Federal Certification for Encryption Software Could Help Government Use Legacy System Data, HPE Says

Hewlett Packard Enterprise has won a first-of-its-kind validation for format-preserving encryption.

By Ben Miller / April 14, 2017

Hewlett Packard Enterprise (HPE) has won a first-of-its-kind federal certification for a cybersecurity scheme that could help state and local governments work more with data in legacy systems.

The company has received the Federal Information Processing Standard (FIPS) 140-2 certification for the part of its SecureData package that deals with format-preserving encryption. That means a third-party laboratory has validated that the security setup meets strict standards the federal government relies on when buying technology from vendors. In this case, HPE is the first company to get FIPS certification for format-preserving encryption software.

Many state and local governments have also adopted FIPS for cybersecurity purchases.

“The way to think about it is it’s kind of like a gold standard,” said Mark Bower, HPE Data Security’s global director of product management. “It lets an organization know that it’s been validated by a standards body like NIST [National Institute of Standards and Technology].”

Format-preserving encryption, or FPE, is a cybersecurity scheme developed in the 2000s that lets users encrypt data so that the result keeps the format of the original. So if a government IT worker were to encrypt, say, a Social Security number using FPE, they would end up with a nine-digit string with different characters than the original. They could then use that string in any process where the number doesn’t need to be decrypted.
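To make the format-preserving property concrete, here is an added illustration that is not code from HPE SecureData or from this article: a toy Feistel cipher over decimal digits with HMAC-SHA256 as its round function. It is not the NIST-specified FF1 algorithm and is not validated; the key, the sample nine-digit value and the function names are constructed for the example.

```python
import hashlib
import hmac

ROUNDS = 10  # even, so both halves end up back in their starting positions
DEMO_KEY = b"constructed-demo-key-not-for-use"  # constructed sample key


def _round_value(key: bytes, rnd: int, half: str, modulus: int) -> int:
    """Keyed pseudorandom round function: HMAC-SHA256 reduced to the digit range."""
    mac = hmac.new(key, bytes([rnd]) + half.encode("ascii"), hashlib.sha256)
    return int.from_bytes(mac.digest(), "big") % modulus


def _feistel(key: bytes, digits: str, decrypt: bool) -> str:
    if len(digits) < 2 or not (digits.isascii() and digits.isdigit()):
        raise ValueError("input must be a string of at least two ASCII digits")
    u = len(digits) // 2          # left half width (4 for a nine-digit value)
    v = len(digits) - u           # right half width (5 for a nine-digit value)
    a, b = digits[:u], digits[u:]
    order = range(ROUNDS - 1, -1, -1) if decrypt else range(ROUNDS)
    for rnd in order:
        width = u if rnd % 2 == 0 else v
        modulus = 10 ** width
        if decrypt:
            # Undo one round: recover the half that was masked, swap back.
            prev = (int(b) - _round_value(key, rnd, a, modulus)) % modulus
            a, b = str(prev).zfill(width), a
        else:
            # Mask one half with a keyed function of the other, then swap.
            nxt = (int(a) + _round_value(key, rnd, b, modulus)) % modulus
            a, b = b, str(nxt).zfill(width)
    return a + b


def fpe_encrypt(key: bytes, digits: str) -> str:
    """Return a ciphertext with the same length and alphabet as the input."""
    return _feistel(key, digits, decrypt=False)


def fpe_decrypt(key: bytes, digits: str) -> str:
    return _feistel(key, digits, decrypt=True)


if __name__ == "__main__":
    sample = "123456789"  # constructed nine-digit value, not a real SSN
    token = fpe_encrypt(DEMO_KEY, sample)
    print(sample, "->", token, "->", fpe_decrypt(DEMO_KEY, token))
```

Because the output is deterministic for a given key, the same input always maps to the same nine-digit string, so a legacy field that only accepts nine digits can store and match on the encrypted value.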

That might be of particular importance for a lot of state and local government agencies, since many rely on old IT systems that accept data in rigid ways. By preserving the format of data while retaining the security of encryption, Bower reasons, they will be able to use legacy systems for more than they otherwise might have.

“If you think about legacy environments, and they’re often called mission-critical systems, they’re often at the heart of business processes, and they were often built 10, 20, 30 years ago. It’s tough to upgrade those if you have to pull those apart and re-engineer the databases,” he said. “That’s what we avoid.”

At the same time, the scheme lets users do their work without storing sensitive data like Social Security or credit card numbers. That eliminates a target hackers might attack.

“If an attacker gains access to [a citizen’s] information, you haven’t revealed their identity,” Bower said.

HPE also boasts that SecureData is an end-to-end solution; that is, it’s designed to protect data whether it’s sitting in a silo, moving between systems or entering another piece of software. According to Bower, it preserves relationships between data as well. So if, for example, a case worker needs to access several details from a beneficiary’s file, they can do so while the data stays encrypted.

Finally, the package is designed to work with third-party software. That means other vendors serving government could work the federally certified cybersecurity modules into their own services — for example, Teradata has integrated SecureData into its offerings before.

Ben Miller Staff Writer
