Testimony to the U.S. House of
Representatives
Committee on Veterans Affairs
Information Security at the Department of Veterans Affairs
Dennis Hoffman
Vice President of Information Security
EMC Corporation
May 25, 2006
Mr. Chairman, thank you for the
opportunity to testify before the House Committee on Veterans Affairs.
EMC is the world’s leading provider of technology that allows
organizations of all sizes to store, manage, protect, and secure their
most critical asset: their information. We invest more than $1 billion
annually ($1.2 billion this year) in research and development to
innovate technology solutions that allow enterprises to manage, store,
protect, and secure their growing volumes of information, from its
creation to its ultimate disposal, helping them efficiently and
securely gain the maximum value from their information throughout its
lifecycle.
I am Dennis Hoffman, Vice President of Information Security at EMC
Corporation. Data breaches are happening at an alarming rate. Last year,
at least 23 million—or about one in nine—Americans received notification
of a data security breach.[1] The Department of Veterans Affairs is not
alone. Organizations—from government entities to commercial
enterprises—all face this problem. Despite the media’s focus on breaches
involving personal information, the problem is not limited to this type
of information. Organizations create many types of sensitive or mission
critical information; many government agencies’ and commercial
businesses’ primary product is information, which they cannot afford to
be compromised.
Despite massive investments in security technologies, few organizations
today in the private sector feel their data are secure because the
majority of today’s security solutions protect networks, data centers,
and resources, but not information itself. The historic threat of
external hackers has driven IT professionals to take a “perimeter
security” approach to securing sensitive information.
The fundamental issue with this approach is that while these are
necessary investments, they are not complete and do not solve the
problem. Commercial enterprises spent more than $6 billion on security
software last year.[2] Despite that investment, 82 percent of commercial
enterprises do not feel their data are secure or “adequately
protected.”[3]
Even though the nature of security threats is changing, the majority of
enterprise data security spending is still “perimeter-centric”—aiming to
protect the network perimeter from outside threats. Two-thirds of
hardware and software spending last year was on perimeter-focused
technologies such as firewalls, virtual private networks, intrusion
prevention systems, antivirus, and anti-malware.[4]
The problem, however, is that none of these technologies protects data;
they protect the IT infrastructure. None would have prevented the
compromise of veterans’ data from this breach. For example, if a laptop
or similar device were stolen, it is likely the laptop would have some
sort of antivirus software—the largest security software market
today—installed. However, this software would do nothing to protect the
sensitive information stored on the laptop. Technology exists today,
used by the national security oversight committees in Congress, that
would render specific information on the laptop unusable.
Erecting perimeters ignores the fact that in order to have value,
information moves throughout or between organizations. Once your
information moves (accessed, downloaded, e-mailed, printed, etc.)
outside secure perimeters, it is left unprotected.
Additionally, a perimeter security approach ignores the fact that often
the threat exists inside the perimeter. A comprehensive approach is
needed that secures the information, as well as the IT infrastructure.
Thus, information security has increasingly become an information
management issue.
IT professionals are realizing that the internal threat is the more
detrimental. Seventy percent of security incidents that cause monetary
loss to enterprises involve insiders.[5] The internal threat may be
malicious—such as a criminal stealing credit card data, or it may very
well be inadvertent—a human resources worker e-mailing sensitive
employee health data outside the company by accident. Internal threats
are magnified by the fact that we are an increasingly mobile workforce.
Today, nearly a quarter of the world’s online workforce works
“remotely”. Given that workers take their laptops (often containing
sensitive material) to work and home again, it is only a matter of time
before sensitive data become exposed.
Threats today come from both likely and unlikely sources. While it is
necessary to defend against sophisticated hackers who are deft at
exploiting vulnerabilities in a system, it is equally important to
understand the inherent danger from traditional threats. Media accounts
of the data loss at the VA state that the individual responsible was
likely not part of an elaborate scheme to steal millions of Social
Security numbers, but rather, was the victim of a simple burglary.
However, with no security attributable to the data on the laptop, the
possibility for fraud becomes a high-value alternative to just selling
the device.
This event speaks to a wider information security problem. Organizations
often 1) cannot distinguish whether data are sensitive or not, 2) do not
know where their sensitive data reside, 3) do not enforce security
policies around those sensitive data, and 4) are not able to prove
compliance with those policies.
In this breach, the data in question may have been exported from a
database. While the database itself was probably “locked down” with all
of the appropriate access controls, once the names and Social Security
numbers are exported into a file, the controls associated with the
database become irrelevant. An Excel spreadsheet, for example, could be
stored or moved anywhere: on an insecure file share, employee laptop, or
e-mailed outside of the organization. Sensitive data such as these often
propagate throughout (and beyond) a network as they are saved,
replicated, accessed, e-mailed, manipulated, and resaved. Moreover, as
the file moves and is saved in various locations, the organization has
no knowledge of what information is contained therein, and whether it is
sensitive.
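The first two problems named above, not knowing whether a file is sensitive and not knowing where such files reside, are the kind of thing an organization can start checking mechanically once data have been exported out of a database. The following is an added example, written for this page and not drawn from the testimony or from any EMC product: a small scanner that looks for Social Security numbers in a flat-file export, applies the Social Security Administration's structural rules (area 000, 666 and 900-999, group 00 and serial 0000 are never issued) to cut false positives, and labels each file it is given. The sample export, the file paths, and the "high"/"medium" confidence levels are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample: what a database export of veteran records might look like
# once it has left the database and landed in a flat file. Example data only.
SAMPLE_EXPORT = """name,ssn,dob,notes
Jane Doe,219-09-1234,1970-01-01,claim pending
John Roe,000-12-3456,1962-03-04,invalid area number should be ignored
Pat Lee,666-45-6789,1955-07-22,also invalid area
Sam Kim,219091235,1981-11-30,unformatted nine digits
Invoice,2024-11-0001,,not an SSN
Helpdesk,800-555-0199,,phone number not an SSN
"""

# Dashed form (high confidence) and a bare nine-digit run (medium confidence:
# phone numbers and record identifiers also look like this).
SSN_FORMATTED = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")
SSN_BARE = re.compile(r"(?<!\d)(\d{3})(\d{2})(\d{4})(?!\d)")


def is_plausible_ssn(area, group, serial):
    """Reject values the SSA never issues: area 000, 666, 900-999;
    group 00; serial 0000."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    if g == 0 or s == 0:
        return False
    return True


@dataclass
class Finding:
    line: int          # line number inside the file
    confidence: str    # "high" (dashed) or "medium" (bare digits)
    masked: str        # never carry the full value into a report


def mask(area, group, serial):
    return f"***-**-{serial}"


def scan_text(text):
    """Return every plausible SSN in the text, with location and masked value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in SSN_FORMATTED.finditer(line):
            if is_plausible_ssn(*m.groups()):
                findings.append(Finding(lineno, "high", mask(*m.groups())))
        for m in SSN_BARE.finditer(line):
            if is_plausible_ssn(*m.groups()):
                findings.append(Finding(lineno, "medium", mask(*m.groups())))
    return findings


def classify(text):
    """Label a file: 'sensitive' on a confident hit, 'review' on a weak one,
    otherwise 'public'."""
    found = scan_text(text)
    if any(f.confidence == "high" for f in found):
        return "sensitive"
    if found:
        return "review"
    return "public"


def inventory(files):
    """Map each path to its label; `files` is {path: contents}. In a real
    deployment the contents would be read from file shares and laptops."""
    return {path: classify(contents) for path, contents in files.items()}


if __name__ == "__main__":
    for f in scan_text(SAMPLE_EXPORT):
        print(f"line {f.line}: {f.masked} ({f.confidence})")
    print(inventory({"shares/hr/export.csv": SAMPLE_EXPORT,
                     "shares/public/readme.txt": "Welcome to the portal."}))
```

The masking matters as much as the matching: a discovery report that copies the full numbers into yet another file has just created one more location the organization has to track. The "medium" class exists because nine bare digits are ambiguous; a production scanner would use nearby column headers or keywords ("ssn", "social") to promote or dismiss those hits.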
While the VA has a security policy that forbids sensitive data from
leaving the premises, the policy was unenforceable. Similarly, many
commercial organizations have reams of paper-based business and security
policies that rarely see the light of day. Not only are they rarely
enforced in some automated fashion, but they are often not effectively
communicated to an organization’s employee base.
Finally, many organizations do not have a way to prove compliance with
the policies they have established. This is detrimental for two reasons:
1) policy violations are not detectable in real time to enable
corrective action; and 2) they are not able to demonstrate (to internal
or external auditors) the effectiveness of the security in place.
Thus, how do we solve the problem of protecting data as opposed to
protecting the IT infrastructure? The solution to this problem lies in
people, processes, and technology, where technology is actually the
minor piece. It is important to note that there is no single
solution or technology “silver bullet”, and to prescribe one would be a
mistake.
There must be a fundamental shift in our approach to information
security. The focus—rather than being “perimeter” or “network” centric,
should be “information” centric. It should aim to secure the data
themselves. To accomplish this, organizations must start by assessing
the security of their data. They must understand and define what
constitutes sensitive data, where those data reside, and how those data
are being used.
Second, organizations should create policies for the storage, access,
and use of those sensitive data. The organization is then able to employ
the appropriate mechanisms to enforce those policies at the data level
by leveraging technologies that enable “Data Element Rights Management,”
which grants or denies access and use privileges (who can see it, when
it can be seen, where it can be seen, if it can be copied, printed,
forwarded, and when access should be revoked or expired) based on the
policy assigned to the specific data. Thus, the sensitive data are
protected at the point of access, whether that is inside the office on
the corporate network or on a laptop at home.
Finally, organizations should be able to enforce and prove that they are
in compliance with those policies at any time by leveraging automated
technologies that provide an audit trail of authorized data access, or
attempted unauthorized data access. This has the dual effect of enabling
organizations to detect policy violations on a real-time basis for
remediation purposes, as well as to prove that the security they have in
place is effective.
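The three steps just described (define what is sensitive, attach a policy to it, enforce and audit at the point of access) are concrete enough to sketch in code. The following is an added example for this page; it is not EMC's "Data Element Rights Management" product nor the VA's own system, and the role names, labels, locations and policy vocabulary are assumptions made up for the illustration. Each request is checked against the policy bound to the data's label rather than to the database or network it came from, unknown labels are denied by default, every decision is written to an audit trail, and a report summarises allowed and denied access so that violations can be acted on and effectiveness shown to an auditor.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone

UTC = timezone.utc


# Rights attached to a data label (assumed vocabulary for this example).
@dataclass(frozen=True)
class Policy:
    label: str
    roles: frozenset        # who may touch the data
    actions: frozenset      # view / copy / print / forward
    locations: frozenset    # where it may be used
    hours: tuple            # (first_hour, last_hour_exclusive), UTC
    expires: datetime       # after this instant every request is denied


@dataclass(frozen=True)
class Request:
    user: str
    role: str
    action: str
    location: str
    label: str
    at: datetime


POLICIES = {
    "veteran-pii": Policy(
        "veteran-pii",
        roles=frozenset({"claims-adjudicator"}),
        actions=frozenset({"view"}),            # no copy, print or forward
        locations=frozenset({"office"}),        # not on a laptop at home
        hours=(7, 19),
        expires=datetime(2006, 12, 31, tzinfo=UTC),
    ),
    "public": Policy(
        "public",
        roles=frozenset({"claims-adjudicator", "contractor"}),
        actions=frozenset({"view", "copy", "print", "forward"}),
        locations=frozenset({"office", "home", "vpn"}),
        hours=(0, 24),
        expires=datetime(2099, 1, 1, tzinfo=UTC),
    ),
}


def decide(req, audit, policies=POLICIES):
    """Evaluate one request against the policy for its data label.
    Default-deny: a label with no policy is treated as unreleasable.
    Every decision, allowed or denied, is appended to the audit trail."""
    policy = policies.get(req.label)
    reasons = []
    if policy is None:
        reasons.append("no policy for label")
    else:
        if req.at >= policy.expires:
            reasons.append("access expired")
        if req.role not in policy.roles:
            reasons.append("role not permitted")
        if req.action not in policy.actions:
            reasons.append(f"action {req.action!r} not permitted")
        if req.location not in policy.locations:
            reasons.append(f"location {req.location!r} not permitted")
        first, last = policy.hours
        if not first <= req.at.hour < last:
            reasons.append("outside permitted hours")
    decision = "allow" if not reasons else "deny"
    audit.append({
        "at": req.at.isoformat(), "user": req.user, "role": req.role,
        "label": req.label, "action": req.action, "location": req.location,
        "decision": decision, "reasons": tuple(reasons),
    })
    return decision, reasons


def compliance_report(audit):
    """Summarise the trail: what was allowed, what was denied, and why."""
    denied = [e for e in audit if e["decision"] == "deny"]
    by_reason = Counter(r for e in denied for r in e["reasons"])
    return {"total": len(audit), "allowed": len(audit) - len(denied),
            "denied": len(denied), "by_reason": dict(by_reason),
            "violations": denied}


def run_scenarios():
    """Constructed requests: an in-office view, an attempted copy, a
    contractor on a laptop at home, a request after expiry, a harmless
    public forward, and a file nobody ever classified."""
    audit = []
    ok = datetime(2006, 5, 25, 14, 0, tzinfo=UTC)
    late = datetime(2007, 1, 15, 14, 0, tzinfo=UTC)
    requests = [
        Request("adjudicator1", "claims-adjudicator", "view", "office", "veteran-pii", ok),
        Request("adjudicator1", "claims-adjudicator", "copy", "office", "veteran-pii", ok),
        Request("contractor7", "contractor", "view", "home", "veteran-pii", ok),
        Request("adjudicator1", "claims-adjudicator", "view", "office", "veteran-pii", late),
        Request("contractor7", "contractor", "forward", "home", "public", ok),
        Request("intern2", "contractor", "view", "office", "unlabelled-export", ok),
    ]
    decisions = [decide(r, audit)[0] for r in requests]
    return decisions, compliance_report(audit)


if __name__ == "__main__":
    decisions, report = run_scenarios()
    print(decisions)
    for v in report["violations"]:
        print(v["user"], v["action"], v["label"], v["reasons"])
```

Two design points are worth noting. The check collects every failed condition rather than stopping at the first, so the audit record explains the whole violation (a contractor at home fails on both role and location) and the report can rank which policy terms are being tripped most often. And the unlabelled file is denied outright: an export that was never classified is exactly the spreadsheet the testimony describes, and an enforcement point that lets it through because "no rule matched" has silently recreated the perimeter-only model.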
Information security need not be the equivalent of boiling the ocean.
Within the majority of Federal agencies, the IT infrastructure that
supports the enterprise is often highly decentralized and stove-piped.
The VA has more than twenty-five separate data centers, which
historically have operated under various levels of decentralized
management and control. With this degree of decentralization and
disparate IT systems, our experience indicates that any comprehensive
approach to data security methodology or technology will be exceedingly
difficult to effectively implement.
Mr. Chairman, you have been at the forefront of this issue for the past
several years, working to empower the CIO of the VA by providing him
with centralized authority over IT personnel, IT management, and IT
investment across the Department. As a result of your efforts, the
Office of the CIO is finally empowered to develop, plan, and budget for
a major data processing center consolidation initiative that would
significantly consolidate the VA’s existing decentralized IT
infrastructure. This initiative should not only be maintained, it should
be accelerated. Significant steps can immediately be taken to reduce the
data security threat within the VA; however, given the magnitude of the
VA IT enterprise, only after an aggressive consolidation initiative
would the Department realistically be in position to perform a high
quality information assessment, develop comprehensive security strategy
and policy, as well as implement the necessary technology, methodology,
and automated enforcement controls to achieve comprehensive information
security across the enterprise.
An information-centric approach must be supported not only by
technology, but more importantly, by people and processes. Organizations
should assess the security of their information by classifying data and
understanding where those data reside, document and communicate their
security policies clearly, enforce the policies appropriately, remediate
violations to the policies swiftly, and prove compliance quickly and
easily.
This problem is big and the Department of Veterans Affairs is not alone.
Today, there exist thousands of technologies that address security. We
believe that the plethora of vendors and point products on the market is
confusing to security buyers and implementers. Some basic principles of
IT best practices – consolidation, standardization, centralized
management and control, and the classification of data and systems based
on their sensitivity and mission criticality – make this endeavor
significantly more feasible. In short, security must become
information-centric.
Mr. Chairman, thank you for the opportunity to testify before your
Committee. I look forward to your questions and those of the Committee.
[1] Source: The Ponemon Institute, 2006
[2] Source: The Gartner Group, 2006
[3] Source: The Enterprise Strategy Group, 2006
[4] Source: IDC, 2006
[5] Source: The Gartner Group, 2006