Feb 06 2009

Create a Data Cocoon

A layered data security approach can pave the way for transformational change.

The new administration has issued a clear mandate for change within government. Success depends on a strong IT foundation that will support transparency, which hinges in part on the ability to rapidly communicate sensitive data while protecting that information from unauthorized access.

Even with sound access controls and a hardened network perimeter, it is still far too easy for a user to e-mail sensitive data to the wrong recipient, print financial documents, copy private information onto a portable USB drive or lose the data in some other way. Here are five actions you can take to build a foundation for an effective data protection program:

1. Take an enterprise approach to encryption.

End-user training is essential, but don't depend on users to secure data. Many users view security as the IT department's responsibility. They put mission needs first and expect the IT department to make information security transparent to their need for access, anywhere and at any time. To counter this, make encryption an enterprise service rather than a user choice: encrypt data in transit end to end and encrypt stored data, so protection does not depend on a user remembering to apply it.

2. Encrypt all endpoints.

Inventory and cover every notebook computer and USB drive. Encryption technology allows secure portable storage and ensures that files remain encrypted wherever they are transferred. Convenient two-factor authentication, such as a fingerprint swipe plus a password, is important for securing access to the device. It is equally important to have an enterprise-grade endpoint solution integrated with the overall security architecture. Point solutions that each need their own console and administrators quickly become too costly to operate.

3. Use device control technology to centrally manage removable storage devices.

The central control console should filter both by device (which classes of removable media are allowed at all) and by content (what may be written to them), while monitoring transfers and blocking any that would move confidential data onto a removable storage device.

4. Establish a data loss prevention (DLP) program.

Powerful DLP technology uses a central console to protect information assets regardless of how that information is stored, secured or communicated. The DLP program needs to provide comprehensive information protection across three areas to truly secure data across the enterprise:

• Data in motion. A network scanning system should be deployed at the network perimeter to inspect incoming and outgoing traffic and to accurately identify information security violations.

• Data at rest. A scanning component deployed on the local network should connect to notebooks, desktops, servers and information repositories, inspect their contents, identify sensitive data and then apply the appropriate protection to it.

• Data in use. An agent deployed on the user desktop or notebook must provide information protection (whether the user is on the network or off the network) through any input/output channel that presents an information security risk.
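The content-inspection core that the device-control filtering in action 3 and all three DLP areas in action 4 depend on is the same: recognize sensitive data in a blob of text, then decide per channel whether to block, alert or allow. The following is an added illustration written for this page, not code from the article or from any DLP product; it assumes that the only sensitive classes are US Social Security numbers and payment card numbers, validates card candidates with the Luhn check to cut false positives, masks the matched value so the alert itself does not leak the data, and treats the channel names (smtp, usb, print, fileshare) as hypothetical labels. The sample e-mail, memo and file tree are constructed.

```python
"""Toy DLP content inspector: data in motion, at rest and in use share one classifier.

Added example for this page, not from the article or any product it alludes to.
Assumptions: only SSNs and payment card numbers count as sensitive; card hits must
pass the Luhn check; channel names are hypothetical; sample inputs are constructed.
"""
from __future__ import annotations

import re
import tempfile
from dataclasses import dataclass
from pathlib import Path

# SSN: area not 000/666/9xx, group not 00, serial not 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Card candidate: 13-19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

# Channels where a hit means data is leaving our control (hypothetical names).
EGRESS_CHANNELS = {"smtp", "http", "usb", "print"}


@dataclass(frozen=True)
class Finding:
    kind: str    # "ssn" or "card"
    value: str   # masked: only the last four digits survive into the alert
    offset: int  # where in the text the match starts


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: doubles every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(s: str) -> str:
    digits = re.sub(r"\D", "", s)
    return "*" * (len(digits) - 4) + digits[-4:]


def inspect(text: str) -> list[Finding]:
    """Classify a piece of content; this is the one routine every channel reuses."""
    findings = [Finding("ssn", mask(m.group()), m.start()) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):  # a 16-digit ticket number that fails Luhn is not a card
            findings.append(Finding("card", mask(digits), m.start()))
    return sorted(findings, key=lambda f: f.offset)


def decide(text: str, channel: str) -> tuple[str, list[Finding]]:
    """Data in motion / in use: block on egress channels, otherwise alert only."""
    findings = inspect(text)
    if not findings:
        return "allow", findings
    if channel in EGRESS_CHANNELS:
        return "block", findings
    return "alert", findings  # e.g. an internal file share: flag for remediation


def scan_tree(root: Path) -> dict[str, list[Finding]]:
    """Data at rest: inspect every regular file under root and report hits by path."""
    results: dict[str, list[Finding]] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            hits = inspect(path.read_text(errors="replace"))
            if hits:
                results[path.relative_to(root).as_posix()] = hits
    return results


# Constructed sample content.
OUTBOUND_MAIL = "Please process the order; card 4111 1111 1111 1111 exp 12/11, ref 1234567890123456."
HR_MEMO = "Employee SSN 123-45-6789 is on file; do not forward."


def demo() -> dict[str, list[Finding]]:
    """Build a throwaway file tree and run the data-at-rest scan over it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "hr").mkdir()
        (root / "hr" / "memo.txt").write_text(HR_MEMO)
        (root / "readme.txt").write_text("Nothing sensitive here; ticket 1234567890123456.")
        return scan_tree(root)


if __name__ == "__main__":
    print(decide(OUTBOUND_MAIL, "smtp"))   # blocked: a Luhn-valid card number is leaving by e-mail
    print(decide(OUTBOUND_MAIL, "usb"))    # blocked: same classifier, endpoint channel
    print(demo())                          # only hr/memo.txt is reported, with the SSN masked
```

The point of the structure is that the perimeter scanner, the endpoint agent and the repository crawler differ only in where they get the bytes and what they are allowed to do about a hit; the classification logic, and therefore the policy, lives in one place. Real products add fingerprinting of documents, keyword dictionaries and file-type parsers on top of pattern matching, but a pattern without a validity check such as Luhn is exactly what generates the false-positive volume that causes agencies to turn blocking off.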

5. Set expectations, be clear about vulnerabilities and prioritize risks.

Although powerful tools exist, none can make all data completely secure. It is important that all stakeholders within an agency understand each tool’s capabilities. Agreement is needed on the steps required to prioritize data to be protected and incrementally implement capabilities to monitor, alert, provide content protection and generate compliance reports.