Monday, December 15, 2008

State and Local Governments Tackle Security Projects

By Ellen Messmer, Network World, 12/15/2008

State and local governments around the country are worrying as much as any business enterprise about protecting the sensitive data they hold, based on a look at security projects in places such as Arizona, Indiana and Florida.

Arizona's government last year decided to create state-level positions for both CISO and chief privacy officer (CPO), after the Federal Trade Commission ranked Arizona first among all states in identity theft, though the exact reason wasn't cited by the FTC. After the state passed legislation for more oversight, David VanderNaalt, named CISO, began working with Mary Beth Joublanc, the state's CPO, in the newly created Statewide Information Security & Privacy Office at the Statewide Information Technology Agency.

"This is an oversight agency," says VanderNaalt, formerly CISO for the City of New York for eight years and a witness to the Sept. 11 attacks.

VanderNaalt and Joublanc report directly to Arizona's governor, among others, about whether dozens of state agencies are complying with state legislation requiring agencies to report security incidents.

"In my role I see we have 100 different business models," VanderNaalt says about Arizona's dozens of agencies and their departmental activities. While many agencies collect data about security incidents, there needs to be a centralized way to automate collection from technical sources in addition to manual reports, he says.

Just last month, for example, to comply with state law, Arizona's Department of Economic Security had to notify the families of about 40,000 children that their personal data may have been compromised following the theft of hard drives from a facility where they were stored.

VanderNaalt says one approach he's testing at the agencies to report and track incidents statewide is a tool from Agiliance called RiskVision, though he adds that when it comes to identity theft, the private sector is likely to be at least as big a source of the problem.

But the purpose of the statewide office on security and privacy is to tackle wider concerns, too, including major online attacks, in order to respond with as complete a picture as Arizona's government can muster.

To do that, VanderNaalt knows he needs the trust of Arizona's employees.

"We're trying to position ourselves that reporting is a good thing, and you will get help," VanderNaalt says. The state oversight agency will also be conducting assessments of agency practices and technologies with an eye toward identifying statewide approaches to safeguarding security and privacy of data.

Securing Indiana

Indiana has already adopted a centralized approach in IT and security and it appears to be working well, according to Paul Baltzell, director of distributed services. His department is responsible for desktops used across the agencies.

Four years ago, Gov. Mitch Daniels, annoyed that even the state's e-mail systems weren't fully connected (although its state WAN was), made the decision that there should be a state-level CIO office defining infrastructure requirements, including security policies.

Indiana's IT centralization effort has had some pushback, Baltzell acknowledges, noting that it resulted in about a 40% staff reduction in some IT function areas.

But by centralizing, the state government now benefits from volume discounts in IT acquisitions, including in security procurements, Baltzell says.

As part of a recent state-level acquisition of McAfee antivirus, intrusion-prevention and other security gear, Indiana also licensed McAfee's Endpoint Encryption software (based on McAfee's acquisition of SafeBoot), which it's deploying on about 10,000 laptops and other mobile devices.

"One bad security breach and you've lost all credibility," Baltzell says, adding that trying to achieve this wide a rollout of desktop encryption would have been much more difficult without a centralized statewide mandate.

Baltzell also says he's enjoying success with Intel's vPro, now used inside 6,000 of Indiana's state-agency desktops, for remote management of them "even if it's blue-screened."

"We have offices all over the state, and my techs have to get in the car if they can't fix something remotely," Baltzell says. Intel's vPro has greatly simplified remote management for Indiana employees and Baltzell hopes security vendors will work with Intel to explore some of the potential it offers in malware defense.

Security at the local level

Local city governments also take on ambitious security projects and find it can be a substantial effort to put in place centrally mandated IT governance policies just for city agencies.

"A key one we had is software installation and computer-use policy spelling out the rules of engagement," says Nelson Martinez, systems support manager for the City of Miami Beach municipal government in Florida, which has about 2,000 employees using computers.

Establishing a citywide computer-use policy entailed meeting individually not only with city agencies themselves but also with five unions and their lawyers, including the police and fire unions, to discuss the policy and how violations would be handled. "It all went faster than I thought it would," Martinez says, noting each group voiced issues about how reprimands or punishments might be applied. In the end, it was made clear that while the IT department might be providing information about blatant violations of IT policy — for instance, "no chat, no instant messaging, no adding in unofficial software except with permission" — it's up to high-level city management to handle the repercussions, he says.

For endpoint enforcement on almost 2,000 employee computers, the city is using eEye Digital's Blink, which prevents malware from executing and blocks unauthorized applications. "I'm trying to keep them out of trouble," Martinez says. "People are always trying to test the boundaries."

Martinez says one of the most ambitious projects the city is undertaking now is single sign-on authentication using fingerprint biometrics, in order to attain a higher security level than simple passwords.

The project makes use of Imprivata's single sign-on appliance, Microsoft Active Directory and UPEK scanners, and is starting with 150 city personnel, including the city's directors and those in law enforcement and emergency response.

Biometrics is important "because it all comes back to security," Martinez says. "You can use complex passwords, but you will have people writing sticky notes."
