Aug 02 2011

NASA Revamps Data Protection Strategy

Space agency does comprehensive risk assessment to ensure proper information protection.
by

Sandra Gittlen is a freelance journalist and a regular contributor to the CDW family of technology magazines.

In its December audit of the space shuttle program, NASA’s Office of Inspector General (OIG) concluded that a serious potential for data leakage existed. Although some CIOs likely would have cringed at the report, Goddard Space Flight Center CIO Adrian Gardner considered it the perfect opportunity to identify and correct problematic data protection processes.  

“The OIG made it very clear that if we did not take action, there would be a possible situation where data loss could occur, so we’re taking action,” Gardner says. The OIG expressed concern about inadequate data protection policies at the center level and a lack of communication between the sanitization and disposal teams in IT and property management.

A Team Approach

NASA quickly assembled a team to examine people, processes and technologies at the agency’s nine centers and its Jet Propulsion Laboratory. “What we ended up finding was that there were significant challenges beyond policy and awareness,” Gardner says. “We had to revamp our whole data protection strategy.”

What the agency needed was a top-to-bottom risk assessment regarding the lifecycle of every system, including those embedded within aircraft and associated robotics, retail support, finance and the overall network. “We definitely realized we needed a deeper dive than even they suggested. They were on point, and we used it as a catalyst to drive change for future NASA projects,” he says.

As they dug through these systems, looking for sensitive data, a light bulb went off. They had been operating under a sensitive versus not-sensitive view of data when there were clearly gray areas to consider.

“Saying every piece of data in the shuttle program is sensitive is not a correct stance because there could be some that isn’t. We can’t apply a pure destruct model,” Gardner explains.

This is particularly true because as the shuttle program is phased out, it often finds life beyond NASA. Rather than being disposed, mission equipment is often sent to space centers as exhibits, reused for other NASA purposes and donated to schools to support education. These are the systems that go through the sanitization process to remove all sensitive data.

Color Schemes

Gardner and the team decided that they had to implement a sensitivity scale: red systems, those containing highly sensitive data, would be destroyed; yellow, systems that might have housed protected data such as personally identifiable information, would be reviewed; and green would be deemed safe to repurpose outside of NASA to schools and other outside institutions.

Once security leaders and other data managers had this chart in mind, they looked at actual processes and saw a glaring flaw. Data was being labeled as sensitive or not at the end of a system’s lifecycle by the disposal, sanitization and property management teams — not the data owners.

Gardner says the risk assessment report, which was circulated for review in April and is expected to be finalized shortly, clearly states that data must be assigned a color code at its inception by the creator or an agency policy. The team plans to enforce this among the 40,000 federal workers and contractors that interact with the agency. Already, language to this effect is being inserted into new contracts.

To ensure these policies are followed, Gardner also hopes to deploy data loss prevention (DLP) software. He considers this the next phase of the effort, after NASA has approved the risk assessment findings.

DLP software can be deployed at the endpoint, such as a notebook or desktop, or within the network to detect and manage sensitive data at rest and in motion. Based on predetermined settings, data can be erased or quarantined as the IT staff and users are notified.

This technology, in conjunction with end-user training, will give greater visibility and control over where data resides and how it is treated throughout its existence, Gardner says. It will facilitate a common approach towards assessing data’s potential for loss among user communities and sectors.

In a way, Gardner is thankful for the OIG report. “By going through this exercise, NASA is in a much better position to address our challenges and get data protection right,” he says.

Tips for Getting DLP Right

When starting a data leak prevention project, take it one step at a time, advises Eric Ouellet, research vice president at Gartner.

Too many organizations get “click-itis,” he says, and they enable all data leakage or loss policies, and then end up with too many false positives. A document containing a number format similar to that of a Social Security number might catch the attention of the DLP tool unnecessarily.

“Start with three policies, or four, max,” Ouellet suggests. “Start with what’s most egregious and work from there. Take six months or so and learn the solution, and learn about your data.” He recommends that agencies use the government’s data classification scheme to organize and prioritize data.

And, he says, DLP shouldn’t stay solely in the hands of IT. When it comes time for a decision on whether an event was inappropriate, or whether it was simply a DLP misconfiguration, the program side should take care of that, he says, not the security team.

DLP can also help an agency learn more about its own processes, as well as the documented and undocumented policies that an agency uses each day, Ouellet says. — Christine Cignoli

Related Articles

Close

Become an Insider

Unlock white papers, personalized recommendations and other premium content for an in-depth look at evolving IT

Subscribe Now