With encryption effort, Education built on others' work
The Education Department is the first agency to use the government’s new Personal Identity Verification smart identification card for signing on to laptops and decrypting data on their hard drives. But the department did not tackle the challenge alone. Agencies don't need to reinvent the wheel for every information technology program, said Phillip Loranger, the department's chief information security officer.
When faced with a challenging program, “look around and see what the rest of the country is doing,” Loranger said. “The chances are some people already are doing a part of what you are trying to do. There are very few programs that are doing something that nobody else has done before.”
Education put together a team of department and vendor personnel to design its new system to protect sensitive data on mobile devices with full-disk encryption. They found others who already were working with PGP encryption, PIV cards and Microsoft’s Active Directory. “But nobody had done all three,” Loranger said. However, the individual experiences of those other groups helped the team integrate the three elements.
PGP found that although it is not difficult to write interfaces for smart-card drivers, testing a system to work with all available drivers is a challenge. Nothing works out of the box in the complex environment created by smart cards and readers provided by different manufacturers, said company CEO Phillip Dunkelberger.
To be effective, the result must be easy to use and beneficial to users and administrators, even when the environment is not complex.
“The security guy can’t do it by himself,” Loranger said. “He has to use the [chief information officer's] infrastructure, so he has to know the business case and the return on investment going in.”
William Jackson is a senior writer for GCN and the author of the CyberEye blog.