Data Protection Practices

2008 NSAA IT ConferenceNathan Abbott, TN

Joe Moore, AZ

Doug Peterson, NV

Agenda

• Introduction• Why? Our recent experiences• What? Technology solutions• How else?• Questions

Introduction

• Format for presentation• Individual introductions

Why has data protection become more important now?

Nevada

Why…

• Contractor with DMV:– Lost USB Flash drive– Contained names of 109 individuals

• University of Nevada, Reno professor lost a flash drive that contained the names and Social Security numbers of 16,000 incoming freshmen from 2001 to 2007current and former students

Why…

• DMV Audit– Prior to audit--Truck drives through front

of DMV building and steals computer. Contained personal information on 8,700 Nevada residents.

– Prior to audit--Planned to encrypt files and not store on computers

– Audit found information on desktops, laptops, zip drives, USB drives.

– Audit found process of removing personal information from computers didn’t always work as planned. Over 300 files, each with a person’s name, address, and SS#.

Arizona

Why…

• Arizona #1 in Identity Theft• Newspaper publishes “public”

information• Audit responsibilities require sensitive

data• Agency requests for agreements

– Encroachment on statutory authority

• Public relations nightmare

Tennessee

Why…

• Portable Media– Auditor was in car accident and lost their

thumbdrive

• Nashville Davidson County Election Commission Office– The office was broken into

Why…

Why…

• Nashville Davidson County Election Office• Office was broken into on

December 24, 2007• Break-in was not noticed until

December 27, 2007• Two Laptops were some of the

items that were missing

Why…

• It was standard practice for the office to tape to the machine user name and passwords.

• The laptops were using an access database that contained all register voters personal information including their SSN.

Why…

• The office was preparing for the primary election and was in the process of removing the SSN’s from the Access database.

• The street value of the stolen laptops was probably $600 total, but the incident is costing the city millions in Identity Theft Protection.

What solutions are we using?

Tennessee

Where Did We Start?

1. Researched available options

2. Evaluated software

3. Determined best option

TRUECRYPT VS ENTRUST

• TRUECRYPT– Partial disk

encryption– Passwords do not

sync– No vendor support– USB encryption– Encryption time 30-

40 minutes– Cost FREE

• ENTRUST– Full disk encryption– Passwords sync

with operating system

– Vendor Support – 1-800 number

– Removable media encryption

– Encryption time 4-8 hours

– Cost $130 per licence

Truecrypt Concerns

• File Restoration

• Key Management

• Administrative Support

• Removable Media Support

• Partial Disk Encryption

Why Did We Choose Truecrypt

• Strategic Plan– Our purpose is to serve the people of

Tennessee by Enhancing effective public policy decisions at all levels of government

• 47-18-2107 TCA Release of personal consumer information– …Unauthorized acquisition of

unencrypted computerized data…

Truecrypt Harddrive Setup

Truecrypt Harddrive Setup

Truecrypt USB Setup

Truecrypt USB Setup

Arizona

What?

• Statutes• Drive Crypt Plus Pack

(DCCP)• Ironkey• VPN and Tokens• Winzip

Statutes

• Provide broad access to information– Authorized to review confidential records

without limitation– Agencies required to provide records

• Working papers and audit files are not public information

• Audit exclusions for other Acts, such as HIPPA, FERPA

DCPP

• Whole disk encryption (partition based)

• Boot protection• Pre-Boot authentication• Sector level protection• Administrator / user specific rights• Transparent to users• Minimal administration and user

training

DCPP

DCPP

DCPP

DCPP

DCPP

DCPP

DCPP

DCPP

Ironkey

• Always-on military grade data encryption

• No software or drivers to install

• Easy to deploy and use

• Ability to create and manage enforceable policies

• Unique serial numbers

Ironkey

Ironkey

Ironkey

Ironkey

Ironkey

Ironkey

Ironkey

Ironkey

Ironkey

Ironkey

Remote Access via VPN and Tokens

WinZip

Nevada

What Technology We Use

• Truecrypt• EFS (windows built in encryption)• Lexar USB drives with encryption

software• Whole disk encryption on Dell laptops

using Wave Embassy Security Center software and hard drive-based encryption

EFS

Advantages:– Free– Easy to implement– 256-bit AES– Easy to backup to network drive (registry

tweak needed to decrypt data as it is copied to network drive)

