Last week, several news agencies reported that a major Federal agency suffered a breach of personally identifiable information of approximately 45000 employees. If you’ve worked with this agency, you’d know that they invest a very large sum in information security, and have arguably one of the best funded perimeter defense systems of any civilian agency.
The problem this agency faced was that there was no technology in place that could look at sensitive data from a business process level. There was no technology that could understand what sensitive data was, where it resided, and how it was being used. There was no technology in place that could have identified and stopped the inappropriate use of sensitive data. And there should have been.
How the Plan Could Be at Risk
The stimulus plan focuses on innovative ways to improve government, including
* electronic patient records,
* new technologies to foster energy independence,
* and improved transparency of spending.
All three of these initiatives have something in common: the release of sensitive information could derail the adoption and/or continuation of these initiatives.
One of the benefits of patient records is also one of the greatest fears of patient records: patient records are much easier to access. What happens if the technological advancements that our taxpayers fund become a competitive advantage to another country due to a data leak? Will we decide to become less transparent fiscally if sensitive data gets mixed in with data in the public domain?
The security issues mentioned above are largely invisible to the traditional arsenal of network-based security products. In order to protect against these types of risks, Data Loss Prevention technologies need to be implemented.
It’s time for Data Loss Prevention
It’s been over two and a half years since the Office of Management and Budget issued memorandum MO6-16, which “requested” that all government agencies deploy data encryption on hard drives. At that time, Data Loss Prevention was in its infancy, and probably not yet practical for large government agencies. DLP is here now. It’s real, it’s solid, and it works.
MO6-16 pretty much solved the issue of data loss from the lost laptop. If a drive is lost, it’s encrypted, end of story. However, once those laptops are turned on, it’s a different story. Disk encryption does nothing to protect data in motion. Data encryption can’t protect against the user who sends information to the wrong party, or who posts private information on a public website. Neither can IDS, firewalls, or antivirus. These types of problems can be identified and remediated using DLP.
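As an added illustration of the distinction drawn above (example code, not from the original post or any DLP vendor), here is a minimal content-aware check of the kind a DLP gateway applies to messages in motion: it looks for formatted SSNs, discards implausible ones to limit false positives, and blocks only when PII is addressed to a recipient outside the agency. The domain names and sample messages are assumptions.

```python
import re
from dataclasses import dataclass

# Domains treated as inside the agency (hypothetical names, not from the article).
INTERNAL_DOMAINS = {"agency.example.gov"}

# Formatted US Social Security Number; plausible_ssn() trims false positives.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject numbers the SSA never issues: area 000, 666 or 900-999; group 00; serial 0000."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"


def count_ssns(text: str) -> int:
    """Number of plausible SSNs found in a message body."""
    return sum(1 for m in SSN_RE.finditer(text) if plausible_ssn(*m.groups()))


@dataclass
class Message:
    sender: str
    recipients: list
    body: str


def evaluate(msg: Message) -> str:
    """Decision a content-aware DLP gateway makes on a message in motion:
    allow (no PII), alert (PII between internal parties, logged for review),
    block (PII addressed to any recipient outside the agency)."""
    if count_ssns(msg.body) == 0:
        return "allow"
    domains = {r.rsplit("@", 1)[-1].lower() for r in msg.recipients}
    return "block" if domains - INTERNAL_DOMAINS else "alert"


# Constructed sample traffic: fictional people, addresses and numbers.
SAMPLE = [
    Message("hr@agency.example.gov", ["payroll@agency.example.gov"],
            "New hire J. Doe, SSN 123-45-6789, starts Monday."),
    Message("analyst@agency.example.gov", ["analyst.home@webmail.example.com"],
            "Roster backup: 219-09-9999, 078-05-1120, 457-55-5462"),
    Message("procurement@agency.example.gov", ["vendor@supplier.example.com"],
            "Please reference order 000-12-3456 and ticket 900-11-2222."),
]


def run_sample() -> list:
    """Verdict for each sample message, in order: alert, block, allow."""
    return [evaluate(m) for m in SAMPLE]
```

A real deployment would add more classifiers (names, account numbers, document fingerprints) and inspect web uploads and file shares with the same policy, since the third message shows the gateway must also avoid blocking ordinary business traffic.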
Federal IT organizations have limited resources, and the decision to use Disk Encryption was escalated in the budget process due to MO6-16. A similar sense of urgency needs to be applied to Data Loss Prevention, and this could be accomplished by amending this directive.
Talk to me.
I’d welcome a chance to hear from you. I’d be happy to walk through the technology and provide you with an overview of the state of DLP technology today.