Deadline For Agencies To Secure Remote Data Comes -- And Goes

The deadline for agencies to properly secure remote data according to a mandate from the Office of Management and Budget has come and gone, but recent events indicate there's plenty of work to be done before systems are actually locked down. For solution providers who see beyond the technology to also implement policy safeguards, the upcoming months could prove lucrative.

Aug. 7 marked the day that federal agencies were mandated to implement a security checklist to protect remote information. They were also recommended to encrypt all sensitive data on mobile devices, allow remote access only with two-factor authentication, use a time-out function for remote access and mobile devices that would require user reauthentication after 30 minutes inactivity, and log all computer-readable sensitive extracts from databases and verify each extract has been erased within 90 days.

The OMB has not released a report tracking how agencies are doing meeting this mandate, but perhaps telling is the fact that five days before the deadline, another security breach at the Veterans Administration occured -- this time, a desktop from Unisys that contained the personal data on approximately 18,000 veterans went missing.

So what's lacking?

"The technology needs to go beyond protection of remote access of systems to policy," says Andrew Krcik, vice president of marketing for Palo Alto, Calif.-based PGP.

Many agencies have locked down database servers and the like through the use of security products that essentially stand guard and authenticate those attempting access. What fewer agencies have implemented, however, are measures to protect information once it's already extracted.

At the first level, that means safeguarding access. More and more agencies are implementing biometrics for that reason, though the solutions don't always go adequately beyond user identification.

"[The solution] has to include measures to ensure users are only accessing information that's necessary, and the ability to react to [unusual activity]," says Chip Mesec, senior product marketing manager at Digital Persona. Digital Persona's fingerprint solutions provide agencies with the ability to replace passwords, tokens and smart cards, but also allow IT departments to create audit trails that are unique to individuals and shut down a user's access with a single action.

Even with secure access controls, agencies still should consider the security of data that resides on the remote devices. PGP's Whole Disk Encryption offering locks down the entire contents of a mobile device by encrypting all files, requiring boot-time authentication and providing centralized management using a Web browser administrative interface.

"Even if someone gets a hold of a machine, files can't be [retrieved] -- from what's saved on the [hard drive], to e-mails, attachments and instant messages," Krcik says.

For the channel, penetrating agencies with such offerings requires ensuring they understand where the full scope of vulnerabilities reside, and tackling every layer of exposure to round out the incomplete, piecemeal solutions currently in place, Krcik says. And at the risk of profiting from uncertainty, recent incidents could make for a far easier sell as agencies scramble to either avoid or counter the fallout of a breach. In the case of the VA, specifically, Reston, Va.-based research firm Input expects a big bump in contracting activity in the area of networking and operations as the department attempts to spend nearly $200 million in remaining end-of-year IT dollars.