Can encryption and standardization of practices be a solution for safeguarding mobile assets?
Mobile devices, particularly laptops, have made life easier for the millions of Americans who telecommute or travel frequently. The technology delivers easy access to information and services from almost anywhere, but does that access come with a steep price tag?
A laptop is stolen every 53 seconds, and 97 percent of them are never recovered -- striking figures from the FBI's 2003 study of laptop theft, the most recent to examine the problem.
Recent events underscore what's at stake when mobile devices containing vital information are lost or stolen. These incidents can cost organizations millions of dollars to purchase credit monitoring services for affected customers. They also generate a mountain of bad publicity, which can raise doubts about an organization's credibility.
With the rash of missing laptops in the government arena -- including the Department of Veterans Affairs, the IRS, the U.S. Department of Transportation and Minnesota's State Auditor -- agencies are strengthening policies and procedures to protect mobile devices.
Federal legislation -- including the Sarbanes-Oxley Act, the Health Insurance Portability and Accountability Act and the Gramm-Leach-Bliley Act -- already regulates how personal information held by health-care and financial institutions is accessed, protected and disclosed.
More recently California followed suit by passing SB 1386, which requires public and private organizations to notify affected individuals when their unencrypted personal information has been, or is reasonably believed to have been, acquired by an unauthorized person. Data that was encrypted is exempt from the notice requirement, which is one reason encryption of mobile devices has become a focus.
Kevin Dickey, chief information security officer (CISO) of Contra Costa County, Calif., described some of the laws as knee-jerk decisions, including California's SB 1386, which covers private industry and state agencies, but exempts local governments. Localities were omitted from the California law because the state didn't want to be financially responsible for funding local governments to comply with the regulations, Dickey said.
The difficulty agencies face in securing mobile devices doesn't lie solely with lengthy legislative processes and funding issues; it is compounded by rapid technological change.
"Technology has generated faster than the security has kept up with it," Dickey said, adding that security is always chasing technology. In addition, he said technology manufacturers usually think about marketability and user-friendliness as opposed to security.
Because accessibility is heavily promoted in our society, it has become second nature for many individuals to use mobile devices -- and they don't want barriers. "Most people look at security controls, authentication and access controls to be an inconvenience," Dickey said.
Another security issue surrounding technology is that government workers tend to have a lackadaisical mindset regarding government assets. "You wouldn't leave your keys to your car in your car," Dickey said, "but a lot of people just leave their computers turned on and walk away from their desks."
Changing this mindset calls for establishing policies and procedures on acceptable use of government assets.
Contra Costa County established such policies and procedures, according to Dickey. In addition, the county standardized on anti-malware software to protect against worms, Trojans and other malicious code.
Although his county is taking these steps, Dickey said, there aren't consistent security standards across government. "For instance, one county might be looking at it completely with a different set of eyes," he said. "But from a best practices standpoint, they should all be looking at it through at least the same kind of vision."
The problem isn't only at the local government level. States face the same dilemma when securing mobile assets.
"There's certainly stuff being done, but right now every agency is basically taking care of stuff at its own discretion," said Chris Buse, CISO of Minnesota. "We can't really give you an answer that says this is happening consistently across all state government."
However, shouldn't government entities more aggressively ensure the security of their data?
After sustaining laptop and data thefts in several of its agencies, Minnesota created its first CISO position. Buse, who started mid-June, is charged with tackling the state's security issues, and advocates for state agencies looking to gain security funding from the Legislature.
He already has issued a security policy that addresses acceptable use of mobile assets, such as laptops, MP3 players and PDAs.
"Our strategy is really straightforward, at least the minimum baseline that we're coming out with," he said. "I think the first cut we're taking on this is that data classified as not-public data should really remain on state agency networks."
However, in today's world -- where instant access is demanded by mobile workers who spend large chunks of their days in the field -- Buse recognizes that potentially sensitive data will be stored on mobile devices. And one of his solutions lies with encryption.
"If you absolutely have to have not-public data on these devices, then that data has to be encrypted," he said. "That's the key thing we're going to mandate in our environment, and that the devices themselves will be secured with a strong password."
Many government agencies already use encryption to secure their mobile assets, and hope these methods become widely standardized. Buse sees this as a goal for Minnesota and is concurrently working on efforts such as full-disk encryption of laptops, which protects everything on the drive rather than relying on users to encrypt individual files.
Encryption is a step in the right direction, but it's not foolproof, said John Livingston, CEO of Absolute Software, a Canadian company that specializes in the recovery of mobile assets.
"We want to encourage companies and government organizations to be proactive -- to install the two key elements for mobile security," he said. "One is encryption ... but to complement that, I believe you want to activate an embedded tracking module so you can keep track of the unit."
Absolute Software's embedded technology -- Computrace Complete and Computrace Lojack -- allows subscribers to track mobile assets, pinpoint their locations and identify who is using them. "If you're a large governmental agency and you're trying to keep track of 10,000 laptops, it's not easy," said Livingston. "With our embedded tracking technology, we're able to get a read on that notebook automatically every single time it hits the Internet."
Because the technology is built into the basic input/output system (BIOS) of most laptops manufactured by Dell, Hewlett-Packard, Lenovo and Fujitsu, government agencies do not have to install it themselves -- they can purchase the software packages and have the technology activated at the factory.
If retrieving a missing laptop proves impossible, data deletion may be a solution, Livingston explained. "If the laptop calls in from -- God forbid -- a place like Iran or China or some foreign country that we don't have a recovery relationship with, we can assure customers and partners that we can remove any sensitive data that's on that hard drive."
Data deletion is done with the permission of the customer, following a Department of Defense overwrite standard in which patterns of ones and zeros are written over the hard drive six times to obliterate any information on the device. For now, Absolute Software can only locate mobile assets that connect to the Internet, and the technology is limited to computers. However, the company plans to improve its software as time and technology progress to locate smart phones and pocket PCs, whether or not they have made an Internet connection.
Government entities in states such as Minnesota and California are defining baseline policies and procedures at an enterprise level. They say a centralized approach enables agencies to meet security goals and maximize their security spending.
Once baseline policies, procedures and encryption methods are standardized at all government levels, then perhaps governments can rest assured knowing they did everything possible to secure their data. Until then, Buse said incidents will continue to occur, but he can confidently say the data was encrypted using the Advanced Encryption Standard (AES), and there's no way to retrieve it.