Best Practices for Protecting Stored Information

SPECIAL REPORT: Storage Management


By Barbara DePompa, 1105 Government Information Group Custom Media

As the government's interagency team responsible for data encryption rolls out alterations to existing technology contracts to add tougher security standards for removable storage devices, industry standards organizations and storage arena experts offer best practices advice on how best to protect stored information.

The reason: while federal IT organizations have worked diligently to apply security protections to servers and PCs, the data stored on these systems has often been left unprotected. This has led to damaging breaches involving, for example, lost or stolen laptops. Secure storage options are available, but most federal organizations are still working to broaden their deployment. This is why, industry observers maintain, secure access controls, together with device-level encryption and automated backups, are considered important steps toward securing stored information against a range of loss or breach scenarios.

According to industry observers, strong data protection includes four primary elements:

* Strictly enforced security and privacy policies for collecting, using and storing sensitive information.

* Strong encryption when storing information on all computers.

* Limited access (again, via proper policies) to secure sensitive information.

* Careful purging of old or outdated sensitive information, wherever possible.

Currently, more than ten IT contracts used to buy software that encrypts information on mobile and removable storage devices, such as thumb drives and CD-ROMs, are being altered to include anti-malware protection, under a new policy from the Department of Defense's Information Assurance Program and Data-at-Rest Tiger Team. This group manages 12 blanket purchase agreements (BPAs) in partnership with Defense's Enterprise Software Initiative and the General Services Administration's SmartBUY program, and also provides acquisition services to state and local agencies.

Improvements in anti-malware protection to be incorporated in removable storage devices would include the ability to run an internal scan that checks a mobile or storage device for malicious code and deletes it. Another enhancement would disable a read-only mode that locks data on a device whenever it's attached to an unauthorized computer. The team is also working on policy improvements to meet stricter encryption requirements, including the incorporation of encryption key management for removable storage devices. Encryption key management allows administrators to control who can decode information on an attached storage device. The BPA contract modifications for removable storage management will be added as part of normal technology refresh and upgrade processes, according to news reports.

Meanwhile, the Trusted Computing Group (TCG) is actively promoting a set of newly minted security specifications targeted directly at storage management, primarily to give storage industry suppliers guidance on how to deliver devices with greater protections built in. Hardware devices that conform to the TCG's storage specifications will help eliminate the unacceptable misuse of information on mobile, server and even data center storage devices. For example, self-encrypting storage devices that meet the TCG's specifications were rolled out in March to lock down data automatically in less than a second. These devices can also be immediately and completely erased in milliseconds. Self-encrypting drives deployed in many government environments, especially on laptop computers, would enable agencies to encrypt an entire drive's contents, combining strong protection of encryption keys with strict access control, TCG officials reported.

TCG's Storage Work Group rolled out the storage management specs, known as the Opal Security Subsystem Class Specification for PC clients and the Enterprise Security Subsystem Class Specification for data center storage, in late January. Details are available at www.trustedcomputinggroup.org/groups/storage/.