With the continued growth of mobile computing and of data security laws, every day companies are investing more an more time and dollars into security systems.  Unfortunately, a common failing of these laptop security measures is the fact that they are heavily reliant on the diligent action of laptop-using employees to remain effective.  Thus, even after this investment of time and money – a security breach occurs because of the weakest link – the person behind the keyboard.

Employees Can’t Be Relied on to Enforce Security

Most organizations promote polices for the safe use of mobile computing devices and for accessing sensitive files.  However, just thinking about yourself:

• Have you ever shared a password with another employee
• Have you ever heard about another employee sharing passwords and not reported that?
• Have you ever turned off an anti-virus, anti-spyware or encryption program?
• Have you ever copied confidential data from it’s home (mainframe, shared network drive) to your PC for convenience?

Regardless of policies, the reality is that busy salespeople, unknowing marketers and harried administrative staff will ignore or avoid policy and load sensitive information onto portable computers. With more than 600,000 laptops lost or stolen each year from U.S. airports alone, companies relying on organizational policy to protect sensitive data will continue to fuel data breach media headlines.

Value of Remote Administration for Encryption

Traditionally, organizations have used corporate firewalls and other intrusion detection systems to protect corporate networks from potentially compromised endpoints.  However, in today’s laptop-dominated environment, endpoint security strategies place the responsibility for security on the device itself and not on the employees.  This next generation of security strategy is already common in the form of anti-spam filters, desktop level firewalls and anti-virus software programs.

For best protection using encryption , there should be no local administration available for the end-user.  This is one of the benefits of Alertsec Xpress, as it  is designed to support an enforced security implementation where the user will not be able to disable the security without proper authority. Recognizing that organizations cannot rely on end-users to consistently follow IT policy or diligently apply security software, Alertsec Xpress eliminates the requirement for end-user involvement to be effective.

The U.S. Government Accountability Office (GAO) has released another information security report which indicates that while federal agencies continue to make progress with information security policies and practices, there is still the need to “mitigate persistent weaknesses.”  The report says that for the fiscal year 2008, almost all 24 major federal agencies had weaknesses in information security controls.

The GAO’s auditors said a recent audit that examined how well agencies were protecting information and complying with the Federal Information Security Management Act (FISMA) found significant problems. “These persistent weaknesses expose sensitive data to significant risk, as illustrated by recent incidents at various agencies,” GAO said. “Further, our work and reviews by inspectors general note significant information security control deficiencies that place a broad array of federal operations and assets at risk.”

While these security issues ranged the spectrum, many focused on the issue of securing confidential data.  An analysis of the reports reveals that 48 percent of information security control weaknesses pertained to access controls. For example, agencies did not consistently establish sufficient boundary protection mechanisms; identify and authenticate users to prevent unauthorized access; enforce the principle of least privilege to ensure that authorized access was necessary and appropriate; apply encryption to protect sensitive data on networks and portable devices.

• The Securities and Exchange Commission had 23 new weaknesses in controls intended to restrict access to data and systems.  “For example, it had not always (1) consistently enforced strong controls for identifying and authenticating users, (2) sufficiently restricted user access to systems, (3) encrypted network services, (4) audited and monitored security-relevant events for its databases, and (5) physically protected its computer resources.
• While the Los Alamos National Laboratory—a weapons laboratory—implemented measures to enhance the information security of its unclassified network, vulnerabilities continued to exist in several critical areas, including encrypting sensitive information.

In response to this report, Vivek Kundra, President Obama’s newly appointed federal chief information officer, said that OMB was working to clarify FISMA reporting guidance and improve performance metrics. He also said OMB was planning to move FISMA reporting to an Internet-enabled database for fiscal 2009 reporting.  The hope here is that the transparent and public reporting of issues will, as has occurred in the private sector, encourage an increased focus on security.

The report highlighted several opportunities including the SmartBUY program. This program, led by the General Services Administration, is to support enterprise-level software management through the aggregate buying of commercial software governmentwide. The SmartBUY initiative was expanded to include commercial off-the-shelf encryption software and to permit all federal agencies to participate in the program.

The tools are all there – maybe someday all the confidential data will actually be encrypted.