5 steps and 3 tools to stop sensitive information from walking out the door
Editor's note: This story was updated at 6 p.m. June 20, 2006, to identify Ben Haidri as vice president of marketing at Absolute Software, not Stealth Signal.
It’s easy to look at a major loss of sensitive information, such as what happened at the Department of Veterans Affairs recently, and tell yourself that it couldn’t happen to you. But it can. Ensuring that your employees don’t lose information that could compromise your mission, your agency or your customers is extremely difficult. After all, your employees are human, and like people everywhere, they occasionally do something stupid.
And that is the problem. Although plenty of technology exists to protect data when it’s out of the office, doing something about the people handling the data is tough.
Fortunately, some technology makes it harder to lose information by accident, theft or stupidity.
“You can go out and buy a large number of tools, but the bottom line is human error,” said Jack Gold, president and principal analyst at J. Gold Associates, a Massachusetts-based information technology consulting firm. “You have to have penalties in place for people who screw up, but you have to have tools in place as well. If you don’t educate your user base, they’re going to screw up, not because they’re bad guys, but because they don’t know any better.”
That’s why an effective and thorough security policy that accounts for potential human errors is so important. Assuming that the IT department has control over computers, some products can encrypt information on hard disks, control access to external storage, track computers if they’re lost or stolen, and erase hard disks if the computers fall into the wrong hands.
Step 1: Set a policy
The first step to protecting your agency’s data from loss is to create an appropriate security policy. To do so, you need to ask some critical questions.
If your agency handles sensitive information — ranging from nuclear weapons designs to personal information protected by privacy requirements — your policy must limit access to that information to only those people who need it. You should deny access to everyone else with no exceptions. For those who do have access, you must determine under what circumstances they can have access. For example, is it absolutely necessary that they access protected information while outside the office?
If someone must access protected information outside the controlled environs of the office, what can you do to limit the damage if the data is lost or stolen? For example, does an employee need Social Security numbers if that person is only doing a statistical analysis? A good security policy will require proof of need before anyone can take information from the office.
Step 2: Protect your data
Assume that despite your best efforts someone makes a valid case for gaining access to information while outside the office. You need to ensure that you can protect the information in case that person loses it or a thief steals it. And given human nature, the measures must be mandatory. It’s even better if you can make those measures transparent in addition to mandatory. The requirement part is easy to handle; it’s the transparent part that’s a tougher nut to crack.
Administrators can set up nearly all available encryption products that protect mobile data to prevent users from evading security measures. They can ensure that all information remains encrypted and stop users from sending information to the outside world unprotected.
But not every computer or device is compatible with every available software product. That means you’ll need to check your resources — including laptop PCs, personal digital assistants and smart phones — to find a solution that works with all of them.
Alternatively, you may choose not to allow certain types of devices on your network, or you may restrict access to protected information. So you might need to explain to a Cabinet-level appointee why nuclear weapons designs are inappropriate files to store on an Apple Computer iPod.
Be aware that you can encrypt information in more than one way. One option is whole-disk encryption, which encrypts everything on a computer’s hard disk, including operating system files that don’t need encrypting. That simplifies implementation but makes intrusion while the machine is running more likely. Because a user would have already entered a password, IT support workers might be able to see restricted data. Targeted encryption, on the other hand, encrypts everything a user saves but not system files. Targeted encryption solves the tech support problem because you don’t need to give the encryption password to those folks.
Mobile Armor’s DataArmor, for example, encrypts the entire disk for Windows and Red Hat Linux machines. DataArmor also supports Windows and Palm PDAs and smart phones. On the other hand, Credant Technologies’ Mobile Guardian Shield encrypts all data that security administrators define but does not need to encrypt system files. This product has a number of other features, too, including authentication and policy enforcement. Stealth Signal’s XTool also encrypt data you choose and provides a tracking service.
Note that you can set up those packages so that they will encrypt any data that goes to any device, such as an external hard disk, USB device or CD-ROM. Mobile Guardian can also disable access to such items when they’re attached to a mass storage device but allow it when the USB device is a keyboard or mouse, for example.
Step 3: Find your data
It’s not always enough to know that whoever walked off with your laptop PC when you went through the airport security line will have a tough time reading it. Sometimes you must find the device and recover it. Admittedly, the primary value of a lost or stolen laptop or other device is the data, but there are other good reasons to be able to locate the hardware. The primary reason is to determine who has it.
“Theft is 80 percent internal,” said Ben Haidri, vice president of marketing at Absolute Software. He said people occasionally lie and report that someone stole their laptop when no one did. Other workers take a colleague’s machine if it’s not physically secured. Knowing who took the machine means you can rid your agency of an untrustworthy employee.
One simple solution for those concerns is tracking software that will report its whereabouts when the computer connects to the Internet. That usually works well for internal theft but is not necessarily reliable when a computer is stolen for quick cash.
