Protocols for securing private information changed for the U.S. Department of Veterans Affairs (VA) IT department after a laptop housing data records of more than 26 million veterans was stolen in May 2006. This experience made it painfully obvious to the department that it lacked adequate IT security, said Charles De Sanno, executive director of VA Enterprise Infrastructure and Technology Engineering.

"We needed to rapidly move ahead with strict measures regarding policy and technology to ensure a harder environment, securitywise, to protect veterans' data," De Sanno said.

Microsoft's Rights Management Services (RMS) solution provided that critical security enhancement. RMS protects the VA's data from information theft and leakage by providing persistent encryption protection technology. RMS also gives the VA more control of its documents by managing who can view, edit, print and copy them. No one except the author of the content or someone given full-control rights can remove the persistent protection from e-mails and documents.

This addresses a weakness of public key infrastructure (PKI) security, which ensures e-mails are encrypted only in transmission and not once the e-mail is opened. RMS is viewed as an enhancement to PKI because the public key technology is still used and required for digital signatures.


Moving Ahead to a Secure Solution

In December 2006, De Sanno brought the rights management issue to the VA's CIO and the administration's Information Protection Group with projected costs and a timeline for improvement. The VA already owned Microsoft's Windows Server 2003 RMS and had been testing the product for the past two years. This information protection technology works with RMS-enabled applications to safeguard digital information from unauthorized use.

The organization approved the purchase of the necessary infrastructure and ancillary products to make Microsoft's RMS 100-percent compliant with the VA's computers. It required, for example, an add-on for more than 7,500 BlackBerry users to read RMS-enabled e-mail on their mobile technology.

The infrastructure requirements included continuity of operations failover to ensure service in the event of a server crash, as well as 4.6 terabytes of storage area network (SAN) disk space for the databases, and hardware security modules to house the "keys to the kingdom." Microsoft SQL 2005 mirroring also will be used, rather than SAN-to-SAN replication, to keep the RMS databases synchronized with one another.

De Sanno said the VA identified the required cost and issued an RFP for vendors. After the 2006 data breach, however, a prolonged time frame wasn't appropriate. Some production systems were running RMS after two years of testing, so De Sanno said the VA expanded this approach and deployed the RMS client beginning in January 2007 in a "quiet" mode, which ensured employees could use it once the infrastructure was up and running. Through its aggressive timeline, rollout to 250,000 desktops took only eight months.

"Ultimately we didn't want to wait for the infrastructure," De Sanno said. "Getting our hardware purchased took longer than the whole rollout."

The VA didn't have any specific challenges with the RMS deployment, said De Sanno. From a systems management point of view, he said it was straightforward. "With any IT product, it's imperative users are trained in the solution," De Sanno said. "We're providing education and awareness through factoid documents and a Web presence. Classes will begin later, but there is a significant awareness out there."


Transitioning After Deployment

With deployment of the RMS client to the VA's 250,000 desktops finished, De Sanno said the organization's next goals are bringing up additional hardware as well as software to read e-mail messages on BlackBerrys. The new servers provide the hardware infrastructure that ensures rights authentication is issued. The key is checked for rights management through this hardware infrastructure, and once the key validates, the message is allowed to be read or encrypted.