Over the past few years, the State Department has been watching data leakage incidents among other federal agencies stack up. After an internal risk assessment clearly showed that the State Department had the potential to be next, the agency turned to data loss prevention (DLP) tools.
“We looked at the data breach at the Department of Veterans Affairs and other headlining incidents and quickly realized we didn’t want to be in the same position. That led us to DLP,” says Gary Galloway, deputy director of the State Department’s Office of Information Assurance.
DLP is software that can be deployed at the endpoint, such as a notebook or desktop, or within the network to detect and manage sensitive data, both at rest and in motion. Based on predetermined settings, the data can either be erased or quarantined as the IT staff and users are notified.
“In the past, DLP technology was targeted at very well-funded financial, government and healthcare institutions because it was considered cutting-edge security,” says Phil Hochmuth, program manager for security products at research group IDC. “That has changed as the technology has become more affordable and more organizations need this granular level of protection.”
Hochmuth considers the growing number of federal, state and industry compliance mandates to be an equally important driver for increased interest in DLP among federal agencies.
“Almost every organization now has to be careful about inadvertent transmissions via e-mail or file transfers of sensitive data [for which] they may face fines, legal repercussions or reputational damage,” he says.
In addition to the risk assessment’s vulnerability findings, the State Department received word from the Office of Management and Budget that personally identifiable information (PII) must be protected. Using available funds from the American Recovery and Reinvestment Act, Galloway led the effort to acquire Symantec’s Data Loss Prevention software and this summer plans to begin a pilot.
Before moving forward, the department’s chief privacy officer gathered all of the agency’s staffers who manage important data to nail down a definition for sensitive data. Galloway says it can be confusing, as even unclassified data can be sensitive.
“At the State Department, the vast majority of our employees are cleared at a top secret level and, therefore, need the highest protection for their personal information,” he says. “Any one or two pieces of information about them that are leaked out could lead to a national security incident.”
At this point, Galloway plans to discover where data already exists as well as monitor and automatically enforce policies on data in motion across the network. Eventually, he plans to extend DLP efforts to data at rest and the endpoints themselves. “We want to start slow so we can gauge the size and scope of the effort,” he says.
Galloway chose the Symantec software in part because it uses the manufacturer for network access control and other security tasks. The agency hopes to manage all security efforts from a single console to ease management and speed response times.
Hard at Work
At Commerce Department headquarters, DLP is already hard at work ensuring that e-mail carrying PII and other critical data can’t leave the organization. Although CIO Simon Szykman didn’t say which software the agency uses, he did say it’s an appliance that monitors e-mail traffic.
“We believe the most common mechanism for an accidental leak here at the Commerce Department is via e-mail, so that’s where we’re targeting our efforts,” he says.
The amount the U.S. Veterans Affairs Department paid to settle a class-action lawsuit that stemmed from the 2006 theft of a notebook containing data about more than 26 million veterans
“Any type of protections either have a cost associated with them or create obstacles to transmitting and communicating information,” Szykman says. “We don’t want to spend money or slow productivity for things that don’t need to be protected.”
In addition to the OMB’s PII mandate, the Commerce Department also follows other compliance regulations. He admits that sometimes the DLP blocking results in false positives, but “it’s better to have those than a real case of lost data.”
When an e-mail is stopped, users receive an automated message explaining why and how they can get their message released. This is paired with awareness training on the options for securely sending e-mail and attachments such as encryption.
The key to DLP success, according to Szykman, is to pull in data owners at the start and educate them as to what information is sensitive to the organization. “There is no cookie-cutter answer — each agency has to assess its own mission,” he says.