Government is entrusted with the responsibility to shelter and safeguard a myriad of sensitive private and public information. Yet lately, it’s not difficult to find recurring examples of sensitive information that goes missing or lands “in a taxi cab” only to compromise the privacy of individuals, government operations and even national security.
Data loss by governments is not a new phenomenon. Information records have found their way into the wrong hands by espionage, theft, accident, incompetence or ignorance since the dawn of the written word. However, the sheer volume of data loss that can now happen, combined with the readily available computing power, necessitates a re-think of how we protect our information.
In 1985, walking out of a government building with 500,000 pages of files would have been conspicuous. The printed data would have equated to 2000 pounds and the storage array at that time would have been the size of a Volkswagen. The commissionaire would probably have asked questions. And even if 500,000 pages did walk out of the building, it would have taken an army of analysts years to make sense of it.
Today, I suspect that same volume of data would fit comfortably on a portable USB hard drive or memory stick and could be carried out the door inside a coat pocket or even a wallet. Using handheld computing devices, a single person could collate, search and correlate the data into meaningful information in a matter of minutes, resulting in anything from identity theft to terrorist attacks.
The USB issue is certainly the hot-button topic of late. Some experts I interviewed, who did not seem terribly adventurous or enthusiastic, actually suggested using a glue gun. Sealing the unused USB ports would be a simple solution. There’s a “Red Green Show” award waiting for them at Possum Lodge right now.
All that to say, the explosive growth of portable media devices with increasing capacity and a decreasing size continues to lower the barrier to porting large volumes of data from one place to another. And that was always the intention of the technology. The unintended consequence is that our data is now exposed to new threats, both deliberate and inadvertent.
So, what do we do? The answer is easy – go back to first principles. It all boils down to three things: people, data, and the interactions between the two. And of these three things, trusting our people is where it all starts.
First, we need to have measures in place that assure trust in our people from both a loyalty/criminal perspective and a functional reliability perspective. Security clearances really only address the loyalty/criminal part. Where we fail is usually in the functional reliability part. That’s where we need to have processes and tools to help shore up the functional reliability of our people.
It’s like this. I trust my kids. I have full confidence that they are loyal to the household and not likely to be coerced into becoming criminals. That said, I know they are not reliable at locking the back door when they leave the house. So, I implemented processes and tools (i.e., technology) to ensure that the door remains locked when they leave (and no, I didn’t glue the door shut).
When we look at the data on its own, security is simple: lock it up in a vault and don’t let anyone use it – ever! That’s the perfect example of what IT folks call “data at rest.” Not very functional but at least it’s secure. To make it functional, we need to allow access to the data and as a result, put the data in motion and use it. When data is in motion or being used by someone, it’s at risk.
We need the technology to enable our business functions while at the same time help our people protect and secure our information assets without getting in their way. And do it in a cost-effective manner, commensurate with the risks and threats. Simply put, we need to protect data when it is at rest, enable the safe transport of data (when it’s in motion), enable people to securely manipulate the data (data in use), and make sure nobody makes off with a copy if they don’t have permission (i.e., know all the people who have the data at any one time, and why).
Not surprisingly, there are some key technology strategies in the IT industry to address these challenges. Of particular interest is the return to server-centric solutions using Thin-Client desktops networked to on-demand virtual PCs, with access controlled by two-factor authentication systems. Say good-bye to the USB threat.
Until then, stay away from the glue gun.