Layer 8

Security is fundamentally about people, and everything we know about people is relevant to security. -- B. Schneier

Deconstructing the VA debacle.

[Bloggiste note:  I originally lost most of this post in a deadly combination of senior moment and really short session timeout.  So now I’m faced with reconstructing my deconstruction.  Soon I’ll work up to mixing antipasto with penne, and then all hell will break loose.]

The Office of the Inspector General’s report on the VA laptop theft is a doozy.  It contains a lot of valuable lessons for those who can see beyond what most people are focusing on:  the lack of disk encryption. 

The employee explained that much of the data that he had stored on the stolen external hard drive was for his “fascination project” that he self-initiated and worked on at home during his own time. Because of past criticism on the reliability of the National Survey of Veterans, his project focused on identifying approximately 7,000 veterans who participated in the 2001 survey, in order to compare the accuracy of their responses with information VA already had on file. He began the project in 2003, but could not recall spending time working on it during 2006.

First off, the employee took this data home to work on his own project, about which his management knew nothing.  This points to a serious lack of communication and supervision on their parts.  But notice also that he was schlepping this data around for THREE YEARS.  Did no one take a look at his laptop or external hard drive in all that time?  Did they even have a refresh cycle, and if so, what was it?

To conduct this project, the employee took home vast amounts of VA data and loaded it on an external hard drive. The stolen laptop did not contain VA data.

I have no idea at all why this is supposed to be even worth differentiating.  See below.

While the employee stored the laptop and the external hard drive in separate areas of the house, he acknowledged that he took security of the data for granted.

Now, this is amusing.  Just where did he store the two so that he felt that this improved security?  Did he store one of them under a mattress? 

This is something that executives STILL don’t get:  whenever you allow mobile devices or remote access, you are relying upon the security of wherever those endpoints happen to be. You’re relying on the physical security of hundreds of employees’ homes, the security at Starbucks, the security at the Paris Hilton (sorry, couldn’t resist; it’ll up my Weird Google Hit Quotient), the security at the airport kiosks, and anywhere else your users happen to be—all at once.  In other words, you’re relying on the security of the USER, not the device they’re using.  Your perimeter is no longer a shield wall; it’s a blob of Jell-O.

As I’ve said before, our information has turned to water, and it’s flowing everywhere.  Another problem is that a lot of web-based applications act like sprinklers. 

Let’s look now at the chain of reporting events ...


Posted by shrdlu on Sunday, August 20, 2006