Data security: Why the usual solutions fall short
The public seems amazed by the type and amount of sensitive information that is available to people who should not have access to it, but security professionals are not, writes security consultant Shon Harris.
Shon Harris is a security consultant, founder of Logical Security and a former engineer at the Air Force’s information warfare unit.
With the current buzz around the WikiLeaks disclosures, the U.S. public seems amazed by the type and amount of sensitive information that is available to people who should not have access to it. Security professionals are not.
Traditional data security technologies are running to catch up with the explosion in data dissemination methods. Although data might be secured within a database, people need to use it to carry out operational tasks, which usually means putting the data into Word, Excel, presentation software, e-mail or some other format.
The data can be saved to a thumb drive, DVD, personal laptop or less secure workstation. Or it can be sent to a user’s home computer, disseminated via e-mail to a distribution list or printed. The original database security then becomes useless as that data is passed around in insecure formats via controlled and uncontrolled networks.
Most agencies have policies and standards that outline how sensitive data should be protected, but they are usually ignored and hardly ever enforced. But agencies' systems have passed security audits and met their compliance requirements, you might say, so aren’t they secure? Not even close.
In many cases, an agency can pass a Federal Information Security Management Act audit if it has people who can write great security policies and documentation. But that has no real bearing on what type of security controls are in place. Every agency has a firewall, but the real question is whether it is configured properly for that specific environment and the threats that agency faces. And that takes testing, not policy checklists.
Instead of releasing funds to agencies that simply pass audits and compliance tests, the Office of Management and Budget should evaluate statistics on incidents and successful compromises. If an agency experiences an unacceptable amount of system or personnel compromises, it should fail its security audit, regardless of the other factors. OMB funding should be based on actual security, not just policy compliance.
Another challenge that government agencies face is identifying and retaining employees who have the necessary level of security knowledge and skills. The lack of trained security professionals is a huge gap in our national defense, which is why it is a line item in the Cybersecurity Act of 2010.
To work as a security professional in government, you need a clearance, which is expensive and time-consuming. And people can make much more money in the private sector. Rather than just issuing training mandates to agencies, the government should provide the necessary funding to hire and retain skilled employees.
Security professionals are not surprised by the WikiLeaks issues that the U.S. government is facing because the same type of information is leaked constantly, just not in the same headline-making way. Criminals and countries steal military and government secrets all the time. But they don’t want their activities known, so they work hard to stay under the radar.
WikiLeaks shines a bright light on the technological, policy, awareness, education and enforcement issues that must be properly dealt with if the nation is serious about protecting its classified information.
NEXT STORY: 3 federal IT security predictions for 2011