William Jackson | Cybereye: Protecting data: Enforcement is the glue
As of one week ago, Aug. 7, agencies are supposed to be in compliance with executive branch guidelines for protecting sensitive information. The Office of Management and Budget issued a memo June 23 in response to high-profile leaks of personal data, most notably the Veterans Affairs Department's loss of records on 26 million people.
'Most departments and agencies have these measures already in place,' said Clay Johnson III, deputy director for management, in the memo.
And therein lies the problem. It is possible for an agency to have the prescribed measures in place and still lose control of sensitive data because the measures apply only to authorized access. They say nothing about deciding who should have access to data and under what circumstances. Effective access control policies are the first step in securing data, but the memo says little or nothing about those policies or how to enforce them.
It is, of course, essential to secure sensitive data that has been legitimately cleared for remote use. But no one should congratulate themselves that the job is done once OMB's guidelines have been implemented.
The OMB memo reminds agencies that they should be using a checklist from the National Institute of Standards and Technology for protecting data.
In addition, it recommends that agencies encrypt data that leaves an office, require two-factor authentication for remote access and ensure remote copies of data are erased when no longer needed.
That's all well and good. But the first thing an agency should do is ask itself, 'Why should any sensitive data be allowed out into the world?' If there is no reason for it, requirements for remote access and encryption are moot, because the data should never show up on a laptop or someone's home PC. The second question is, 'If we want data to stay put, how do we make sure it is not improperly downloaded?'
The NIST guidance cited by OMB pays scant attention to these two vital questions. The policy evaluations outlined in NIST special publications focus on securing data already cleared for remote access or outside use. It says nothing about protecting data that should not be removed, which should be the bulk of the sensitive data. This means you could be following OMB's and NIST's guidelines to the letter and still have people downloading sensitive data and walking out the front door with it.
Securing data against unauthorized access can be difficult. It requires not only proper policy backed up by technology to enforce it, but diligent monitoring of logs and alerts. It is not enough to use event logs to find out what happened to your horse once it's out of the barn. You should know when the horse is leaving and have someone available to stop it before it gets away.
At that point, physical and IT security merge, and a whole new host of complications arise, many of them political and organizational. And that's something we'll take up in a future column.
William Jackson is a senior writer of GCN and the author of the CyberEye blog.