Encryption Challenges for Government

By Stacey McDaniel

It has been two years since a Veterans Administration laptop was stolen in a widely publicized case that prompted new endpoint encryption guidelines. In spite of the guidelines and public pressure to improve security, a February 2008 report by the Government Accountability Office (GAO) found that some agencies are still not properly encrypting remote and mobile devices. With sensitive and confidential information constantly passing through agencies to employees, remote workers, contractors and others, neglecting endpoint security opens up an agency’s data to unauthorized -- and unnecessary -- exposure.

Vulnerable endpoints
When people consider endpoints, they usually think about desktops and laptops, but those are not the only endpoints that can pose a data security threat. All internal, remote, and mobile desktops and laptops, as well as PDAs and embedded devices such as flash drives, are vulnerable. All it takes is one device lacking the proper encryption to create a system-wide weakness.

Applying encryption to each endpoint is the best way to protect data from exposure. Theft or loss of a computer or other data-storage medium made up 46 percent of all data breaches during the period of January 1 to June 30, 2007, according to new research. The bottom line: An unencrypted device falling into the wrong hands can spell big trouble for a government organization.

Admittedly, managing encryption for each endpoint device inside an entire agency is a complex and daunting task. Here are some of the challenges an agency’s IT staff needs to factor in when considering an endpoint encryption solution:

• A solution must work in accordance with current security policies and regulations (such as FISMA) directed at the agency.

• An agency’s IT environment is often heterogenous, with a wide variety of endpoints running an array of systems, from Windows to UNIX to Linux and more.

• The amount of information generated by government agencies continues to increase, and it is stored on a growing number of endpoint devices that need to be managed.

• With headquarters in one location and remote offices and contractors in other places, many agencies operate in a decentralized environment, making it hard to enforce security measures and policies.

Despite the challenges, some agencies have successfully encrypted endpoints. The Veterans Administration was one of the first agencies to apply full-disk encryption to tens of thousands of laptops and other mobile devices. The Federal Trade Commission encrypted hundreds of laptops and has also fulfilled requirements for two-factor authentication for remote access, as well as a time-out function for mobile devices.

Conclusion
For government agencies, the protection of data has become more challenging then ever, especially as valuable data travels freely across various environments and is stored on an ever-growing array of endpoint devices, including PCs, laptops and removable storage devices. Well-publicized cases of stolen government laptops have prompted new endpoint encryption guidelines. Government CIOs should look for a scalable, agency-wide security solution that prevents unauthorized access to endpoints by using strong access control and powerful encryption. With proper endpoint security, agencies can mitigate the increasing risk of potential data loss.

Stacey McDaniel has been writing about high-tech issues for more than six years.