The automatic reaction to the Department of Veteran's Affairs' (VA) laptop theft is to ban telecommuting altogether. Why let employees use laptops on the road or work from home and risk their machines being compromised and sensitive company data getting lost? Why risk bad publicity, or damaging and costly litigation? While seemingly the ideal solution, for most companies and their road warriors, it simply isn't an option. There are ways that telecommuting and working remotely, even with highly confidential customer information, can be done reasonably safely and securely. Let's examine what went wrong in the VA situation, and review some dos and don'ts for telecommuting.
The VA data theft
The VA data theft was largely due to lack of common sense. Unfortunately, when it comes to securing data, common sense often loses out in many companies. Additionally, the employee whose equipment was stolen violated every rule of information security hygiene, but that's beside the point. The data was still lost, policies were either non-existent or ignored, and there probably weren't any best practices.
First, the VA employee took home a lot of sensitive data -- about 26.5 million users' worth -- on a personal laptop and an external hard drive, which means the data was in a format that could be easily taken right out the door. And, there probably wasn't a procedure for signing out electronic data, as there might be, say, for a file from a file room. Whoever was responsible for data at the VA, didn't properly delegate a custodian to manage and account for it. And if there was such a procedure, the employee ignored it.
Next, the data wasn't encrypted. It was in clear text, easily read by anyone who possessed -- or stole -- it.
The following are the three big rules for handling customer data that the VA violated:
1. Have policies and procedures for accounting for any electronic media holding data. Data owners should delegate handling of their data to a custodian in charge of controlling access, keeping logs and records of all employees who use the data with time stamps of when they're accessing it. The custodian needs to ensure that all data taken outside a facility is checked out, signed out and accounted for. Policies for non-compliance should be clear and strict with disciplinary action, including termination, in serious cases.
2. Encrypt any sensitive data, like customer information, that is taken off the premises on any type of storage device or media.
3. Never store sensitive data on laptops. If there's an unavoidable business reason for transporting sensitive data on a laptop, it should be hardened and secured, and have an encryption tool like SafeBoot.
It might seem that the best approach for telecommuters with sensitive data is to protect their laptops or remote desktops, but the best practice is in fact the opposite. Keep the data off the laptop, in the data center, hermetically sealed and safely behind your corporate firewalls. Allow remote access, but only by VPN, and always keep the data from being stored on the client. Here are the steps to do just that:
- Keep all customer and sensitive data on hardened database servers inside your firewall. Leave nothing in DMZs or other areas exposed directly to the Internet. Prohibit the downloading of data to portable devices or the sending of it outside the company as an email attachment. In addition to written policies, technical controls that block USB ports, for example, can be set up. Besides physically carrying data out the door, it can also be sent through firewall "doors" attached to email, or posted on malicious Web sites.
- Break customer data into chunks that an employee might need for a specific assignment for a set time period, like a day or a week. For example, instead of millions of records, maybe an employee only needs to work with five or ten thousand records at a time, maybe even a lot less than that. Move those chunks of data to dedicated servers with limited access set aside especially for temporarily housing data only needed for assignments. Log and timestamp all access to this data.
- Create temporary special groups for accessing that data and only add employees on an as-needed basis. When they're through with the assignment, or move to a different area, remove them from the group, and revoke their user ID and passwords, or other access. Strictly control who is in these access groups. Only current employees with specific business needs should have membership. Regularly audit and review these groups.
- Only allow VPN access to the servers hosting the data. VPNs by definition encrypt any traffic from the remote client to the corporate network. If not by VPN, transmission of sensitive data should always be encrypted and, if possible, by point-to-point transmissions with dedicated lines.
- Use network access control (NAC) systems to check clients and laptops to make sure they are hardened, secure and comply with your information security policies. NACs can check to make sure clients are patched, up-to-date and have protection like antivirus software installed.
- Make sure that all data is removed from, and not stored on, any remote client once the employee finishes working with it.
These simple steps are mostly common sense. By using your existing network resources, you can keep your business humming and your telecommuters working while safeguarding your data.
About the author
Joel Dubin, CISSP, is an independent computer security consultant in Chicago. He is a Microsoft MVP in security, specializing in Web and application security, and is the author of The Little Black Book of Computer Security available from Amazon.