Data protection is on its way

There is no magic bullet for executive branch requirements for protecting personal data being accessed and downloaded by government employees. But pieces of the puzzle are coming into place.

Spurred by high-profile losses of computers containing sensitive data, the Office of Management and Budget this summer reminded agencies that they had to have in place by Aug. 7 policies and tools to ensure the safe handling of data and the devices they reside on, a deadline that few of the officials attending the Microsoft Security Summit East in Washington this week said they have met.

Attendees at the conference were briefed on the capabilities and limitations of some of Microsoft's data protection tools, including role-based access controls using Active Directory, Encrypting File Systems and the Rights Management Server. These products provide some levels of protection today, but security-minded administrators may have to wait for the release of the Windows Vista operating system to get the really good stuff, such as Bitlocker.

"To me, it's the coolest feature in Vista," said Kurt Dillard of Microsoft's federal government division.

Bitlocker is a drive encryption tool that will provide a more comprehensive layer of strong encryption for PCs.

Vista is not scheduled to be released until next year, but the British Ministry of Defense already has decided that Bitlocker provides an acceptable level of security for non-classified data on laptops, said David Longhurst, recently retired information adviser at the Ministry of Defense.

"That will save me about 1,000 pounds per laptop," Longhurst said.

MOD is only about one tenth the size of the U.S. Defense Department, but it is operating in 20 theaters around the globe, from the Falklands to Iraq, and it faces the same need as DOD to become more flexible and responsive while maintaining security. It is modernizing its infrastructure to replace more than 1,500 separate systems with a single backbone and consolidate some 5,000 applications into a single suite.

"We came to the conclusion that everything needed to be encrypted," Longhurst said. Most of MOD uses Microsoft products, and beta evaluations of Vista showed that it filled the bill for unclassified data.

Vista, which chief Microsoft security strategist George Stathakopoulos called a "fundamentally secure platform," is the latest product of Microsoft's evolving culture of trustworthy computing.

The company's trustworthy computing initiative grew out of what Stathakopoulos called "a series of unfortunate events" that plagued the company since 1997. Vulnerabilities, exploits and worms damaged the company's reputation and forced the development of systems and processes to improve security. A corporate cycle of crisis and response has pushed security concerns further back and deeper down in the software development process. Vista will boast added layers of security and is undergoing extensive penetration testing before release.

Existing Microsoft technologies can help in data protection, but all fall short in some areas, Dillard said. Access control lists are effective against online attacks, "but anybody with physical access to the machine will be able to bypass ACL."

Access controls can be extended with the Rights Management Server, a collaboration security tool that lets users set policies for accessing and using files. "The ACLs stick to the file wherever it goes, but end users can get around it" with screenshots and other methods of copying data, Dillard said.

Encrypting File Systems, added to Windows Server 2000 and Windows XP, provides file-by-file and folder-by-folder encryption, but only protects files from Microsoft applications and only while at rest. It is password protected, and "EFS is only going to be as secure as the user's password," Dillard said.

Bitlocker is a more comprehensive tool that can prevent tampering with the operating system and will support multiple factors of authentication with a USB device. But Bitlocker will require a Trusted Platform Module chip in the client PC to operate.

"That's going to be a blocker for some customers in the first months of deployment," Dillard said. He advised users to begin making plans now to include TPM in hardware acquisitions.

For the time being, EFS is good, but coupling it with RMS and policies on downloading data will make it stronger.

William Jackson is a staff writer for Washington Technology's sister publication, Government Computer News.