A key to mobile security
Encrypted flash drives protect Washington's child support data <@VM>Sidebar'Transition game
- By William Jackson
- Apr 24, 2008
Washington state's Division of Child Support (DCS) knows well the challenge of handling sensitive information that, out of necessity, goes mobile. DCS collects and enforces child support payments statewide ' 3 million payments totaling $700 million a year. Its agents use bank account and employer information, Social Security numbers, tax returns, and other personal data in managing the 350,000 cases open at any one time.
Sometimes that data must travel with agents in the field, which could leave it vulnerable. The division's answer was encrypted flash drives.
'We identified some problems with the way the data was moving,' said Brian Main, data management and production operations manager at DCS. USB thumb drives were a convenient way for employees to carry and use large amounts of data in the field or when moving between offices, but 'we didn't know what they had on them or where they were.'
There are about 1,200 DCS workers in 11 offices statewide and about 300 more in 37 prosecutors' offices. Employees can send encrypted files via the network, but not all offices are on the same network, and sometimes there are problems getting large files through firewalls. So a sneakernet often is the most convenient way to move the electronic files. 'A lot of the day-to-day stuff is carried on thumb drives,' Main said.
Concerns about the small drives began cropping up about 18 months ago, he said. The risk had existed before, with information on floppy drives and writable CDs, but the situation was becoming more serious with the small, powerful flash drives, Main said.
The answer was to make a virtue of necessity.
Officials decided that if employees were going to use USB drives, the division should protect and manage them. At first, the division couldn't find all the features it wanted, including the ability to:
- Encrypt automatically. 'We wanted to take out the human component' by eliminating any decisions by users on whether or what to encrypt, Main said.
- Track the devices.
- Track data on the devices. 'In case of a loss, you needed to be able to notify clients,' so you have to know what data is on each device.
- Back up data automatically so it can be restored if necessary.
- Centrally manage and lock down the devices.
'It wasn't until the last nine months that we found what we wanted,' Main said. That turned out to be the Cruzer Enterprise USB flash drive and Central Management and Control (CMC) server software from SanDisk.
DCS bought 200 of the drives with management software in January and is in the process of issuing them to employees.
The Cruzer Enterprise model has mandatory encryption of all data, which users access with a strong password. On the first power-up, a random number generator creates a 256-bit key for the Advanced Encryption Standard encryption.
The user sets the policy for the strength of the password required to access the key. The drive comes with 1, 2, 4 or 8G of memory ' DCS is using the 2G model ' and has a read speed of 24 megabits/sec and write speed of 20 megabits/sec. Prices range from $80 to $300.
Each device authenticates to the servers with a digital certificate, and the manager can set policies for tracking and backing up data on each drive when it is connected to the network.
Policies also can be set to lock the device after a set number of failed password attempts and issue a kill order to wipe drives that have been reported lost or stolen. Keys can be set up to work with any computer or work only on a managed network with access to the CMC server.
The Cruzer is undergoing testing for Federal Information Processing Standard 140-2 Level 2 certification for use by federal agencies.Sometimes the hardest part of introducing a new technology is phasing out the old.
Washington state's Division of Child Support is standardizing on encrypted Cruzer Enterprise USB drives for moving and transporting sensitive personal information in the field.
'We're in the early stages of rolling them out,' said Brian Main, head of data management and production operations manager at the division. 'So far, it's been relatively painless.'
But deploying centrally managed, secure storage devices also means accounting for old, unmanaged devices and the data they contain. 'The biggest issue we're facing so far is getting the old stuff back in from the field,' Main said.
The division also is deploying digital certificates to authenticate the devices.
To do this, it had to get a waiver from the state's central information technology department, which has a monopoly on digital certificates for the state.
'When they get caught up, we will begin using central certificates' from the IT department, Main said. ' William Jackson
William Jackson is freelance writer and the author of the CyberEye blog.