Thursday, June 08, 2006

Questions raised by the VA system theft

For those who have not been in IT for very long, you will not notice that we have almost come full circle. In fact, in some cases we have come full circle and are starting over again. With that being said, the theft of data from the Department of Veterans Affairs raises a whole mess of issues. And I do mean a mess, because it points at some diametrically opposite ideals that have to be addressed, recognized, and either accepted or rejected. Whatever course is taken will have consequences, because those ideals are almost mutually exclusive.

To begin, let us take the simple issue of access. Almost since the first operator signed on to one of these machines and screwed something up that he (it was almost always a he) was not supposed to, we have had some form of access control. Usually, this is in the form of a user name and password. As time went on, the requirements for complexity and frequency of change increased, but we still had a user name and password. Still more time passed and multi-factor authentication became the vogue way to log onto the system, whether it was token-based or biometric. As operations became more and more complicated, access and access controls also became more complicated and in some ways more sophisticated. Of course the user population grew, and managing authentication and access became a full-time job.

Enter the Internet, modems and broadband access. All three of these resulted in a train wreck of access issues. Everyone, in theory, could now access their data from anywhere, provided (also in theory) that the access controls were properly established. Millions and millions of dollars were poured into remote access methods to let the right people in and keep the wrong people out. Some companies encouraged their employees to work at home; others did not openly encourage it but did make it possible. One of the biggest corporations, the United States Federal Government, continues to wrestle with this issue.

Along comes a natural disaster. Take your pick; there are dozens to choose from. Each one spurs some group of people to think about continuity of operations, or how to keep things going when bad things happen. Suddenly, companies were taking their data centers and copying them, as either an active or a passive back-up site, somewhere safer than the current location and usually a significant distance away from any of the users, operators or maintainers of the systems, meaning more remote access and more controls.

Now we have the fear of a pandemic. Planning estimates are that upwards of 30% of your staff will be unavailable, whether because they are sick (or dead), caring for someone who is sick (or making arrangements), or stuck in a quarantine zone. Essentially, their butt will not be in the chair they normally occupy, but they are capable of working, just not of coming to work. This is something that scares the continuity people, so they demand that yet more people be able to remotely access the corporate systems. I expect there will be big business done in this over the next 12 to 18 months.

Suddenly, a laptop is stolen from the house of a VA employee who downloaded millions of records to work on them from home. Say what you will, there are implications here. 1) While the VA employee did violate policy (a written document that he or she probably did not even know about), the individual was authorized to have access to the information. 2) They had been issued a laptop, presumably so that they could do work at home. 3) This is not an unusual case, either within the government or within corporate America.

While chaos is ensuing around Washington, we all need to take a deep breath and ask some hard questions:

1) Since the employee was doing work, why was encryption on the desktop not standard? In short, because most single-disk encryption schemes require that the employee know a password. How many times have you forgotten your password? How much data might be lost when this happens? OK, so suppose you have a key escrow policy in place (something that the Federal Government has been working on for years, I might add, with little or no success, except within highly segmented pockets of technological brilliance). Key escrows are nice fuzzy things for management - it means that someone can lose the password (or get hit by a bus) and the data is, in theory, recoverable. Key escrows are a nightmare to manage; they require complex webs of trust and a team of skilled and trusted engineers to implement and maintain.
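To make the escrow trade-off concrete, here is an added example (not the VA's code or any product's) of the structure a key escrow scheme has: the records are encrypted under a random data-encryption key, and that key is wrapped twice, once under a key derived from the employee's passphrase and once under an escrow key held by the organization. Either wrapping recovers the data, so a forgotten passphrase no longer means lost records. The HMAC-SHA256 keystream cipher, the escrow key value and the sample record are all constructed for this example so it runs on the standard library alone; a real deployment would use a vetted AEAD such as AES-GCM or AES Key Wrap and keep the escrow key in an HSM.

```python
import hashlib
import hmac
import os
import secrets

# Illustrative scheme only. The HMAC-based stream cipher below stands in for a
# real AEAD so the example needs nothing outside the standard library.
PBKDF2_ROUNDS = 100_000

# Hypothetical escrow key, constructed for this example. In practice it lives
# in an HSM or an escrow service guarded by the "webs of trust" the post mentions.
EXAMPLE_ESCROW_KEY = hashlib.sha256(b"constructed escrow key for this example").digest()


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC keys from one key (domain separation)."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream built from HMAC-SHA256 over nonce || counter."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output is nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting, so a wrong key fails closed."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


def derive_kek(passphrase: str, salt: bytes) -> bytes:
    """Turn the employee's passphrase into a key-encryption key."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, PBKDF2_ROUNDS)


def protect(records: bytes, passphrase: str, escrow_key: bytes) -> dict:
    """Encrypt records under a fresh DEK, then wrap the DEK for user and escrow."""
    dek = secrets.token_bytes(32)
    salt = os.urandom(16)
    return {
        "salt": salt,
        "data": seal(dek, records),
        "dek_for_user": seal(derive_kek(passphrase, salt), dek),
        "dek_for_escrow": seal(escrow_key, dek),
    }


def recover_with_passphrase(package: dict, passphrase: str) -> bytes:
    """Normal path: the employee remembers the passphrase."""
    dek = unseal(derive_kek(passphrase, package["salt"]), package["dek_for_user"])
    return unseal(dek, package["data"])


def recover_with_escrow(package: dict, escrow_key: bytes) -> bytes:
    """Recovery path: passphrase lost (or the employee is unavailable)."""
    dek = unseal(escrow_key, package["dek_for_escrow"])
    return unseal(dek, package["data"])


def demo() -> dict:
    """Exercise all three outcomes on a constructed sample record."""
    records = b"constructed sample record: veteran 0001, claim 42"
    pkg = protect(records, "correct horse battery", EXAMPLE_ESCROW_KEY)
    try:
        recover_with_passphrase(pkg, "wrong passphrase")
        wrong_rejected = False
    except ValueError:
        wrong_rejected = True
    return {
        "user_path": recover_with_passphrase(pkg, "correct horse battery") == records,
        "escrow_path": recover_with_escrow(pkg, EXAMPLE_ESCROW_KEY) == records,
        "wrong_passphrase_rejected": wrong_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The operational cost the post describes lives entirely in the last wrapping: whoever holds `EXAMPLE_ESCROW_KEY` can read every protected file, so that key needs split custody, access logging and a rotation plan, which is exactly the "team of skilled and trusted engineers" that makes escrow expensive.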

2) Suppose the employee was working at home on their own machine? This becomes one of the biggest sticking points in the whole remote access debate. Regardless of who you work for, this is discussed until it is dead because there are no easy answers.

First issue - who ensures the machine can connect to the corporate system? In a large number of cases, the home PC is incapable of connecting because of limitations of software or operating system. Just because the corporate standard is Windows, I might use a Mac at home.
Second issue - who ensures that the machine is clean? Most home machines are unpatched and unprotected. This is a fact of life, but you do not want to spread the love around your pristine corporate environment.
Third issue - who is responsible for tech support? Most users who have to do remote access are not technical. They are accountants, marketing people, executives. They are not IT. So who is going to provide them with the support they need when something breaks?
Fourth issue - do you provide each employee with a machine if they need to access the corporate systems? This is a solution that many companies have undertaken, but it is hardly an inexpensive one. It makes some of the initial questions easier to answer, but places a great burden on the IT staff, especially from a tracking standpoint.
Fifth issue - how do you ensure the data being accessed is secured on the remote system? The short answer is you almost cannot. Hook a printer up and the data escapes (and not allowing people to print is the most draconian security measure I have ever been involved in). Of course, if you have a pencil and paper, there really is no foolproof way to secure the data, but a pencil is a lot slower than a hard drive.
Sixth issue - if you designate only a percentage of your population as having a need to remotely access the systems, which takes care of the access controls and some of the technical issues, what do you do when someone needs that access and cannot get it or be given it, especially in a continuity of operations scenario?

3) Data management and control is difficult at the best of times. With a few exceptions, there has been very little work done in the field of data integrity. Sure, I can tell when someone pulled data and, if I try hard enough, from what tables, but let us be honest. If the employee had access to the system, then they had access to the data, and I really do not care what they pulled. Nor do I really have time to be sorting through thousands of log files, writing custom scripts, or sitting watching a monitor. There is enough to deal with keeping the bad guys out of the system. If we have to start monitoring the good guys' activities as well, we are sunk.
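The "thousands of log files" objection is fair, but the cheapest first pass does not need a person watching a monitor. The following is an added example, not the VA's code or any product's, of the kind of filter a defender would run over access logs: it flags a single query that returns far more rows than any one person needs, and separately flags a user whose many small pulls add up over a day. The log format, the user names, the thresholds and every line of the sample log are constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed audit-log lines for this example (not from any real system).
# Fields: ISO timestamp, user, action, table, rows returned. One deliberately
# malformed line is included to show that junk is skipped, not crashed on.
SAMPLE_LOG = """\
2006-05-03T09:12:01 user=jsmith action=SELECT table=veterans rows=40
2006-05-03T09:15:44 user=jsmith action=SELECT table=veterans rows=25
2006-05-03T17:48:10 user=jsmith action=EXPORT table=veterans rows=2600000
2006-05-03T10:02:13 user=aprice action=SELECT table=claims rows=12
2006-05-03T10:05:50 user=aprice action=SELECT table=claims rows=3
2006-05-03T11:00:00 user=bkim action=SELECT table=veterans rows=9000
2006-05-03T11:10:00 user=bkim action=SELECT table=veterans rows=9000
2006-05-03T11:20:00 user=bkim action=SELECT table=veterans rows=9000
2006-05-03T11:30:00 user=bkim action=SELECT table=veterans rows=9000
2006-05-03T11:40:00 user=bkim action=SELECT table=veterans rows=9000
2006-05-03T11:50:00 user=bkim action=SELECT table=veterans rows=9000
2006-05-03T12:00:00 user=bkim action=SELECT table=veterans rows=9000
2006-05-03T12:10:00 user=bkim action=SELECT table=veterans rows=9000
this line is garbage and must not break the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"table=(?P<table>\S+) rows=(?P<rows>\d+)$"
)


def parse_log(text: str):
    """Yield one event dict per well-formed line; silently skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        yield {
            "ts": datetime.fromisoformat(m["ts"]),
            "user": m["user"],
            "action": m["action"],
            "table": m["table"],
            "rows": int(m["rows"]),
        }


def find_bulk_pulls(events, per_query_limit: int = 10_000, daily_limit: int = 50_000):
    """Return (user, reason, rows) findings.

    Two checks: a single query over per_query_limit, and a per-user daily total
    over daily_limit, which catches the "many small pulls" pattern that no
    single-query threshold sees. Limits are constructed defaults; tune them to
    what a legitimate job in your environment actually needs.
    """
    findings = []
    daily = defaultdict(int)
    for ev in events:
        if ev["rows"] > per_query_limit:
            findings.append((ev["user"], "single query over limit", ev["rows"]))
        daily[(ev["user"], ev["ts"].date())] += ev["rows"]
    for (user, day), total in sorted(daily.items()):
        if total > daily_limit:
            findings.append((user, f"daily total over limit on {day}", total))
    return findings


if __name__ == "__main__":
    for user, reason, rows in find_bulk_pulls(parse_log(SAMPLE_LOG)):
        print(f"{user}: {reason} ({rows:,} rows)")
```

On the constructed log this produces three findings: jsmith's single 2.6 million row export, bkim's eight 9,000-row pulls that sum to 72,000 for the day, and jsmith's daily total. Nothing is flagged for aprice. The point is not that this replaces judgement about authorized users, but that the triage step the post dreads can be a few dozen lines run nightly rather than someone reading log files.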

The issues surrounding the VA have raised all kinds of awareness and focus. Now we have to keep our eye on the ball and not implement any knee-jerk reaction that will only make it harder for the authorized user to get their work done. After all, if you make security difficult for the user, they will either work around it or use it as an excuse not to do the work. In either case, the end result is the same.
