Security

Create a Data Cocoon

A layered data security approach can pave the way for transformational change.

Dennis Heretick, former chief information security officer for the Justice Department, now consults with agencies on security and IT infrastructure.

The new administration has issued a clear mandate for change within government. Success depends on a strong IT foundation that will support transparency, which hinges in part on the ability to rapidly communicate sensitive data while protecting that information from unauthorized access.

Even with successful access controls and hacker-proof network security, it is still far too easy to inappropriately e-mail sensitive data, print financial documents, copy private information onto a portable USB drive or worse. Here are five actions you can take to build a foundation for an effective data protection program:

1. Take an enterprise approach to encryption.

End-user training is essential, but don’t depend on users to secure data. Many users view security as the IT department’s responsibility. They put mission needs first and expect the IT department to ensure information security is transparent to their need for access — anywhere, anytime. To counter this, use end-to-end and stored-data encryption.

2. Encrypt all endpoints.

Consider carefully all notebook computers and USB drives. Encryption technology allows secure portable storage and ensures that files remain encrypted wherever they are transferred. Having convenient two-factor authentication, such as a thumb swipe and a password, is important to securing access. It is equally important to have an enterprise-grade endpoint solution integrated with the overall security architecture. Point solutions that require intensive administration can quickly become too costly to administer.

3. Use device control technology to centrally manage removable storage devices.

The central control console should provide device and content-based filtering, while monitoring and appropriately blocking confidential data transfer to any removable storage device.

4. Establish a data loss prevention (DLP) program.

Powerful DLP technology uses a central console to protect information assets regardless of how that information is stored, secured or communicated. The DLP program needs to provide comprehensive information protection across three areas to truly secure data across the enterprise:

• Data in motion. A network scanning system should be deployed at the network perimeter to inspect incoming and outgoing traffic and to accurately identify information security violations.

• Data at rest. A vital security component deployed in the local network should connect to and inspect the contents of notebooks, desktops, servers and information repositories and then identify sensitive data and arm the systems to protect it.

• Data in use. An agent deployed on the user desktop or notebook must provide information protection (whether the user is on the network or off the network) through any input/output channel that presents an information security risk.

5. Set expectations, be clear about vulnerabilities and prioritize risks.

Although powerful tools exist, none can make all data completely secure. It is important that all stakeholders within an agency understand each tool’s capabilities. Agreement is needed on the steps required to prioritize data to be protected and incrementally implement capabilities to monitor, alert, provide content protection and generate compliance reports.

Classified Security at Hand

In government, BlackBerrys have become part of the foundation for wireless data security. A reason for their proliferating use within agencies is their enterprise management capabilities for end-to-end encryption, stored data encryption and access control.

Password authentication is made mandatory through the customizable IT policies of the BlackBerry enterprise server. By default, password authentication is limited to 10 attempts. Be careful — the device will erase the memory automatically after the 10th unsuccessful attempt.

It is then not just a matter of calling the system administrator to reset the password. Your smartphone is now useless and will have to be replaced. Users need to know this so they don’t keep trying the wrong password.

A great access control improvement is two-factor authentication using a smart-card reader. The smart-card reader hangs around the user’s neck, holds the smart card and has a wireless connection to the BlackBerry. An option for a physical connection for additional security is also available.