES-128 could switch to AES-256 to ensure the same level of security.”
Ramifications of not meeting encryption standards
Data breaches in government can disrupt operations, compromise sensitive data and put employees and citizens at risk of identity theft and financial loss. According to The Verge, the massive hack against the federal government disclosed in December 2020 (the SolarWinds supply-chain compromise) affected nine federal agencies, including the State Department, the Department of Homeland Security and the Pentagon. Note that encrypting data at rest would not, by itself, have stopped an intrusion like this one: disk encryption protects against lost, stolen or improperly disposed media, not against an attacker operating on a running system with valid credentials. That is why the executive order pairs encryption with zero trust and multi-factor authentication.
In May 2021, cyberthieves broke into the state of Alaska’s health department, putting residents’ information at risk, including Social Security numbers, financial data and medical history. The attack forced the state to take website services offline temporarily. As recently as November 2021, the FBI’s email system was broken into, allowing hackers to send a fake cyberattack alert, according to The Washington Post.
In the first three quarters of 2021 (through September 30), government agencies nationwide suffered 55 data compromises affecting 2.6 million people, according to the Identity Theft Resource Center.
How SSDs secure data
Encryption is one security measure that public sector agencies can use to protect their data from unauthorized access. Agencies that store data in data centers and on endpoint computers can use self-encrypting SSDs to protect that data with AES-256.
Samsung’s family of SSD storage for servers and computers not only supports AES-256 but also performs the encryption in hardware, in the drive’s own controller. Because the drive encrypts and decrypts at line rate, there is no host CPU cost and no measurable impact on SSD performance, unlike software-based full-disk encryption. And because a self-encrypting drive encrypts everything written to it automatically, IT administrators don’t have to rely on users remembering to encrypt their data manually. One caveat: a self-encrypting drive encrypts its media with an internal key from the factory, but that key is not protected until locking is enabled, for example with an ATA security password or TCG Opal management software. Until then, anyone who powers up the drive can read its contents, so enabling and verifying the lock is part of the deployment, not an optional extra.
Finally, when SSDs reach the end of their life and agencies need to dispose of the hardware, they can use Samsung Magician software to erase the data permanently and sanitize the drives. On a self-encrypting drive a secure erase is typically a cryptographic erase: the drive discards its media encryption key, leaving all existing data unreadable in seconds. Agencies should verify the erase completed and record it against their sanitization policy; NIST SP 800-88 describes the acceptable methods and the verification expected for each.