VA gives thumbs down to thumb drives

After a series of incidents over the past several months involving missing data, federal agencies are writing policies that restrict the use of mobile storage devices such as thumb drives. At the forefront of that trend is the Department of Veterans Affairs, which lost data on 26.5 million current and retired veterans last year when one of the department’s computers was stolen from an employee’s home. A number of agencies say they are abandoning a culture in which almost everyone could take information out of the office on a mobile device and are creating a new culture in which people must justify taking any data off the network, where it is relatively secure.The VA plans to institute a policy, beginning in April, that will require employees to use only approved thumb drives that hold no more than 2G of data and meet the National Institute of Standards and Technology’s Federal Information Processing Standard 140-2 for encrypting data.“This effort is to drive down the use of thumb drives,” said Bob Howard, the VA’s chief information officer. “This will help us eliminate future problems by shutting down an easy way to take data out of the office.” Policies such as the one the VA is creating line up with the Office of Management and Budget’s policy, which requires agencies to secure their data. OMB’s policy memo on data security requires agencies to encrypt all data on mobile devices such as thumb drives.“We are working to come up with a solution of our own,” said Dennis Heretick, the Justice Department’s chief information security officer. “We have a policy that says data on mobile devices must be encrypted, but now we have to implement it.”Heretick said the department is implementing the policy by letting bureaus purchase only mobile devices with built-in encryption.Nate Cote, vice president of product management for Kanguru Solutions, said several federal agencies have bought or are evaluating the company’s FIPS 140-2 encrypted thumb drives. “This year agencies are more likely to allocate dollars to buy this type of secure device,” Cote said. OMB issued its memo after many agencies had spent their 2006 funds, he added.At the VA, only the CIO’s office will be allowed to buy and distribute thumb drives, Howard said.  “We don’t need 200,000 employees with them,” he said. “They must demonstrate a need for the devices before we will issue them.”Howard said the VA is taking other steps to reduce the risk of data loss. For example, it is creating a standard configuration for the smart phones and personal digital assistants that its employees use. It plans to eliminate all unencrypted data traffic on the VA’s network and reduce the number of virtual private networks that connect to VA networks. Cote said agencies also can install software that uses device identification numbers to prevent employees from putting thumb drives on the network. Cote said Kanguru’s thumb drives have 256-bit Advanced Encryption Standard encryption and strong user name and password protection. The thumb drives wipe themselves clean after seven incorrect password attempts, he said.Alan Paller, director of the SANS Institute, said having technology that enforces policy is a necessary ingredient of any information security program.“If they don’t have the technology, then they might as well not have the policy,” Paller said. “You have to block or monitor what employees put on these devices.”And information security trumps the need for convenience, Paller said.“Agencies have to make it a high price for people to use them, such as sending a record to the security officer of what they downloaded.”