Bank loses tapes with data on 4.5M clients

Connecticut AG blasts BNY Mellon for failing to notify victims for three months

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9091318&source=NLT_PM&nlid=8

May 30, 2008 (Computerworld) Bank of New York Mellon Corp. officials last week confirmed that a box of unencrypted data storage tapes holding personal information of more than 4.5 million individuals was lost more than three months ago by a third-party vendor during transport to an off-site facility.

Can you believe it?  This has to stop!  How can we have faith in any organization that cannot protect our personal information??  The scary part is that these disclosures always come in groups.  What's next?  Of course it's easy to criticize someone else's mistakes, but how do we put a stop to this?  If you don't know by now, Microsoft has a backup solution that allows you to encrypt tapes, and we have a solution to encrypt the hard drives on mobile machines and servers.  We've been able to provide encryption solutions for a very long time.  The technology has been available for a while.  There are plenty of other companies that can also encrypt your hard drives and your data.  It's not about encryption, it's about process.  People, Process, and Technology... Remember all three.  The technology exists, but we need to educate the people and we need to define clear process! 

You don't know how many times I've heard "We need encryption".  What does that mean?  There's more to it than just encryption; we need to understand what needs to be encrypted and why.  What data is important and what data is not?  I'm not trying to throw sand in the gears of progress, but we need People to think about what needs to be protected.  Once we define what needs to be protected, then we need to define Process to ensure that we can consistently encrypt that information without adding additional burden to the business.  If encryption is deployed the right way, only the users that have no business accessing your data will encounter encryption problems.  Encryption can truly be seamless to your users.  Yes, I said it!  Encryption can and should be something that your users do not "have problems" with.  EFS and BitLocker can be deployed with no user knowledge at all!  RMS can also be seamless in conjunction with SharePoint, but it is also OK for the users to know they are encrypting data.  It's hard to automate everything that should be encrypted.  We still need users with common sense to make decisions on what is and what is not worthy of encryption.

Remember, we have always had the ability to lock our data down so tightly that the business can never disclose it, but the business also has to be able to use the data or it will be worthless.  There must be a reasonable balance between securing the data and being able to use it.  That's the trick.  As you start investigating the plan to encrypt your data, please keep this in mind.  What is your tolerance for risk vs. agility?  There is a very secure happy medium, and it's not hard to find if you'll spend some time understanding your data and how it needs to be used and protected.

I'll talk more about the solutions we offer, from encryption of your data while in transit (RMS) to the encryption of your data stored on a file server (EFS), to full drive encryption with BitLocker.  BitLocker is part of Windows Vista and Server 2008.  BitLocker allows you to encrypt the hard drives on your computers or servers.  If your hard drives are lost or stolen, the data cannot be recovered or compromised.

My point isn't to say that you must deploy RMS, EFS or BitLocker tomorrow, but if you have not had the data encryption discussions yet, please start those tomorrow!  Do it in phases...  If you have sensitive data on your servers that only a few people should have access to, EFS might be a quick and easy first step.  We even have a Solution Accelerator for mobile PCs that discusses encryption with EFS and BitLocker.  Please check out our Data Encryption Toolkit for Mobile PCs; it will get you started.  Just as an FYI, I run Windows Vista on both of my tablets and both use BitLocker to encrypt their hard drives.  BitLocker is totally transparent to me as an end user, very easy for me to implement (as a user or admin), and gives me 100% recovery if I have a computer failure.  Of course, if my hard drive fails, my data is just as lost on a drive encrypted with BitLocker as it is on a drive without BitLocker.

For those hard drives that "partially" fail, we offer tools that will let you recover data off of drives encrypted with BitLocker.  The process is very straightforward and very secure, so please don't let that hold you back.  If you have questions, ping me; I'm happy to help with BitLocker and your encryption discussions.

Until next time!

Rob

Published Monday, June 02, 2008 9:32 PM by rwagg

Comments

# Setting up a Computer to use BitLocker Drive Encryption

Now that we've talked about "What is BitLocker", let's talk about how you set it

Wednesday, June 25, 2008 1:34 PM by Rob Waggoner

# Wards didn't tell customers about breach

Hackers captured at least 51,000 credit card numbers www.msnbc.msn.com/.../25415152 </Rant

Monday, June 30, 2008 5:45 PM by Rob Waggoner
