VA Office of Information and Technology
Matt Canavan – VA Director of Client Services, Enterprise Infrastructure Engineering
October 23, 2008
Agenda
Achieving the Gold Standard In Data Security
• Balance of Information Protection
• VA Proactive Measures
• Technical Controls
• Integrated Technical Solutions
  – Removable Media and Storage
  – Mobile Devices
  – Network Transmissions
  – Remote Access
  – Email and Documents / Digital Rights Management
• Conclusion
Information Security Tipping Point
Finding the Right Balance!

Info Access
• Clinical Care
• Research collaborations
• Training Programs
• Quality improvement

Info Restriction
• Federal law
• Congress
• OMB
• Veterans groups
• Public distrust
• Litigation
VA Proactive Measures for Information Protection and Privacy Protection

Management Controls
• Policy
• Directives
• Memoranda
• Governance
• EA Integration

Operational Controls
• NSOC
• Training
• Human Resources
• Standard Operating Procedures

Technical Controls
• Removable Media & Storage
• Mobile Devices
• Network Transmissions
• Secure Remote Access
• Email and Documents
• Digital Rights Management
• Laptop Encryption

Enforcement & Continuous Monitoring
Technical Controls – A few Highlights
• Encrypted most VA laptops (some cannot be encrypted)
• Issued approximately 12,000 encrypted thumb drives across the Department
• Issued approximately 143,000 PKI certificates
• Secure and encrypted file and email software being deployed
• Mobile device standardization in progress: minimum device requirements will enable devices to support VA security policies (content protection, scanning, and patching)
• Encrypted network transmissions and port security software being deployed
• IronPort appliance: from June 1, 2007 through September 30, 2008, the IronPort email appliances stopped 72,206 emails that included a Social Security Number pattern, at a 99.9% accuracy rate. Future: provide encrypted email for all veterans by encrypting the email messages prior to sending; other filters (HIPAA, etc.) can be added.

Layered Approach to Comprehensive Information Protection of VA Sensitive Data
Removable Media and Storage (CD, thumb drives)

Removable Media and Storage Strategy
• Actively deploying technology: enterprise, standards, and creating policy

Management of Removable Media and Storage
• Only VA authorized removable storage media
• Restrict the transfer of information to removable storage media
• Thwart introduction of malicious code via removable storage media

Current Status
• VA Handbook 6500 requires encrypted USB thumb drives
• Only FIPS 140-2 certified permitted
Mobile Devices

Mobile Device Strategy
• Standardize operational and support components and refresh older devices
• Converge BlackBerry and smart phone operations and support

Management of Mobile Devices
• Encryption of data / password protection
• Only government owned devices permitted
• Establish minimum device requirements
• Security parameters established by VA Directive 6500

Current Status
• BlackBerry encryption implemented
• Only FIPS 140-2 certified permitted
Network Transmissions

Network Transmissions Strategy
• Standardize terminal emulator for the Department
• Eliminate transmission in clear text
• Standardize on dominant application software

Management of Network Transmissions
• Prevent user IDs, passwords and data from being transmitted in clear text
• Help VA meet HIPAA, FISMA compliance
• Stop transmission of SSNs outside VA network
• Only FIPS 140-2 certified permitted
• Supports PKI infrastructure and smartcard devices for HSPD-12

Current Status
• Enterprise deployment is September 2008
• Resolving telnet and secure file transfer issue
Remote Access

Remote Access Strategy
• RESCUE* project will scan all systems connecting via VPN (currently in test)
• Reduce VPN connections through Outlook Web Access and other secure access methods
• Additional technology being analyzed to control remote access restrictions

Management of Remote Access
• Handbook 6500
• VPN access restricted to valid users and systems
• Restrict access to a limited number of systems, especially for contract staff

Current Status
• RESCUE GFE** – full deployment by July 2008
• RESCUE OE** – full deployment by July 2008

* Remote Enterprise Security Compliance Update Environment (RESCUE)
** Government Furnished Equipment (GFE); Other Equipment (OE)
Email and Documents / Digital Rights Management

Email and Documents Strategy
• Encrypt sensitive content (PKI and RMS*)
• Protect inside and outside the trusted network
• Protect emails and documents during and after delivery
• Flexibility: RMS is more flexible and complements PKI

Management of Email and Documents
• Restrict document and email distribution, storage capabilities and printing capabilities
• Allows organizations to track the information
• Supports smartcard authentication
• IronPort appliance stops 99.9% of SSNs in email from leaving the VA network

Current Status
• Deployment of Microsoft RMS* complete – 150K+ clients
• BlackBerry protection
• Installing redundant/contingency hardware
• Public Key Infrastructure – approx. 143,000 certs issued

* Rights Management Services (RMS)
Conclusion
VA is thoroughly examining every aspect of our information protection program to ensure that sensitive information, primarily Personally Identifiable Information (PII) and Personal Health Information (PHI), is neither mismanaged nor used for any unauthorized purpose.
“Sensitive Information must be in a protective environment at all times or it must be encrypted”
– VA Handbook 6500
“Using Technology to Protect Privacy”
Presentation of Ned Goldberg, Chief Information Security Officer and Associate Director, FDIC Division of Information Technology
October 23, 2008
Agenda
• Background
• Privacy/Security Protection Efforts
• Privacy Protecting Technologies
  – Protecting sensitive data in transit – electronic and paper
  – Data loss prevention (DLP) technologies
Background
FDIC is an independent agency created by Congress that maintains the stability and public confidence in the nation’s financial system by insuring deposits, examining and supervising financial institutions, and managing receiverships.
Throughout the FDIC’s 75-year history, no one has ever lost a penny of insured deposits as a result of a bank failure.
Background continued
FDIC maintains millions of sensitive paper and electronic records on bank customers and employees, due to:
• Examination and Supervisory activities: FDIC monitors over 5,000 banks – more than half of the institutions in the banking system – for safety and soundness. (VISION, SOURCE, SIMS)
• Bank Closings and Receiverships: FDIC performs numerous pre-closing, closing, and post-closing activities that include claims processing, asset marketing, and deploying teams of FDIC staff and IT resources to closing sites. Fifteen banks closed in 2008. (4C, RLS, CAS)
• HR/Personnel activities: FDIC has nearly 4,700 employees located in Washington DC and 6 regional offices across the country and is headed by a Board of Directors. (CHRIS HR, NFE)
The Indymac Bank closing alone involved nearly 20 terabytes of data!
Background continued
New web-based effort helps insured depositors know if they’re protected:
Background continued
Key drivers behind FDIC’s privacy and security protection efforts:
• Compliance requirements stemming from a range of Federal privacy and security laws, regulations and related OMB guidance.
• Internal and external audit (OIG, GAO) recommendations.
• Goal of meeting/exceeding banking sector standards/best practices.
• Needs of a highly mobile examination and bank closing work force, who depend on laptops and instant access to large amounts of sensitive data.
• Significant electronic and paper data stores and sharing = ongoing concern about potential for data loss and identity theft.
• Public expects FDIC to be a responsible steward of their data. Insured depositors can’t opt out!
Privacy/Security Protection Efforts
FDIC’s risk-based strategy for protecting sensitive data includes an array of management, technical and operational controls:
• FDIC Directives aimed at protecting sensitive information in paper or electronic form.
• Comprehensive security and privacy management programs and guiding frameworks.
• Continuous monitoring of threats to network and sensitive data.
• Incident management and response plan.
• Privacy/security requirements baked into the system development lifecycle (SDLC) process and contracting process.
• Continuous assessment of new and existing agency programs and IT systems and applications for privacy/security risks.
• Use of rights management (Windows Active Directory).
• Mandatory awareness training for all employees and contractors.
  – 2008 Privacy Awareness Week
Privacy/Security Protection Efforts continued
Protecting sensitive electronic data in transit:
• FDIC is a small agency with significant electronic data stores: by one estimate, over 10 times the electronic data of all the printed books and documents in the Library of Congress.
• Engaged in continuous sharing of sensitive data between FDIC regional and headquarters offices; between FDIC and insured banks; and between FDIC and other federal financial regulators and state banking authorities.
• Highly mobile workforce requires instant access to sensitive data in both electronic and paper form: nearly 1,400 bank examiners in the field; bank closing teams.
Privacy Protecting Technologies
Protecting sensitive electronic data in transit:

Encryption
• 100% of FDIC laptops encrypted (Pointsec)
• End-to-end and local data encryption enabled on all BlackBerries
• Encryption of portable storage media (USB, CD/DVD) available from all FDIC desktops and laptops (Pointsec/Roxio)

Secure Email
• Entrust PKI encryption software available for email and data files
• PKZIP software available for encrypting data files to be shared external to FDIC

Secure Communication Links
Established with most federal regulatory and state banking authorities that FDIC communicates with on a regular basis. Current methods include:
• Transport Layer Security (TLS/ZixCorp)
• Encrypted dedicated lines
• VPN
• RCN via FDIC’s Extranet

Secure web sites
• FDICconnect: secure website for conducting e-commerce with FDIC
• Extranet: allows B2B communications between FDIC and authorized business partners or individuals
• Authentication: soft token, user certificates
• Encryption

Secure remote access
• VPN / Citrix: provides a secure method for accessing the FDIC network from remote sites. Requires use of a token (generates a one-time password) and a PIN.
Privacy Protecting Technologies cont.
Protecting sensitive paper data in transit and in store:
• FDIC has significant stores and shipments of paper records containing sensitive information/PII:
  – For example, FDIC records at Iron Mountain take up 2.4 million cubic feet of space, making the agency one of its biggest customers. Additionally, thousands of paper records are stored at FDIC facilities across the country.
  – Extensive shipment of paper records each month due to examination, bank closing and other mission critical activities (4,000 shipments each month).
• FDIC UPS Quantum View: due to experience with a small number of lost boxes containing sensitive bank data, FDIC identified and deployed a new system that provides automated, web based tracking of express mail shipments containing sensitive data. The system sends alerts when a package is lost or damaged during shipment.
• Privacy walk-throughs: an on-going self assessment program that involves unannounced visits by privacy staff at all headquarters and regional offices to identify potential issues with protecting sensitive paper and electronic records stored in file cabinets and on electronic media (e.g., CD-ROMs).
Privacy Protecting Technologies cont.
Protecting against sensitive data leakages: DLP
• Data loss prevention (DLP): a new wave of technologies and tools designed to detect and prevent the unauthorized transmission of sensitive information.
• Software monitors the flow of sensitive information across the corporate network, including data in motion to internal and external sources, and both structured and unstructured data at rest.
  – Identifies potential security concerns with transmitting PII and business sensitive information.
  – Involves a rules based engine that can identify, flag, notify the sender or stop the transmission.
• FDIC acquired a DLP solution in 2007 in response to OMB M-06-16 and M-07-16, which require agencies to take concrete steps to identify and protect sensitive data.
• Selected Vontu after review of the top 3 DLP vendors in the market based on Gartner. Decision based on price, flexibility, fit with our infrastructure, scalability.
• Steps involved: architect; purchase solution; configure and build solution; deploy solution; and transition to operational status.
Privacy Protecting Technologies cont.
FDIC’s DLP program currently is focused on:
• Social Security Numbers: finding and responding to any instances of unauthorized exposure and transmission of Social Security Numbers (SSNs) that could result in harm to an individual, FDIC employee, or the Corporation.
  – Performing baseline scanning of the network for any unencrypted outbound email/web traffic that contains SSNs (ability to scan for 27 other “policy families” including GLBA, HIPAA).
  – Scanning of Windows servers to find any instances of SSNs sitting on a file share that is open to any FDIC user.
• Alerting FDIC employees about potential data leakages.
• Managing incidents, including reporting to CSIRT and US-CERT.
• Developing awareness campaign in preparation for full implementation.
Privacy Protecting Technologies cont.
Full deployment of DLP will enable FDIC to:
• Initiate “active blocking”: provides ability to move beyond detection and monitoring and actually prevent unauthorized transmissions of sensitive data, including SSNs/PII, that can occur through outbound email traffic or web browsing.
• Send automated email notifications to employees, alerting them of a potential policy violation, thereby reducing remediation overhead requirements and risk.
  – User release optional; forced encryption optional.
• Ability to automatically hold messages and only release them when approved by the user or a manager.
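The two SSN controls described in these decks, the VA IronPort filter that stops emails matching a Social Security Number pattern and the FDIC DLP program that scans outbound mail and open file shares and then notifies, forces encryption or holds the message, come down to the same rules engine. The block below is an added example written for this page, not code from either agency and not the IronPort or Vontu product logic; the mail domain example.gov, the thresholds, the message shape and the sample traffic and share contents are all constructed for illustration. It also shows the check that keeps the false-positive rate down: a 3-2-4 digit pattern alone matches dates, phone numbers and account numbers, so candidates are filtered against the ranges SSA never issues.

```python
"""Minimal DLP rule engine: SSNs in outbound messages (data in motion) and on
file shares (data at rest). Added example; domain, thresholds and samples are
constructed, not taken from the FDIC or VA presentations."""
import re
from dataclasses import dataclass

# Candidate SSN: 3-2-4 digits with optional dash or space separators. The
# look-arounds stop longer digit runs (account numbers, timestamps) from
# matching in the middle.
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Drop values SSA never issues; pattern-only matching is what drives false positives."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:   # area 000, 666 and 900-999 are never assigned
        return False
    return g != 0 and s != 0               # group 00 and serial 0000 are never assigned


def find_ssns(text: str) -> list[str]:
    """Every plausible SSN string in text (duplicates kept so counts reflect volume)."""
    return [m.group(0) for m in SSN_RE.finditer(text) if is_plausible_ssn(*m.groups())]


@dataclass
class Policy:
    internal_domain: str = "example.gov"   # assumed agency mail domain
    hold_threshold: int = 5                # this many SSNs in one message: hold for manager release
    force_encrypt: bool = True             # otherwise only notify the sender


def evaluate_message(msg: dict, policy: Policy) -> tuple[str, list[str]]:
    """Classify one outbound message as ('allow'|'notify'|'encrypt'|'hold', hits).

    Already-encrypted traffic passes: the engine cannot inspect it and the rule
    (no unencrypted SSNs leaving the network) is already satisfied. Internal
    recipients pass because the rule targets outbound traffic only.
    """
    if msg.get("encrypted", False):
        return "allow", []
    hits = find_ssns(msg.get("subject", "") + "\n" + msg["body"])
    external = not msg["to"].lower().endswith("@" + policy.internal_domain)
    if not hits or not external:
        return "allow", hits
    if len(hits) >= policy.hold_threshold:
        return "hold", hits
    return ("encrypt" if policy.force_encrypt else "notify"), hits


def scan_share(files: dict[str, str]) -> dict[str, int]:
    """Data-at-rest scan: path -> SSN count, listing only files with hits."""
    counts = {path: len(find_ssns(content)) for path, content in files.items()}
    return {path: n for path, n in counts.items() if n}


# Constructed sample traffic and share contents (fictitious values).
SAMPLE_MESSAGES = [
    {"to": "examiner@example.gov", "body": "Claim file for SSN 123-45-6789 attached."},
    {"to": "counsel@bank.example", "body": "Depositor SSN 123-45-6789, please verify."},
    {"to": "counsel@bank.example", "body": "Depositor SSN 123-45-6789", "encrypted": True},
    {"to": "counsel@bank.example",
     "body": "Ref 000-12-3456, closing date 2008-10-23, case 410-555-1234."},
    {"to": "counsel@bank.example",
     "body": "Roster: 123-45-6789, 234-56-7890, 345-67-8901, 456-78-9012, 567-89-0123"},
]
SAMPLE_SHARE = {
    r"\\fileserver\public\readme.txt": "Welcome to the share.",
    r"\\fileserver\public\closing_list.csv": "Jane Roe,123-45-6789\nJohn Roe,234-56-7890\n",
}

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        action, hits = evaluate_message(m, Policy())
        print(f"{action:8} to={m['to']:22} hits={len(hits)}")
    print(scan_share(SAMPLE_SHARE))
```

The fourth sample message is the interesting one: it contains a date, a phone number and an SSN-shaped value with area 000, and none of them produce a hit, while a bare nine-digit run still does. That is the trade-off the slides' 99.9% figure and the "threshold levels" item both point at, and tuning it is where the data monitors' time goes.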
Privacy Protecting Technologies cont.
Additional DLP solution on the horizon to protect structured data:
OMB M-06-16 (bullet 4) requires agencies to monitor extractions from enterprise databases.
Requirement is to provide transparency and accountability by monitoring the user request for PII information at the database level in a multi-tiered application (web server, business logic, and data repository).
FDIC has selected the Guardium technology that has both an agent resident with the database and a network observation appliance that permits the product to link the user requests to the database fields.
The product also provides integration into and auditing of PeopleSoft, Oracle, and SAP.
Privacy Protecting Technologies cont.
9 things to consider when launching DLP tools:
1. Cost of appliances and services.
2. Technical staff and time to configure and operate the system.
3. Determining information to flag (SSNs, other sensitive data) and threshold levels.
4. Identifying and training “data monitors” on how to use the tools.
5. Staff and process for handling the increased number of incidents.
6. Performing policy and privacy reviews:
   • Acceptable Use Policy and computer log-in consent.
   • Privacy Threshold Analysis, Privacy Impact Assessment and Privacy Act System of Records.
7. Performing notifications/awareness:
   • Legal/HR/Union/Senior Management
   • Awareness campaign
8. Integrating with incident response processes (FDIC Privacy Incident Response Team and CSIRT).
9. The same tools can’t go backwards: they only see traffic from the time they are deployed, so they can’t be used for forensics on earlier leaks.
Privacy Protecting Technologies cont.
Final thoughts about DLP…
• You can have the best policies, procedures, and technologies in place; people will still make mistakes.
• DLP can help protect people from accidentally leaking sensitive data that could pose the risk of identity theft and serious disciplinary actions.
• Based on research (e.g., The Hartford) and our own experience to date, once people know that the tools are out there, there is an immediate impact/drop in issues (even as the result of a phone call!). DLP increases awareness among employees who don’t realize they’re doing something wrong (e.g., attempting to send unencrypted emails with sensitive agency information).
• In the event of the worst case scenario, the incident is known almost immediately, so that appropriate reporting and breach management can occur.
eServices: Navigating Disclosure Issues
Merging Heritage & Horizon at the Social Security Administration
Steve Kautsch, Associate Commissioner for Systems Electronic Services, Office of Systems
Presented to the Federal Privacy Summit, October 23, 2008
eService Timeline
[Timeline figure, 1994 through 2007; milestones as labelled on the slide:]
• SocialSecurity.Gov is launched
• First online eService: Personal Earnings and Benefit Estimate Statement (mailed PEBES)
• PEBES taken down
• 800# interactive voice response
• Online wage reporting
• iRIB retirement application
• 1 millionth email inquiry
• 1 millionth online retirement claim
• VA laptop stolen
From its inception, privacy considerations have shaped the program. We provide 18 Internet and automated 800# eServices for the
Key Privacy Principles
• Right of individuals to easily access their records that are held by others, and
• Obligation of record holders to protect personal information from unauthorized and improper disclosure
SSA’s eServices Program Objectives
1) Fulfill the rapidly growing expectation for convenient, effective and secure electronic service delivery options for the public and our business partners; and
2) Provide better service to all our clients by offsetting projected workload growth as the baby boomers reach their retirement and disability prone years.
[Chart: The Silver Tsunami. Insured Individuals (Non-Disabled) Reaching Age 63 (Average Retired Worker Entitlement Age) in 2000 Through 2030. X axis: years 2000 to 2030; Y axis: Thousands of Individuals, 0 to 4,000. Marked cohorts: Born 1946 (Start of Baby Boom), Born 1965 (End of Baby Boom). Source: Social Security Office of the Actuary]
Challenges We Face
• 80 million Boomers will reach their disability prone years and retirement age, over the next two decades; about 10 thousand per day
• Retirement claims will increase by 40% and disability claims by 10% over the next decade
• Disability claims are SSA’s largest operational workload
• 40% SSA employees will be retirement eligible by 2010
Baby Boomers Online
• The number of Internet users age 55+ is roughly the same as those who are aged 18 to 34.
• There are 78 million baby boomers (roughly three times the number of teenagers) and most of them are Internet users who learned computer skills in the workplace (NY Times, 9/12/07).
Security Threats
Software
• Malware: worms, Trojans, rootkits, logic bombs, persistent bots, spyware, etc.
• Spoofing and masquerade
• Spamming
• Missing security patches
• Web application security exploits, e.g. SQL injection
• Key-logging
Hardware
• Key-logging
• USB thumb drives
• Web-Architecture
• Lost laptops/BlackBerries
Physical
• Shoulder surfing
• Insider attacks (employees)
• Social engineering
Architectural Safeguards
• Robust Internet architecture: DMZ/firewalls
• State of the art application authentication and authorization (ACU)
• Communication over SSL/TLS
• Data from US-CERT (United States Computer Emergency Readiness Team)
• National Vulnerability Database (NVD): 15,000 vulnerabilities catalogued
• Penetration testing
• Intrusion detection
Internet Project Life Cycle
• Business Risk Assessment
• Project-specific Risk Assessment
• Security Risk Assessment
• Authentication Risk Assessment
• Privacy Impact Assessment
Authentication
To securely move work online, we must be able to remotely determine that the user really is who they claim to be.
E-Authentication consists of 3 steps:
– Registration with identity proofing
– Issuing of credentials
– Authenticating the credential
OMB/NIST guidance (OMB M-04-04 assurance levels):
– Level 1: Little or no authentication required
– Level 2: Some assurance required
– Level 3: High level of assurance required
– Level 4: Very high level of assurance required
Authentication Challenges
Level 2:
• Knowledge-Based Authentication
• PIN/Password
• Federated model: E-Authentication Pilot
Level 3:
• Two-Factor Authentication
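The Level 3 two-factor item here, and the FDIC remote access control earlier (a token that generates a one-time password, plus a PIN), are the same credential seen from the server side. The block below is an added example written for this page, not SSA or FDIC code: it implements an RFC 4226 HOTP token check combined with a salted PIN hash. The user name, PIN and look-ahead and lockout limits are constructed; the token secret is the RFC 4226 test-vector key, so the expected codes are the published ones. It shows the two properties a practitioner cares about beyond "the code matches": a used code cannot be replayed because the counter advances past it, and a wrong PIN does not burn a still-valid code or reveal which factor failed.

```python
"""Two-factor verification: salted PIN hash + HOTP (RFC 4226) token. Added
example with constructed enrollment values; not code from the presentations."""
import hashlib
import hmac
import os
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TokenService:
    """Server side of the credential: stores a salted PIN hash and the token state."""

    LOOKAHEAD = 5        # counter drift tolerated (token pressed without logging in)
    MAX_FAILURES = 5     # lock the account after this many consecutive bad attempts
    PBKDF2_ROUNDS = 100_000

    def __init__(self):
        self._users: dict[str, dict] = {}

    def _pin_hash(self, pin: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, self.PBKDF2_ROUNDS)

    def enroll(self, user: str, pin: str, secret: bytes) -> None:
        salt = os.urandom(16)
        self._users[user] = {
            "salt": salt,
            "pin_hash": self._pin_hash(pin, salt),
            "secret": secret,
            "counter": 0,    # lowest counter value the server will still accept
            "failures": 0,
        }

    def verify(self, user: str, pin: str, code: str) -> bool:
        """Both factors are always evaluated so the result does not reveal which one failed."""
        rec = self._users.get(user)
        if rec is None or rec["failures"] >= self.MAX_FAILURES:
            return False
        pin_ok = hmac.compare_digest(self._pin_hash(pin, rec["salt"]), rec["pin_hash"])
        # Search the look-ahead window. Anything below rec["counter"] was already
        # consumed (or never issued), so a replayed code cannot match here.
        matched = None
        for c in range(rec["counter"], rec["counter"] + self.LOOKAHEAD + 1):
            if hmac.compare_digest(hotp(rec["secret"], c), code):
                matched = c
                break
        if pin_ok and matched is not None:
            rec["counter"] = matched + 1   # burn the used code and any skipped ones
            rec["failures"] = 0
            return True
        rec["failures"] += 1               # the code is not burned on a wrong PIN
        return False


if __name__ == "__main__":
    svc = TokenService()
    svc.enroll("jdoe", pin="4821", secret=b"12345678901234567890")   # constructed values
    print(svc.verify("jdoe", "4821", hotp(b"12345678901234567890", 0)))  # True
    print(svc.verify("jdoe", "4821", hotp(b"12345678901234567890", 0)))  # False: replay
```

A counter-based token like this fails open only in one direction: if the user advances the token more than LOOKAHEAD times without logging in, the server must resynchronize, so keep the window small enough that an attacker guessing six-digit codes has no useful advantage and pair it with the lockout.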
Risk Mitigation Features
Risk Mitigation Strategies
• Privacy Expert Consultations
• External Stakeholder Involvement
• Congressional Briefings
• Social Security Advisory Board
• National Academies of Sciences Report
Closing Thought
“…even though SSA came under criticism for making personal information available on the Internet, the agency was attempting to uphold one of the most important privacy principles - the right of individuals to get access to their own records held by others, to ensure that the information is accurate and complete, and to make corrections if necessary. In the area of Social Security contributions, this is particularly important for American taxpayers. Privacy laws are not just about restricting access to personal information. They also require that organizations in possession of personal information make sure that the individuals to whom the information relates are able to get access to their data easily and cheaply. If SSA is to be faulted, it should not be for their effort to make the PEBES more readily available.”
Marc Rotenberg, Executive Director, Electronic Privacy Information Center, Testimony before the House Committee on Ways and Means, Subcommittee on Social Security, 1997