Encryption myths debunked for federal agencies

At this year’s HPE Protect, a conference for security professionals, HPE Chief Technologist Terence Spies sat down with Greg Otto, managing editor of Cyberscoop Radio, to discuss five myths that federal agencies have to deal with when it comes to encryption. CyberScoop reaches top cybersecurity leaders both online and in-person through breaking news, newsletters, events, podcasts, radio and TV.

Terence’s main mission was to dispel some myths about integrating encryption into legacy systems and explain why old systems should not scare federal agencies away from using new forms of encryption.

Myth One: Encryption will break my applications

Terence states that there are different ways to do encryption. Easy ways that won’t break your applications include using SSL (Secure Sockets Layer) or disk encryption for data in storage. The downside of those “easy” ways, continued Terence, is that those approaches won’t cover every need you have. When entities start encrypting the data itself, that is when applications traditionally break. However, Terence pointed out that there is tremendous upside to turning data into less risky forms. To do encryption right, Terence advocates a data-centric security approach, where data is encrypted in the same form, or in something that looks exactly like the original format, so as to have little impact on existing applications.

Myth Two: Encryption is not enough on its own

Security has a lot of aspects, said Terence, and you are not going to just encrypt your data and suddenly be done. It is the same thinking as believing that installing a firewall is all you need to protect your data. People get paranoid if they don’t understand the technology of encryption. Through decades of encryption development, states Terence, we have standards, and if companies use them, they will not fail. So you can’t just slap encryption on something, clarifies Terence; however, encryption done right lets you be secure.

Myth Three: Encryption will slow down my apps

If you have to encrypt and decrypt every time you touch a piece of data, that will lead to performance problems, said Terence. Companies tend to put encryption in the way when they turn on encryption at the database layer, and every operation that gets performed on that piece of data is going to require encryption or decryption to happen. Format-preserving encryption (FPE) takes something such as a social security number, explained Terence, and transforms it with an encryption process into something that looks like, and has the same characteristics as, a social security number. Then entities can use that data in its encrypted form without needing to decrypt, and that can be vital from a performance point of view. This helps with security, continued Terence, as the plaintext social security numbers are never seen in the apps, and if an attacker breaks in, they will only see the encrypted text, never the real data itself. Federal agencies can use FPE to protect sensitive data in a persistent way, concluded Terence.
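As an added illustration of the property Terence describes (this is not HPE’s product code, and it is a teaching-size cipher, not the standardized NIST FF1/FF3-1 modes a product would use): a Feistel network over digit strings with HMAC-SHA256 as the keyed round function. The ciphertext keeps the length, digit-only content and separator positions of the input, so a field validated as `ddd-dd-dddd` still validates after encryption. The key, tweak and sample numbers are constructed.

```python
import hmac
import hashlib

RADIX = 10  # decimal digits, as in a social security number

def _round_value(key: bytes, tweak: bytes, rnd: int, half: str, ndigits: int) -> int:
    """Keyed pseudo-random value for one Feistel round, reduced to ndigits decimal digits."""
    msg = len(tweak).to_bytes(2, "big") + tweak + bytes([rnd]) + half.encode("ascii")
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % (RADIX ** ndigits)

def _feistel(key: bytes, digits: str, tweak: bytes, rounds: int, decrypt: bool) -> str:
    """Alternating Feistel network over a digit string; output has the same length as input."""
    n = len(digits)
    u, v = n // 2, n - n // 2          # left half has u digits, right half v digits
    a, b = digits[:u], digits[u:]
    order = range(rounds - 1, -1, -1) if decrypt else range(rounds)
    for i in order:
        m = u if i % 2 == 0 else v     # width of the half rewritten in round i
        if decrypt:
            y = _round_value(key, tweak, i, a, m)
            a, b = str((int(b) - y) % RADIX ** m).zfill(m), a
        else:
            y = _round_value(key, tweak, i, b, m)
            a, b = b, str((int(a) + y) % RADIX ** m).zfill(m)
    return a + b

def _reinsert(template: str, digits: str) -> str:
    """Put digits back into the non-digit layout (hyphens, spaces) of the original value."""
    it = iter(digits)
    return "".join(next(it) if ch.isdigit() else ch for ch in template)

def fpe_encrypt(key: bytes, value: str, tweak: bytes = b"", rounds: int = 10) -> str:
    """Encrypt only the digits of value; separators, length and digit-ness are preserved."""
    digits = "".join(ch for ch in value if ch.isdigit())
    if len(digits) < 2:
        raise ValueError("need at least two digits for a Feistel split")
    return _reinsert(value, _feistel(key, digits, tweak, rounds, decrypt=False))

def fpe_decrypt(key: bytes, value: str, tweak: bytes = b"", rounds: int = 10) -> str:
    digits = "".join(ch for ch in value if ch.isdigit())
    return _reinsert(value, _feistel(key, digits, tweak, rounds, decrypt=True))

if __name__ == "__main__":
    demo_key = hashlib.sha256(b"constructed demo key, not for real use").digest()
    ssn = "123-45-6789"                  # constructed sample, not a real SSN
    ct = fpe_encrypt(demo_key, ssn, tweak=b"employees.ssn")
    print(ct, fpe_decrypt(demo_key, ct, tweak=b"employees.ssn"))
```

Because the cipher is deterministic, equal plaintexts give equal ciphertexts under the same key and tweak; the tweak binds the ciphertext to a column or record so the same number stored in two places does not produce a matching ciphertext.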

Myth Four: Encryption and Cloud don’t mix

Federal agencies are being pushed to the cloud and Terence stated that encryption can be a really big enabler for cloud. The risk is that entities are sending out their data to companies they don’t control, and could be susceptible to an external breach. We work with companies that encrypt the data and then send that data up to analytical applications in the cloud, said Terence.

Myth Five: New encryption tools aren’t going to work on legacy systems

Terence gave an emphatic answer that encryption is a motivating factor to move to the cloud. Big companies are not building apps from scratch, and federal agencies likewise have existing databases and other processes. Our tools allow data to be encrypted in the same format, so agencies won’t have to retrofit their apps, as the data will look like the original data, explained Terence. The data can pass through systems in its encrypted form instead of being decrypted every time entities want to touch the data.

We see a number of large customers, said Terence, who have encrypted their data in such a way that those legacy systems continue to operate on that data without even knowing they are dealing with encrypted data.

Conclusion:

Greg Otto concluded that just because you have old systems doesn’t mean new encryption is going to break things, slow things down, or force them to be unusable, as enterprises are moving to make sure their data is secure.

Listen to the complete podcast here, or on the CyberScoop Radio site:

Find out more about HPE Format-preserving encryption.
