Aug 20 2012

How Agencies Keep Mobile Data Safe

Encryption technology protects data on notebooks and other mobile devices.

When news broke that a Veterans Affairs Department notebook computer and external hard drive that included personal information for more than 26 million veterans were stolen in 2006, many federal agencies sat up and took notice. A month later, the Office of Management and Budget issued stringent new security policies that included a mandate to encrypt all data on notebook or handheld computers unless the data was classified as nonsensitive by agency leaders.

That mandate pushed the Census Bureau, like many other agencies, to adopt a full-disk encryption standard for its notebook computers. By early 2007, every Census Bureau notebook issued to employees was equipped with full-disk encryption. Today, that’s 960 notebooks for headquarters staff and more than 6,000 for field employees and teleworkers.

“Our field reps conducting surveys around the United States have to comply with Title 13, which protects citizens’ and businesses’ private information, and our administrative staff and teleworkers always have to be careful about personally identifiable information,” explains Mark Markovic, assistant division chief for customer support in the Census Bureau’s LAN Technology Support Office.

To access their hard drives, employees enter a user ID and password before the operating system loads; the credentials unlock the disk's encryption key, and the data on the drive itself remains encrypted at rest and is decrypted only as it is read. The Census Bureau also has policies in place to regulate what information may be downloaded to or removed from the hard drive.

Protecting sensitive data is one of the main reasons that organizations implement endpoint encryption, says Eric Ogren, CEO of the Ogren Group.

“If you’re going to implement an endpoint encryption solution, look for a product that is transparent to the user, impossible for individual users to disable, and doesn’t frustrate users who need quick access to data,” he advises.

Officials at the Federal Deposit Insurance Corp. were similarly affected by the mandates that came out after the data breach at Veterans Affairs. Russell Pittman, CIO and chief privacy officer of the FDIC, first tried file-based encryption in an effort to avoid problems with employees attempting to remotely access their computers from home.

“We were trying to avoid full hard-drive encryption, because if they turn off their notebook before leaving work or it is rebooted, they can’t access it and work remotely,” Pittman says.

After using file-based encryption for about six months, however, it became clear that it wasn't protecting data adequately. The control only covers what lands in the encrypted folder: employees testing it would sometimes inadvertently save data to the desktop or create a new, unencrypted folder, leaving that data in the clear.

Because security trumps convenience, the agency moved to full-disk encryption. Today, every one of the approximately 12,000 notebooks used by agency employees must comply with a policy to automatically encrypt the hard drive using FIPS 140-2 validated encryption (FIPS 140-2 is a validation standard for cryptographic modules rather than an algorithm in its own right).
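The FDIC failure mode above (sensitive files saved outside the one encrypted folder) is exactly the kind of gap a scan can surface. The following is an added example, not code from the Census Bureau, the FDIC or the article: it builds a constructed home directory that mirrors the situation described, then walks it and reports every file that looks like it holds PII but sits outside the designated encrypted folder. The PII regexes (a US SSN shape and a 16-digit card-number shape), the folder names and the `build_sample_tree` helper are all assumptions made for the demonstration, not anything the agencies use.

```python
"""Audit for sensitive files saved outside an encrypted container.

Added example (not Census Bureau or FDIC code). With file/folder-based
encryption only data inside the designated folder is protected, so the
control fails silently whenever a user saves to the desktop or creates a
new folder. This scan walks a home directory, flags files whose contents
match simple PII heuristics, and reports those outside the encrypted
folder(s). The directory tree it scans is constructed here.
"""
import os
import re
import tempfile
from pathlib import Path

# Heuristic PII patterns chosen for the example (a real deployment would use
# a DLP classifier); these are assumptions, not patterns from the article.
PII_PATTERNS = {
    "ssn": re.compile(rb"\b\d{3}-\d{2}-\d{4}\b"),
    "card": re.compile(rb"\b(?:\d{4}[ -]?){3}\d{4}\b"),
}


def classify(data):
    """Return the set of PII pattern names found in a file's bytes."""
    return {name for name, rx in PII_PATTERNS.items() if rx.search(data)}


def find_unprotected_sensitive_files(root, encrypted_dirs):
    """Walk root; return sorted (relative path, kinds) for sensitive files
    that are not under any of encrypted_dirs."""
    root = Path(root).resolve()
    safe = [Path(d).resolve() for d in encrypted_dirs]
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath, name)
            try:
                data = p.read_bytes()
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            kinds = classify(data)
            if not kinds:
                continue
            if any(s == p.parent or s in p.parents for s in safe):
                continue  # inside an encrypted folder: protected at rest
            findings.append((p.relative_to(root).as_posix(), sorted(kinds)))
    return sorted(findings)


def build_sample_tree(root):
    """Create a constructed home directory mirroring the failure mode and
    return the path of the encrypted folder (hypothetical layout)."""
    root = Path(root)
    enc = root / "Encrypted"
    for d in (enc, root / "Desktop", root / "Documents" / "Survey 2012"):
        d.mkdir(parents=True, exist_ok=True)
    # Correct usage: PII stored in the encrypted folder.
    (enc / "case-0412.txt").write_text("Claimant SSN 123-45-6789\n")
    # Failure mode 1: the same kind of data saved to the desktop.
    (root / "Desktop" / "notes.txt").write_text("call back re SSN 987-65-4321\n")
    # Failure mode 2: the user created a new, unencrypted folder.
    (root / "Documents" / "Survey 2012" / "respondent.csv").write_text(
        "name,card\nJ. Doe,4111 1111 1111 1111\n")
    # Benign file: no PII, should not be reported.
    (root / "Documents" / "readme.txt").write_text("nothing sensitive here\n")
    return str(enc)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as home:
        enc = build_sample_tree(home)
        for rel, kinds in find_unprotected_sensitive_files(home, [enc]):
            print(f"UNPROTECTED {rel}: {', '.join(kinds)}")
```

Run on the constructed tree it reports the desktop note and the file in the newly created folder but not the file inside `Encrypted`, which is the distinction full-disk encryption makes irrelevant: with the whole volume encrypted there is no "outside" for a user to save into.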

The percentage of organizations that have lost data during the past 12 months as a result of the use of insecure mobile devices

SOURCE: “Global Study on Mobility Risks” (Ponemon Institute, 2012)

“Unlike file encryption, where people could get to the hard drive and try to run things against the encrypted partition, nobody can access the hard drive without the right credentials when you’re using full-disk encryption,” Pittman says.

As for the Census Bureau, a plan is already under way that may relegate full-disk encryption to the back burner. The agency is in the midst of a virtual desktop infrastructure implementation, which will allow employees using any computing device to access files and applications from a private cloud, while prohibiting them from storing data to those devices.

“We’re rolling it out to field personnel now, and it’s also our solution for teleworking,” Markovic says.