Mar 10 2011

Total Encryption

Data encryption is now a necessity for many federal IT organizations.

Security and privacy are always critical issues for the federal government, especially at the Centers for Medicare and Medicaid Services (CMS), which makes payments of $700 billion a year to 100 million Americans.

“That’s roughly 20 percent of the federal budget,” says Ryan Brewer, the chief information security officer for CMS. “And we’re dealing with citizens’ private personal health and financial information, which is a huge responsibility.”


CMS has a two-pronged approach to protecting data. For data contained within the CMS network of 4,700 workers, it relies on Check Point’s Pointsec full-disk encryption, which sits on each employee’s notebook computer. Pointsec automatically encrypts hard drives and all removable media with extremely strong encryption algorithms.

For data CMS sends to external research and academic institutions, the organization goes one step further. It uses PKWARE’s SecureZip to encrypt the data locally and send it securely to external entities. Once received, the recipient can download a free decrypter from PKWARE to securely decrypt the data.

CMS is on the right track, says Michael Spinney, senior privacy analyst with the Ponemon Institute, a security research group. In fact, a recent report on encryption by the institute found that more than 90 percent of organizations now believe that data protection is either a “very important” or “important” part of their risk management efforts, rising significantly from previous surveys.

“There was a point in time when device encryption may have been good enough, but that time has passed,” Spinney says. “With devices getting so small, people becoming so mobile, electronic communications so pervasive and hackers becoming so good at what they do, encryption at the data level is a critical piece of the security solution.”

At the State Department, data encryption is a more recent focus. Previously, the agency focused on encrypting portable devices such as notebooks and flash drives.


The average cost of a breached data record in the United States (Source: Ponemon Institute)

“These days, we’re dealing with things that traditionally haven’t been in the national security realm, but in the realm of sensitive, personally identifiable data,” says Alan Herto, the State Department’s director of systems integrity.

For some of the 3,000 notebooks it protects, the State Department uses WinMagic SecureDoc, a full-disk encryption product that works on all Microsoft operating systems as well as Mac and Linux platforms. WinMagic is implemented at the boot level, which means users must have the password to get the hard drive up and running.

For removable media, the State Department takes no chances, using only IronKey secure encrypted USB flash drives. “If they are taking data off of one of [the State Department’s] desktops, they have to use one of these flash drives, which are automatically encrypted,” Herto explains.

But data encryption is just one part of the solution, he adds. Creating ironclad security requires much more, including following proper security protocols and keeping your eyes open, Herto says.