Stacey McDaniel
Data loss isn't a problem that's restricted to a single agency. Rather, it's a government-wide concern. Data loss represents a persistent and omnipresent threat to the vital electronic records that our country relies upon to operate.
A House Government Reform Committee report found that 19 federal agencies have reported at least one loss of personally identifiable information since January 2003. It is worth noting that the vast majority of data losses arose from physical thefts of portable computers, drives and disks, or unauthorized use of data by employees.
Here are just a few of the incidents that involved mobile devices and related hardware:
- May 2007: The Transportation Security Administration investigates the possible loss or theft of an external hard drive that contained the payroll data of about 100,000 current and former employees.
- May 2006: The Department of Veterans Affairs announced that a laptop containing the personal information of approximately 26.5 million veterans and active duty members of the military was stolen from the home of a VA employee.
- April 2006: The Department of the Treasury learned that an IRS employee laptop containing 48 corporate taxpayer records and four individual taxpayer records had been stolen.
- March 2006: The Department of Defense confirmed the loss of a thumb drive containing personal records on approximately 207,570 enlisted Marines who served between 2001 and 2005.
Easy to use...and to exploit
Portable devices, like laptops, PDAs and handhelds make it easier for government employees and contractors to perform work outside of the traditional physically secure office environment. However, the portable and lightweight nature of these devices also makes them an attractive target for theft. Not only that, but because they are designed for employees to access the network remotely, these devices also offer an easy path into the network for unauthorized users.
Three-pronged approach
So how does an agency protect data that is being accessed by an assortment of endpoints from a variety of locations? The answer is not just about data security, but also endpoint and network protection:
- Protect data infrastructure: IT needs to implement security procedures that protect critical data inside network boundaries, while ensuring the security policies regarding data use are enforced, regardless of where the data is being accessed from. Security measures shouldn't interfere with keeping applications and the infrastructure reliable and responsive. Keep operations as simple and as standardized as possible -- backups should be centralized and metrics can be used to help resolve problems and restore performance quickly.
- Secure mobile devices: More government employees than ever are teleworking and even more use mobile devices on an occasional basis to perform work-related functions from outside the office. That is why it is so crucial that agencies ensure that mobile devices used to store, transfer and process data are secured. This includes protecting the data from unauthorized use, should the device be stolen or lost. Endpoint security solutions are available that will keep the devices compliant with the agency's security policies and up-to-date with the latest security features.
- Safeguard data transfer: This requires a layered approach that stops potential threats from appearing at network gateways, via end users, or at archiving and storage systems. The solution should enable all relevant email messages and data transfers to be delivered and stored in a secure (and accessible) location. The overall solution will also include anti-spam, fraud, virus, and spyware protection, as well as threat protection software enabled for all network tiers across all mobile devices.
Conclusion
Once an agency is confident that its data infrastructure is secure and those who access it will not pose undue threats, other goals can be achieved. These goals include increased inter-agency sharing, a more realistic continuity of operations plan (COOP) and the opportunity for more employees to telework. Achieving data security in a mobile environment requires a comprehensive, agency-wide effort. Employees must be educated on the proper use of devices and safe practices and the data infrastructure must be secured at all levels, down to the devices that connect to it.
Stacey McDaniel has been writing about high-tech issues for more than six years.