Viewpoint: WikiLeaks lessons for state and local governments
First, the good news: There were bigger fish to fry.
If not for the size and prominence of the federal bull’s-eye, state and local governments might well have been among the very first victims of WikiLeaks’ unauthorized disclosures. Make no mistake; local governments possess an abundance of enticing data targets (for example, sensitive records relating to health issues, personal and commercial finance, social services, corrections and legal proceedings). Inevitably, WikiLeaks or one of its successors will attempt to extract and disclose those assets, and perhaps the only chance to avoid the embarrassment, upheaval and genuine peril incited by the federal WikiLeaks debacle is to learn as much as possible from it.
State and local governments must not squander the opportunity to draw the proper conclusions and take the necessary precautions. And they must move swiftly because, given the strength, tenacity and diffusion of the WikiLeaks threat vector, the bigger fish will quickly run out.
Perimeter? What perimeter?
Data security is an ongoing evolution: As systems and technologies change, so do their vulnerabilities. Over the past decade, the prevailing IT security model focused on the design and maintenance of an impregnable external perimeter (infrastructure security). But today, concepts like cloud computing and mobile Internet access have shattered that traditional paradigm. Now, protection of the data itself (information security) presents the best defensive strategy.
State and local government systems must learn to identify sensitive information as it moves through the network. When data stays stationary in a database, traditional perimeter protections are usually adequate. But when a file starts moving through an enterprise — or gets sent to a web client or a web server — the perimeter breaks down.
As the data moves, it must maintain protections and permissions commensurate with its level of sensitivity. Should one be able to copy that particular information to a removable storage device? Should that information be encrypted while in transit?
(Incidentally, encryption, the last line of data defense, is often all that separates a benign data loss scenario from a devastating one.) Data loss prevention tools can be configured to alert system operators to risky or unusual data paths and behaviors.
An inside job
The insider threat has become much more significant than the threat posed by outsiders — at least in terms of the potential for data loss or data breach. But what many state and local governments fail to consider is that there are two distinct categories of dangerous insider: malicious insiders (those who will intentionally extract data for personal gain, political embarrassment or other self-serving reasons) and well-meaning insiders (those who will unknowingly jeopardize the security of a data system by either misunderstanding or misapplying proper security protocol).
Information-centric security procedures are crucial for thwarting the malicious insider. But for the well-meaning variety, user training and education are critical. Security technologies simply cannot operate effectively without appropriate end-user behavior. Taking laptops and removable storage devices off premises, for example, creates a nearly insurmountable security gap, despite an organization’s most advanced technological safeguards.
The lesson is: True government security is a marriage of people, processes and technology.
Learn and live
So, what can state and local governments do today to protect their data?
1. Implement a sensitive data protection strategy to protect important information inside the perimeter and as it moves throughout the network.
2. Establish training, education and process controls to address threats posed by malicious and well-meaning insiders.
3. Stay vigilant in the search for new and emerging vulnerabilities that may develop within the enterprise.
We cannot stop all of the world’s cyber attacks. But, by following just these three basic suggestions, state and local government agencies can significantly reduce the threat of a WikiLeaks-style catastrophe.
Mike Maxwell is the national director of U.S. State & Local Government & Education for Mountain View, Calif.-based Symantec. He leads an organization that develops and supports Symantec information protection solutions for government and education initiatives, and can be reached at [email protected].