Persistent Encryption Strengthens Information Security at the VA

Rights management technology controls ability to view, print, copy and e-mail documents.

by / April 8, 2008

Protocols for securing private information changed for the U.S. Department of Veterans Affairs (VA) IT department after a laptop housing data records of more than 26 million veterans was stolen in May 2006. This experience made it painfully obvious to the department that it lacked adequate IT security, said Charles De Sanno, executive director of VA Enterprise Infrastructure and Technology Engineering.

"We needed to rapidly move ahead with strict measures regarding policy and technology to ensure a harder environment, securitywise, to protect veterans' data," De Sanno said.

Microsoft's Rights Management Services (RMS) provided that enhancement. RMS protects the VA's data from theft and leakage with persistent encryption: the content stays encrypted wherever the file or message travels, and it can be opened only by an RMS-enabled application that has obtained a use license for that particular user. RMS also gives the VA control over its documents by specifying who can view, edit, print, copy or e-mail them. No one except the author of the content or someone granted full-control rights can remove the protection from e-mails and documents. The controls are enforced by the RMS-aware application that opens the content, so they govern what the software will do, not what a camera pointed at the screen will capture.

This addresses a gap in conventional public key infrastructure (PKI) e-mail protection: an S/MIME-style encrypted message is protected in transit and in the mailbox, but once the recipient decrypts it, nothing prevents the plaintext from being forwarded, printed or copied. RMS is positioned as a complement to PKI rather than a replacement, since public key technology is still used and required for digital signatures, and RMS itself relies on public key certificates for its servers and users.


Moving Ahead to a Secure Solution
In December 2006, De Sanno brought the rights management issue to the VA's CIO and the administration's Information Protection Group with projected costs and a timeline for improvement. The VA already owned Microsoft's Windows Server 2003 RMS and had been testing the product for the past two years. This information protection technology works with RMS-enabled applications to safeguard digital information from unauthorized use.

The organization approved the purchase of the infrastructure and ancillary products needed to make RMS work across all of the VA's computers and devices. For example, an add-on was required so that the department's more than 7,500 BlackBerry users could read RMS-protected e-mail on their handhelds.

The infrastructure requirements included continuity-of-operations failover to keep the service running if a server fails, 4.6 terabytes of storage area network (SAN) disk space for the databases, and hardware security modules to hold the server's private keys, the "keys to the kingdom." That description is apt: whoever holds the server licensor key can issue a use license for every document the deployment has ever protected, which is why it belongs in tamper-resistant hardware rather than on a server disk. Microsoft SQL Server 2005 database mirroring, rather than SAN-to-SAN replication, will keep the RMS databases synchronized.

De Sanno said the VA identified the required cost and issued an RFP to vendors. After the 2006 data breach, however, a prolonged time frame was not acceptable. Some production systems were already running RMS after two years of testing, so De Sanno said the VA expanded that approach and, beginning in January 2007, deployed the RMS client in a "quiet" mode, installed ahead of the servers so that employees could use it as soon as the infrastructure was up and running. Through this aggressive timeline, rollout to 250,000 desktops took only eight months.

"Ultimately we didn't want to wait for the infrastructure," De Sanno said. "Getting our hardware purchased took longer than the whole rollout."

The VA didn't have any specific challenges with the RMS deployment, said De Sanno. From a systems management point of view, he said it was straightforward. "With any IT product, it's imperative users are trained in the solution," De Sanno said. "We're providing education and awareness through factoid documents and a Web presence. Classes will begin later, but there is a significant awareness out there."


Transitioning After Deployment
With deployment of the RMS client to the VA's 250,000 desktops finished, De Sanno said the organization's next goals are bringing up the additional server hardware and the software that lets BlackBerry users read protected e-mail. The new servers are what make the rights checks possible: when a user opens a protected message, the RMS client contacts the licensing server, which validates the user's identity and rights against the policy attached to the content and, if they check out, issues a use license carrying the key needed to decrypt it. Until that license is issued the message stays encrypted and unreadable; the same servers certify users before they can publish protected content.
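The license exchange just described, and the "persistent" property claimed for it earlier in the article, is easier to see in code. The following is an added toy model written for this page; it is not Microsoft's RMS code or anything from the VA deployment. The names LicensingServer, publish() and consume() are invented, the sample memo and users are constructed, and an HMAC-SHA256 keystream cipher stands in for the AES content encryption RMS actually uses. What the model shows is that the content key never travels in the clear with the file, so a forwarded copy is useless to anyone the licensing server does not recognize, and that the rights in the use license, not possession of the file, decide what a recipient can do.

```python
# Added example, not code from the article, Microsoft or the VA: a toy model of
# the RMS publishing-license / use-license exchange. LicensingServer, publish()
# and consume() are invented names; the HMAC-SHA256 keystream cipher stands in
# for the AES content encryption RMS actually uses (an assumption for this demo).
import hashlib
import hmac
import json
import os

FULL_CONTROL = "full_control"   # the right that lets a user strip protection


def _xor_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR-style keystream derived with HMAC-SHA256 (stand-in for AES)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = _xor_keystream(key, nonce, plaintext)
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or tampered blob")
    return _xor_keystream(key, nonce, ct)


class LicensingServer:
    """Holds the server licensor key (at the VA: inside an HSM) and per-user keys."""

    def __init__(self):
        self._slc_key = os.urandom(32)
        self._rac_keys = {}   # user -> rights account certificate key

    def enroll(self, user: str) -> bytes:
        self._rac_keys[user] = os.urandom(32)
        return self._rac_keys[user]

    def issue_publishing_license(self, author: str, content_key: bytes, rights: dict) -> bytes:
        # The content key leaves the author's machine only wrapped under the server key,
        # so possession of the file alone never yields plaintext.
        pl = {"author": author, "content_key": content_key.hex(), "rights": rights}
        return seal(self._slc_key, json.dumps(pl).encode())

    def issue_use_license(self, user: str, publishing_license: bytes) -> bytes:
        pl = json.loads(unseal(self._slc_key, publishing_license))
        granted = [FULL_CONTROL] if user == pl["author"] else pl["rights"].get(user, [])
        if not granted or user not in self._rac_keys:
            raise PermissionError(f"{user} holds no rights to this content")
        ul = {"content_key": pl["content_key"], "rights": granted}
        return seal(self._rac_keys[user], json.dumps(ul).encode())


def publish(server: LicensingServer, author: str, plaintext: bytes, rights: dict) -> dict:
    """Author side: encrypt once under a fresh content key, attach the publishing license."""
    content_key = os.urandom(32)
    return {"license": server.issue_publishing_license(author, content_key, rights),
            "body": seal(content_key, plaintext)}


def consume(server: LicensingServer, user: str, rac_key: bytes, protected: dict, action: str) -> bytes:
    """Recipient side: fetch a use license, enforce the requested action, then decrypt."""
    ul = json.loads(unseal(rac_key, server.issue_use_license(user, protected["license"])))
    if action not in ul["rights"] and FULL_CONTROL not in ul["rights"]:
        raise PermissionError(f"{user} may not {action}")
    return unseal(bytes.fromhex(ul["content_key"]), protected["body"])


def demo() -> dict:
    """Constructed scenario: alice publishes, bob may view, carol may view and print."""
    server = LicensingServer()
    keys = {u: server.enroll(u) for u in ("alice", "bob", "carol", "dave")}
    memo = b"Constructed sample record, not real veteran data"
    doc = publish(server, "alice", memo, {"bob": ["view"], "carol": ["view", "print"]})

    def attempt(user: str, action: str) -> bool:
        try:
            return consume(server, user, keys[user], doc, action) == memo
        except PermissionError:
            return False

    return {
        "bob_view": attempt("bob", "view"),
        "bob_print": attempt("bob", "print"),
        "carol_print": attempt("carol", "print"),
        "dave_view": attempt("dave", "view"),          # forwarded blob is useless to dave
        "alice_remove": attempt("alice", "remove_protection"),
    }


if __name__ == "__main__":
    print(demo())
```

Running the script prints a dictionary in which only bob's view, carol's print and alice's removal of protection succeed; bob's print attempt and dave's view attempt are refused even though both hold the same encrypted bytes. In a real deployment the client, not the server, enforces the rights after decryption, which is the reason the enforcement is only as trustworthy as the RMS-enabled application doing it.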

To ensure a robust infrastructure, De Sanno said the VA selected primary and secondary locations in case one fails and updated its disaster-recovery strategy. Because the organization will come to depend on RMS, the technology must be deployed in the VA's regional processing centers. The VA is consolidating 170 data centers down to four regional centers; De Sanno said the smaller footprint gives employees and veterans a more secure environment and better protection against natural disasters.

With fewer data centers, De Sanno said the VA can invest in the infrastructure appropriately. The administration will serve applications better, having consultants concentrate on fewer mission-critical systems. This will let the organization rapidly roll out technology such as RMS.

"It allows us to integrate products very easily and seamlessly," De Sanno said. "With 170 disparate data centers and environments, we couldn't react as quickly as we need to."

Two of the regional processing centers are operational, and both are contracted out to the private sector. One on the West Coast is shared with a private-sector company that serves Fortune 100 companies. The East Coast processing center is shared with the New York Stock Exchange.


Justifying the Cost
The VA already owned Microsoft Windows RMS as part of its bundle with Microsoft Office and Microsoft Exchange Server. According to De Sanno, the question then became, "What does it cost not to deploy this product?" In these kinds of situations, the VA uses its previous investment but also determines what the private sector offers and ultimately makes a business decision.

"We'll always keep our ear to the ground to ensure the VA purchases and deploys best-of-breed technology that is most cost-effective to the taxpayers," De Sanno said. The $5 million price tag to implement and deploy the RMS solution is small, he said, in relation to the cost of stolen or leaked data. The cost of losing secure, sensitive data that veterans entrust to the VA comes with an expensive price tag, he said.

About 15 percent of VA employees currently use RMS, and the VA was bringing its servers online in early 2008. At the highest levels, the organization has already seen benefits: the technology ensures users send and transmit sensitive information only in line with business policy. De Sanno said the VA has set that policy at the enterprise level, which has already proved to be a big benefit.

"It's rewarding that we have recognized the value of Microsoft RMS and are applying it in rapid fashion to solve real-world problems in the VA," De Sanno said. "It's always nice to be first, but in IT it's not always a pleasant experience to be first. I can say with RMS, it has been so far."