Total Encryption
In Travis County, Texas, the government is made up of many entities -- the five-member commissioners court that conducts most of the county's day-to-day business, as well as many independent offices, such as the county clerk, sheriff's office and various courts.
Shannon Clyde, the county's information security manager, says because of the county's decentralized structure, the divisions all used different data encryption tools and methods, making standardization and support extremely difficult. That created a real challenge for Clyde, who has been working to roll out a single set of information security policies and standards countywide.
"We need to drive consistent information handling practices, especially the consistent and appropriate use of encryption for sensitive county information," Clyde says. "The only way to do that was to standardize wherever possible."
Travis County's approach makes good sense, says Michael Spinney, senior privacy analyst with the Ponemon Institute, a security research group. In fact, a recent report on encryption by the institute found that more than 90 percent of organizations now believe that data protection is either a "very important" or "important" part of their risk management efforts, rising significantly from previous surveys.
"There was a point in time when device encryption may have been good enough, but that time has passed," Spinney says. "With devices getting so small, people becoming so mobile, electronic communications so pervasive and hackers becoming so good at what they do, encryption at the data level is a critical piece of the security solution."
Travis County has standardized on Cisco's IronPort Secure Email Bundle, which secures data sent by e-mail outside of the county's intranet. With this tool, county officials can safely transmit data outside of the county without worrying about loss of confidentiality, Clyde says.
The county is also piloting McAfee Endpoint Encryption, which helps secure data on PCs, notebooks, smartphones, removable media and portable USB storage devices. The next step will be finding a product that focuses on protecting sensitive data residing on servers within its data centers, Clyde says.
Garfield County, Colo., hasn't been as quick to adopt encryption, but IT director Charles Zelenka says it's a top priority for 2011.
"The combination of our budgetary pressures and the fast growth of the county has made it difficult to get it off the ground," Zelenka says.
The county already has implemented Sophos SafeGuard Enterprise, which provides comprehensive full-disk encryption for the county's 75 notebooks, used mainly by public defenders and caseworkers. Next up is a full-scale rollout of Sophos SafeGuard Enterprise, plus e-mail encryption. Although no product has yet been chosen, Zelenka says it's a top priority this year.
"Our human services department is really pushing us to get e-mail encryption, and we're going to do it this year," he says.
5 Data Encryption Tips
- Encrypt throughout the organization. Don't rely on encrypting data just at the department level, or just on one type of system. Make sure encryption is deployed consistently throughout the organization and across all e-mail and mobile device platforms used within the organization.
- Build in flexibility. Create policies for disabling access for any user quickly if the need should arise. That includes procedures for making sure data has not been copied to another device.
- Understand encryption's importance. Don't consider other forms of security, such as firewalls, as a substitute for data encryption.
- Be thorough. For data that will be transmitted electronically, make sure the technology you use incorporates some of the following: a Secure Sockets Layer certificate for message encryption, PGP encryption to secure e-mails, a digital certificate to ensure data authentication, and e-mail encryption for digitally signing electronic documents.
- Take new media seriously. Don't ignore the data encryption of new media, such as tablets and smartphones.