Government IT - The Data Debate
By Guy Helmer, AVP, DLP Development, Absolute Software
Information security challenges and government IT seem to go hand in hand. Nowhere is there a more regulated space within which IT must work to protect large amounts of sensitive data and guard against security incidents that may put the data (and the organization) at risk.
Couple this with the budgetary restraints and ever-diminishing resources most government agencies face – and the challenges to IT can seem insurmountable.
The early years of my career were spent at a public university where I worked on IT projects with state agencies that were involved in federal programs. So I am no stranger to the complex information security challenges IT encounters within the government sector.
Today, appropriate security to prevent leaks of confidential information remains top-of-mind. Numerous unfortunate data losses from state and federal agencies over the past several years have served to reinforce industry concerns and prompted me to share my experiences to promote the security of government data.
It’s important to note that many government agencies work with confidential personal information – be it academic, financial or medical. So protecting this data is not only of legal and regulatory concern, but also a matter of good stewardship.
It’s All About the Data
In the days of the mainframe and hard-wired terminals, it was much easier to identify data that was in use, by whom, where it was stored, and how data was archived.
With the advent of mobility, PCs, laptops, and ultra-portable devices such as tablets and smartphones have “democratized” access. As a result, data usage – often anywhere, anytime, by anyone – and the security landscape have become much more complicated.
Over the years I’ve found that employees can be very creative in terms of how they access and use data – often in ways that would horrify management if only they were aware.
I’ve seen numerous examples of employees “getting the job done” by using data in unexpected ways – such as confidential data transmitted via clear-text email attachments to other agencies – examples that simply beg for better oversight and protection.
Government Data Best Practices
In today’s IT environment, managers need to track:
• What data is in use
  o Content discovery tools can help
• Where data is stored over its lifecycle
  o Not only online, but backups and archives
• Who uses the data
  o Appropriate access controls must be in place with usage monitored
With an understanding of these data security parameters, managers can prioritize security improvements for specific data and/or systems based on highest risk.
Government Data Protection
Encryption: For today’s mobile workforce, encryption of data at rest (stored in files) and data in motion (traversing the network) has become a fundamental security control. Windows BitLocker and Mac OS X FileVault are among the tools commonly used to encrypt data on laptops. SSL VPNs can help ensure security of data accessed over the network regardless of location.
Inventory: An inventory of devices (laptops, workstations, servers) is important, along with respective owners, knowledge of the data on each device, and – most importantly – up-to-date records for all of this. Device security technology exists to help maintain and preserve inventory, determine when a device has gone missing, and to assist in relocating it. The same technology can also provide file retrieval and delete services if a device is unlikely to return.
Lifecycle management: Devices that are no longer in service must be appropriately taken out of service, including end-of-life protocols to ensure no data remains on a device after it has been decommissioned.
Data Monitoring: Monitoring data-at-rest and data-in-motion with content-aware data loss prevention systems ensures up-to-date insight into who’s using what data and where that data resides. Complete content-aware data loss prevention solutions can discover where confidential data resides, uncover any surprises, and manage transfers of data via removable media, email and web services.
Network Usage: Employees visiting “sketchy” websites are often a major source of malware infections. Implementing a reasonable network acceptable use policy and enforcing it with a web management solution not only improves bandwidth utilization and reduces time spent on unproductive activities, but can also block employees from accessing sites that could be loaded with dangerous malware.
What the Future Holds
Cloud services: The growth of SaaS services has raised interesting challenges for IT security managers. File services such as Dropbox, SkyDrive, and Google Drive allow users to easily move between laptops, tablets, smartphones, and even the office PC so they can review, edit, and share documents whenever and wherever the need arises. Free email services like Gmail and Outlook.com allow users to avoid the restrictions and policies of corporate email systems.
Social Media: Government employees often have privileged access to confidential data for people of interest, and the temptation to share information on social media sites can be strong. Include appropriate social media activity within your acceptable use policy.
BYOD: Many government agencies have existing policies that seem to discourage employees from bringing a self-owned device to work. However, in many instances employees may be using their own devices for work-related tasks regardless of the rules. And if current trends are any indication, BYOD will continue to grow. Keep an open mind and stay current on the supporting processes and technology. You may find yourself supporting a BYOD policy sooner than you anticipate.
There are plenty of useful products and technology on the market that government agencies can implement to properly secure data – including budget-friendly options for organizations with limited resources.
But as with any security protocol, the devil is in the details. Simply deploying a data monitoring, encryption, or other data security option isn’t enough.
If you take the time to understand your users and your data, you can build a strategy that supports your reality. This insight will allow you to select the most appropriate path and the necessary infrastructure so your organization can become a good steward of the data you’re entrusted to protect.