LA County Locks Down Removable Storage

Security breaches happen all of the time. They're so common now that maybe more business executives are beginning to ignore the headlines. That'd be a mistake. While the headlines may read the same, the way security breaches are occurring is beginning to change in a big way. It is no longer only about hackers cracking databases loaded with bank account data. Thanks to the ubiquitous availability of new types of storage today, writeable disc drives, MP3 players, and USB thumb drives can be lost and pose a serious security risk.

In fact, these incidents are growing increasingly common. Consider a recent breach in the U.K., where The British Department for Work and Pensions had to call for the emergency shutdown of a government computer system because a USB drive was found in the parking lot of a pub. The drive happened to contain the passwords of about 12 million residents for a government Website that helped residents manage everything from parking tickets to taxes.

As that incident shows, if proper precautions aren't put in place, data stored on the corporate network could end up transferred to a CD, sent through email unencrypted, or end up in a bar parking lot to be found by anyone.

Robert Pittman, Los Angeles Countys chief information security officer, is well aware of these risks, and has been working to make sure the county's data is secure -- whether at rest or in motion. L.A. County is in the midst of a three-phase attempt to lock down sensitive data throughout its 38 departments, which operate in more than 70 separate geographic locations.

L.A. County's security challenges match those of many corporations. Each department -- whether it be the Department of Social Services, prosecutor and public defender offices, Animal Welfare, or the Department of Mental Health -- has its own set of unique security demands. Some departments don't handle sensitive data, unlike those that manage legal or patient health records. And as laws surrounding regulatory compliance grow more complex, and the number of publicly disclosed breaches through lost notebook computers and USB-drives escalates, the county decided it would pursue a long-term strategy to effectively lock down all of its sensitive data.The first wave of these efforts got underway about a year ago, when the county encrypted the information on roughly 11,000 of its workers' laptops, across all departments. Once that phase was completed, Pittman and his team turned their sights to making certain that the removable storage devices used by those systems, as well as certain desktops, were also locked down.

"We started that initiative with the Department of Mental Health, because it is regulated by HIPAA," explains Pittman. Part of the Health Information Portability and Accountability Act requires organizations to keep patient health information private and secure. "The workers in the Department of Mental Health handle a lot of patient information in the field, so when they copy information to a CD, or a thumb drive, it must be encrypted," he says. "Not only does the information have to be encrypted, but we have to be able to demonstrate that it's encrypted."

For those capabilities, the county deployed three security applications from security software maker Safend called Auditor, Protector, and Reporter. Each of the applications, explains Pittman, work together to ensure that the security of removable storage devices is enforced. For instance, Safend Protector applies detailed security policies to removable storage devices, which range from having data encrypted to allowing or denying the use of specific USB drives.

Safend Protector, says Pittman, can monitor endpoints, identify which devices are being plugged into the notebook, and deny those that aren't specifically authorized for use. Those that are authorized will have all of the data they store automatically encrypted. The other two applications help L.A. County substantiate encryption levels of portable devices. Safend Auditor provides Pittman audit logs of all devices ever connected to endpoints, while Safend Reporter provides reporting and analysis on security incidents and operations status.

Safend Protector 3.3 costs $13 to $32 per seat, depending on the size of the organization, for a perpetual license. Safend Reporter costs $5 per seat. The county gets Auditor as part of its package; it is sold by blocks of seats and ranges from $700 to $5,000, the company said."We can enforce USB drive access down to specific serial numbers," Pittman says. "And for the first time we can now prove that a lost drive was securely encrypted and that all of that data was inaccessible."

While that's more control over removable storage devices than most companies have in place today, L.A. County isn't stopping there. The next and final phase of the County's ambitious drive to keep data secure will be putting so called "data leak" filters in place to stop confidential and regulated data from accidently spilling out through email or over the Web.