– Set and forget...sort of

EFS

Disadvantages:– No additional password– Folder based. Auditors can save in

unencrypted folders– 256-bit AES not used in Pre-XP SP1– Certificate expired and some auditors

could not get access to data for a day

Windows Encryption File System (EFS)

Lexar Secure II

Advantages:• Free• Known encryption (AES 256)

Disadvantages:• Not easy for auditors to remember

setup• Uses Vaults—auditors use

unencrypted area

Secure II for USB Drives

Wave Embassy

• Whole Disk Encryption (hardware based on Dell Latitude, HP, Lenovo)

• Wave Embassy suite is the software front end to where the real work is done—hardware-based encryption

• Used in conjunction with TPM chip

Wave Embassy

Advantages:• 128-bit AES (not as strong as 256-bit

key, but still strong)• Multiple passwords (pre-boot

authentication)• Works with biometrics

Wave Embassy

Disadvantages• Complex to set up (including BIOS

settings)• Multiple passwords• Need to have a Seagate Momentus

FDE.2 HDD which runs at 5400 rpm

Wave Embassy Security Center

Wave Embassy

Wave Embassy

Wave Embassy

Wave Embassy

How else are we addressing it?

Nevada

Statutes and Policies• Statutes

– NRS 218.870 (“All working papers from an audit are confidential…”)

• Policies– Reinforce and support statutes– Detailed

• Extreme care to ensure confidentialy of information “gained” during audits (more than what is in workpapers)

• Careful with discussions

How…Guidance to Staff

Training• One on one with each person

– Lexar– Wave Embassy

• Periodic staff training– Reinforce statutes– What is confidential, what is not– Examples shown

• Management meetings allow supervisors to reinforce policies and importance

Tennessee

How…Our Policies

• Backup Volume Header– Allows users to restore encryption to

original installation.

• Create an Admin Password– This is to be used in the event someone

forgets their password.

How…Our Policies (Cont.)

• Created standard passwords for users– This is used to ensure password

complexity

• Created standard login procedures– This is used to help the auditors to be

consistent when they login

How…Our Policies (Cont.)

• Removable Media– This policy is to make it clear that

personal thumbdrives are not be used to store confidential data

• Storage of Files– This policy is to make it clear where you

needed to store confidential data

How…Our Policies (Cont.)

• Enforcement– Once a year have security awareness

training– Periodic emails to staff reminding them of

the encryption policies– Unannounced Random Sample

How…Problems

• Auditors were confused about which password to use to log-on to their workstation

• Thumbdrives

• Auditors do not like using passwords for thumbdrives

Arizona

How…

• Policy• Communicate to auditee/entity

common information• Statutory authority• Security of confidential records• Auditor General policies

– Internet Use and Email acceptable use agreements

– IT policy with address data security– Acknowledgement of state policy

How…

• Determine whether information is confidential or public (may be more restrictive than public records law)

• Confidential– Personal information

• Info which can identify a person

– Sensitive information• Info which may be harmful to the state and its

citizens

• Public information

How…

• Then, ensure that appropriate security measures are applied based on classification of data

• Confidential– Encryption and/or restrictive physical

and/or logical access rights• Store on Office network or encrypted flash

drives• Return original data or store securely

– Never copy confidential data to home computer

How…

– If remote, use VPN and use remote sessions

– Limit access rights on network drives– Use restricted views and coding

techniques for data stored in databases– Determine whether or how much

confidential information must be included in audit documentation

How…

• Use encryption when storing on external storage media (HDs, CDs)– Use secure passwords/phrases

» Minimum of 8 characters» Upper/lower case» Special characters

• Store passwords/phrases securely

• Public Information• No special security precautions• Adhere to professional standards and Office

policy• Can be stored in shared directories

How?

• Document classification assessment and subsequent actions taken

• Archiving and Disposition– Keep only as long as necessary or

required– Ensure confidential data is protected

when archived– Let others involved know about the

confidential nature of the data stored

Questions

Nathan Abbott; Nathan.Abbott@state.tn.us

Joe Moore; jmoore@azauditor.gov

Doug Peterson; dpeterson@lcb.state.nv.us