“A myth is that a thief will connect to the Internet right away,” said Victoria Correa, marketing director at Stealth Signal. “They don’t.” Correa said a typical thief will try to sell within 30 minutes.
Correa said the tracking software usually reports in when the buyer of the stolen equipment turns the computer on for the first time. That will lead to recovery of the computer and frequently to the identity of the buyer and thief. But in the case of insiders who just want a free computer, it’ll lead investigators right to them.
Step 4: Wipe your data
Again, although recovering a stolen computer is preferable, the data is usually the most important issue. Some products can be programmed to remove everything on the machine’s hard disk when lost or stolen. Absolute Software, Stealth Signal and Credant all provide a means of clearing data from machines. Absolute Software’s product even lets you remotely update computers that spend a lot of time outside the office.
Step 5: Set up remote access
One way to minimize the chance of losing critical and protected data is to not let it out of the building. If employees need to access something, you can require that they do so remotely. There are two ways of accomplishing this. The most effective is to require that employees use a Citrix Systems client or Microsoft Terminal Server’s remote client, which basically turns their laptop computers into thin clients. For this method to be fully effective, however, your IT staff members must ensure that users can’t save data retrieved this way to other storage devices, whether internal or external, without encryption.
The other way is to establish a virtual private network that uses an encrypted tunnel back to the enterprise. For this to be safe, you still need to protect against unauthorized storage.
In addition, you’ll need to ensure that the remote client meets your policy for antivirus, anti-spyware, and firewall software, and you must check for compliance each time. Symantec and Check Point Software Technologies make software that secures a VPN’s remote end.
We looked at three examples of software that will take care of most of your organization’s needs for protecting mobile computing assets. All three are different, and you might choose to use more than one solution to protect yourself completely.
Computrace: Keeping track of mobile computers
Absolute Software’s Computrace software primarily tracks the location of your mobile computer and reports its whereabouts if someone steals it. You can also use this product to help plan upgrades and report software installation or removal. Computrace can perform remote data deletion, track data changes, manage updates and perform other security functions. Installation was easy and fast, and the product’s administration was simple to use.
Although Computrace will provide you with real-time asset information, other information about devices such as attached printers and monitors requires that the Customer Center software compile a report. It sends you an e-mail message to let you know when the report is ready. You cannot simply go online and see the location of an asset as you can with XTool. If a machine goes missing, you must report it before Absolute Software will work with law enforcement authorities to retrieve it.
A three-year subscription to ComputraceComplete costs $128.95.
XTool: Finder of lost, stolen computers
Stealth Signal’s XTool is also primarily designed to let you locate a lost or stolen laptop. It’s easy to install and use. You can check the location of an asset at any time with the Web-based Control Center.
XTool determines the computer’s location via its IP address and uses that information to identify the registered location of the owner of that address. But that information doesn’t necessarily reveal the computer’s location.
For example, when we installed XTool on a machine in Federal Computer Week’s Northern Virginia lab, XTool correctly identified the IP address as belonging to Cox Communications because we used a cable modem from that company to reach the Internet. However, it listed the location as the Cox headquarters in Atlanta. When queried, Stealth Signal officials refined the location to the IP address pool allocated to Northern Virginia.
Company officials said that if the machine had been stolen, the company would have been able to subpoena the address from the cable company to recover the machine.
The XTool Data Protector can encrypt your hard disk and back up the data on the disk. XTool ranges in cost from $49 per device for one to nine devices for a year to $20.25 per year per device for 10,000 devices or more with a four-year commitment.
Mobile Guardian: Effective, easy-to-install encryption
Credant’s Mobile Guardian consists of four functional products. Although the software is primarily an encryption solution, it also controls access to USB and other external interfaces. You can set it so that only a person with specific privileges can create a CD-ROM, for example. Likewise, it can handle authentication, access control and policy enforcement. Part of this solution runs on your remote access device that checks for policy compliance, and it can perform intelligent device detection.
A server handles policy administration and integration with existing security services. In addition, Credant2Go encrypts data for use on portable devices, including PDAs, smart phones and cellular phones. This product can also encrypt e-mail messages for delivery to specific users, even if the recipient is not a Credant user.
We found Mobile Guardian to be one of the most effective, easiest-to-administer choices available, and in recent months, it’s become even more effective. But it doesn’t do everything. If you need to trace a lost computer, you’ll have to add another product to the mix.
Mobile Guardian costs from $46.37 per device for one to 249 devices to $8.44 per device for 50,000 devices or more.
Your choice of product will depend on your organization’s specific needs, but mandating its use will perform two functions. The first is to discourage insider theft. Once you tell your employees that you’re using such products, chances are they’ll think twice about stealing them because they know they’ll be caught.
The second function is to prevent anyone from using the information stored on the machines. Although it’s nice to get your computers back, that’s secondary to ensuring that no one can use the data on them.
Rash is a Washington, D.C.-based freelance journalist who has been covering technology since the late 1970s. He can be reached at firstname.lastname@example.org .