The trifecta for secure data

Hackers, cyberterrorists and thieves are not the only ones from whom agencies need to protect their computer networks and data. As officials from the Department of Veterans Affairs can attest, critical information needs to be secured internally as well.

The theft of a laptop computer and disks containing personal information on 26.5 million veterans has led to an investigation as well as the resignation, dismissal and suspension of three VA officials.

IT security experts agree that a combination of technology and enforced policies easily could have avoided the national scandal.

"The expertise and technology exists to guard against this type of thing, but it requires investment on all fronts to make it work," said Matthew Gardiner, a senior product-marketing manager with Computer Associates International Inc.'s eTrust security team.

"Very simple mitigation, in this case, could have reduced the risk tremendously," he said, such as "requiring and forcing local data to be encrypted, so if a laptop is stolen, it would take a tremendous hacker to get at the data and use it. Most common criminals aren't that sophisticated."

Encrypting data that has been copied to a hard drive or some other media would be the first step to avoid a data breach such as the one at VA.

WinMagic Inc.'s SecureDoc products, for example, offer encryption for laptops and other devices, said Thi Nguyen-Huu, CEO of the Mississauga, Ontario, company.

"Today's technology for laptop encryption is a no-brainer. You don't have to learn anything new, you just have to enter a password," he said.

SecureDoc encrypts everything on a hard drive, including the operating system, applications and files. The user experience isn't much different than working on a laptop without encryption. Once the BIOS loads, SecureDoc's screen appears and asks for a password.

"You can go with a password only, or you can go with a password plus a token" such as a smart card, said Jim Armstrong, WinMagic's national accounts manager. "We are also doing something with the State Department where they're using three-factor identification: a password, a token and biometrics."

If the laptop is lost or stolen, everything on it is encrypted and unobtainable. Even if the hard drive is removed and put into another Windows machine, an unauthorized person still can't get the data.

WinMagic's software can be pushed out to devices in an organization through the SecureDoc Enterprise Server, which has a central console for key management, key recovery and deployment of SecureDoc.

Concerns abound

Interest in protecting data better was on the rise at government agencies before the VA incident, Armstrong said.

"What happens when you have a major catastrophe like at VA, other agencies don't want to be the next VA," Armstrong said. "It has brought up to the forefront that this will be a big deal, that every laptop going out of a government agency should be looked at before it walks out the door."

Federal agencies have policies regarding IT security, but how well those policies are followed varies greatly, said David Taylor, vice president of data security strategies for Protegrity Corp., a Stamford, Conn., company that offers enterprisewide data security management. "This shouldn't be surprising, not because VA is bad, but if you think of all the policies that exist -- and we all know that people largely ignore what they don't have to adhere to," Taylor said.

Rather than writing new policies, agencies should focus on enforcing the ones they have. In reality, software-enforced policies are the only ones that are truly effective. Systems integrators should look to use software as part of an enterprise data protection solution, Taylor said.

"What you want is a software policy that says Person X can access this data, on this platform, at this point in time, and any variation away from that policy has to be approved," he said.

Policies around e-mailing data should be scrutinized closely because, in most cases, the problems begin when information leaves a data center. That likely means implementing tougher access controls.

"What you find is people have extracted information from certain databases, and they've got files on laptops," Taylor said. "Home-grown applications have notoriously weak access controls."

Audits of where data resides are also important, since most government officials wrongly assume their data is in relatively few places. In reality, the data can be found in hundreds of locations.

Dave Kenyon, director of tape product management for Sun Microsystems Inc., Santa Clara, Calif., agreed that managing information leaving the data center is an essential part of a security policy.

"I was ushered into a customer's data center to talk about tape encryption, and there was a sign on the front of the data center that said 'Every time a visitor goes into the data center unescorted, all the security policies and procedures we put in place are null and void,' " he said. The sign drives home the fact that sensitive data must be kept in a secure place, or it has to be encrypted when it leaves the building.

Sun, for example, released a virtual tape storage product that has built-in encryption. Virtual tape is a disk system made to look to the operating system and host systems like a tape device. It automatically provides a single point of management for all protected data. Copies are made and stored in a secure data library.

"That's one of the design principles we're trying to push to customers, that over time, all these drives will automatically encrypt the information for you," Kenyon said. "There isn't a policy where you decide what gets encrypted; it all does."

Thin is in

Protegrity's Taylor said another effective way to control and manage data is to move to a thin-client model where data only resides on the network. Laptops and other devices have no local memory and have no ability to store data.

Sun's Sun Ray thin-client product is gaining popularity in the health care and education areas. Federal agencies concerned about data security might want to consider moving to a thin-client model, Kenyon said.

"I've got to believe other organizations, after the VA incident, are going to think about how they secure information on both ends of the network," Kenyon said. "The Sun Ray system is a great way to do it. How painful or how difficult the transition is depends on where their applications run today."

Sun Ray works with Solaris and Unix.

Ultimately, it will fall to systems integrators to design systems that ensure security, Computer Associates' Gardiner said. Agencies will have to commit to building the systems and finding the funds to pay for them.

"It's like a three-legged stool -- people, processes and technology -- to get the security right," Gardiner said. "We know how to mitigate these types of risk, the organizations just need to do it. They need to get their people trained, and they need to have their policies and processes. And they need to have the technology in place to enforce those policies and processes."

Staff Writer Doug Beizer can be reached at dbeizer@postnewsweektech.com.
