When you take work home, make sure security goes with it
- By William Jackson
- May 22, 2006
One of the great things about mobile computing is that it's mobile. You can take data anywhere. The bad thing is that it's mobile: someone else can take your data anywhere, too. This includes data on laptops, key drives, personal digital assistants, rewritable CDs, and even hard disks, plus data over remote connections between your home PC and a server at work.
As I write this, the Veterans Affairs Department has just told the world that one of its employees lost personally identifiable data, including Social Security numbers, for about 26 million veterans. It's not clear yet what form the data took or what medium it was stored on when it wandered off. So far, it appears no one has used the information.
The fact is laptops, PDAs, etc. are used so routinely they become just another part of your wardrobe, and familiarity breeds contempt. The data you put on a mobile system may be just another night's work to you. But it could be worth millions to someone else, and no matter how routine the work you're doing, government workers should be prepared to treat it as if it were worth millions.
The cardinal rules of mobile security should always be as follows: If you don't absolutely, positively need to have sensitive data on a laptop, for instance, don't put it there. If you do need it, don't leave it there any longer than necessary. And if you absolutely, positively must take it home, to another office or to a hotel somewhere, secure it.
A diamond merchant would not bring a case of jewels home and leave it lying around. A government laptop shouldn't be treated any differently.
But let's be reasonable. You're not going to put a laptop in a titanium case with a time lock and handcuff it to your wrist. People are going to continue to put sensitive data on mobile devices and leave them sitting in unsecured offices, on trains and in the back of taxis.
A survey of 935 cabbies in nine countries by Pointsec Mobile Technologies Inc. turned up 85 notebook computers, 227 personal digital assistants and 2,238 cell phones lost in cabs in the second half of 2004. An estimated 4,425 notebooks are thought to have been left in Chicago's fleet of 25,000 cabs alone.
The least that agencies and government employees can do is make sure any sensitive data they put on a mobile device is protected. One of the simplest ways to do this is to encrypt it. Encryption is commonly used in transmitting data, but rarely when it comes to data at rest.
That doesn't have to be the case. There are plenty of products out there that could be used to encrypt selected files or full disks, and the government has approved a number of them for federal use.
The National Institute of Standards and Technology has approved more than 600 products under the Federal Information Processing Standard 140 for cryptographic modules. Although FIPS 140-1 was superseded in 2001 by FIPS 140-2, products validated under the original standard still may be used in government applications. A third-generation standard, FIPS 140-3, is in development.
Pointsec has a FIPS 140-1 validated hard drive encryption application to protect data stored on mobile digital devices. WinMagic Data Security of Mississauga, Ontario, also has a FIPS validated whole-disk encryption product that uses 256-bit AES encryption to offer state-of-the-art data protection. Among the new security features to be included in the new Windows Vista operating system is a full-disk encryption utility that will use 128-bit AES encryption. This will not be available before next year, but consider using it when you get your next laptop.
Laptops and PDAs aren't the only weak spots in mobile security. Increasingly small and powerful devices such as USB key drives are making data-to-go more common. When you consider the number of keyrings that are lost every day, the gigabytes of data at risk is staggering. Fortunately, companies such as Centennial Software Ltd. are offering products to automatically encrypt files as they are transferred to a USB drive, using 256-bit AES encryption.
No security is perfect, but the more attention you pay to the data you're carrying around with you, the less likely it is that you will be the subject of a news conference explaining how the personal data of millions of people has been exposed.
William Jackson is a senior writer for GCN. His Cybereye column appears regularly in Government Computer News and at GCN.com.
William Jackson is a Maryland-based freelance writer.