EDS again

Today EDS stands for Even more Data Stolen, or maybe Encrypt Data, Stupid!

See http://news.bbc.co.uk/1/hi/uk/7662604.stm

An investigation is under way into the disappearance of a computer hard drive containing the personal details of about 100,000 of the Armed Forces.

The information was being held by EDS, which is the Ministry of Defence’s main IT contractor.

The MoD said the portable hard drive went missing on Wednesday during a priority audit carried out by EDS…. It is understood the drive was not encrypted.

As Oscar Wilde might have said, “To lose one unencrypted disk may be regarded as a misfortune; to lose two looks like carelessness”, or something like that.
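The detail that matters in the BBC report is "the drive was not encrypted". The one check a practitioner would want before any portable drive leaves the building is whether the volume actually carries a recognisable full-disk-encryption header. The script below is an added example written for this page, not code from the original post or from EDS or the MoD. It reads the first sector of a partition or image and matches the documented on-disk signatures of LUKS (magic at offset 0, then a big-endian version) and of BitLocker, NTFS and exFAT (OEM name at offset 3 of the boot sector). The sample sectors are constructed inline so it runs offline; the device path in the comments is an assumed example.

```python
"""Added example: recognise full-disk-encryption headers on a volume.

Sample sectors are constructed below (not captured from real media). Real use
would call scan_device("/dev/sdb1") on a partition (assumed path, needs root).
"""
import struct
from typing import Dict

SECTOR = 512

# Documented on-disk signatures:
#  - LUKS1 and LUKS2 start the partition with "LUKS\xba\xbe" followed by a
#    big-endian 16-bit header version (1 or 2).
#  - BitLocker, NTFS and exFAT boot sectors carry an OEM name at offset 3.
LUKS_MAGIC = b"LUKS\xba\xbe"
OEM_NAMES: Dict[bytes, str] = {
    b"-FVE-FS-": "bitlocker",
    b"NTFS    ": "ntfs (plaintext)",
    b"EXFAT   ": "exfat (plaintext)",
}
ENCRYPTED = {"luks1", "luks2", "bitlocker"}


def classify(sector: bytes) -> str:
    """Classify a volume by the signature in its first sector."""
    if len(sector) < SECTOR:
        raise ValueError("need at least one 512-byte sector")
    if sector.startswith(LUKS_MAGIC):
        version = struct.unpack(">H", sector[6:8])[0]
        return f"luks{version}"
    oem = sector[3:11]
    return OEM_NAMES.get(oem, "unknown")


def is_encrypted(sector: bytes) -> bool:
    """True only for a header positively recognised as encrypted.

    'unknown' is NOT proof of plaintext: headerless designs (VeraCrypt volumes,
    for instance) look like random bytes here, and a plain filesystem missing
    from OEM_NAMES is also 'unknown'. Treat anything outside ENCRYPTED as a
    finding to investigate, never as a pass.
    """
    return classify(sector) in ENCRYPTED


def scan_device(path: str) -> str:
    """Read the first sector of a device or image file and classify it."""
    with open(path, "rb") as fh:
        return classify(fh.read(SECTOR))


def _sector(prefix: bytes) -> bytes:
    """Constructed sample: pad a header prefix to one full sector."""
    return prefix + bytes(SECTOR - len(prefix))


# Constructed sample sectors (not captured from real media).
SAMPLE_LUKS2 = _sector(LUKS_MAGIC + struct.pack(">H", 2))
SAMPLE_BITLOCKER = _sector(b"\xeb\x58\x90" + b"-FVE-FS-")
SAMPLE_NTFS = _sector(b"\xeb\x52\x90" + b"NTFS    ")
SAMPLE_HEADERLESS = _sector(b"\x8f\x11\xc4\x02\x7a" * 20)  # could be anything

if __name__ == "__main__":
    for name, sec in [("luks2", SAMPLE_LUKS2), ("bitlocker", SAMPLE_BITLOCKER),
                      ("ntfs", SAMPLE_NTFS), ("headerless", SAMPLE_HEADERLESS)]:
        print(f"{name:10s} -> {classify(sec):18s} encrypted={is_encrypted(sec)}")
```

Two caveats for real use. First, scan partitions rather than the raw disk: a LUKS header sits at the start of the partition, so the first sector of the whole device holds a partition table and will classify as "unknown". Second, a hardware self-encrypting drive presents a plaintext filesystem to the host once unlocked, so this check will happily report "ntfs (plaintext)" for it; host-side header inspection cannot tell you whether the drive firmware encrypts at rest.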


Oh dear. I would love to ask the MoD why 100,000 records are on a portable device. Even when encrypted, portable devices are such a risk you would have thought they would at least limit the amount of records that could be put on them (i.e. not over 50% of the records for your active force). To be honest, this is a nightmare for the protection of critical infrastructure, and current/future British Armed Forces operations. 10,000 council records listing names, addresses and DOBs is one thing (anyone savvy enough could easily get that information using social networking and the electoral roll), but the names, addresses, DOBs, bank, passport and driving licence details of active personnel is something completely different. I can't imagine EDS getting away with this one, but even so, some heads in the MoD have got to roll too. Let's just hope an EDS engineer half-inched it, wiped it, and chucked it on eBay. Still, might be worth everyone in the forces brushing up on their PERSEC. You never know who might have just got their hands on your records!

Once again, this announcement will act as another wake-up call to the Government and all holders of personal data. The security technology and processes currently in place clearly do not protect against human error or malice, so the public sector needs to start following enterprise’s example for its security provisioning. This announcement highlights the importance of sub-contractors and outsourced partners implementing the same due diligence, audit and governance procedures that are in place within the four walls of corporate and government establishments. In essence, when a third party is beholden to another’s precious assets, be it data, knowledge or both, then that asset should be scrutinised in terms of its integrity to an even higher than normal standard. To negate such security losses, laptops and PCs should have full hardware disk encryption, which allows data to be encrypted at the hardware level, giving always-on data encryption and full protection even if the hard drive itself is stolen. However, the need for security in the IT infrastructure is becoming more and more pervasive, encompassing the entire network and the appliances that are attached to it. Therefore, data encryption at appliance level (e.g. PCs) is important, but there is an increasing number of appliances (e.g. mobile telephones, PDAs, BlackBerrys, virtualised solutions) accessing the network that must also be secured. Encryption, authentication and access control are especially key for these technologies, as is the encryption of the data as it travels across the network and the data protection within server, storage and SAN environments. As another viable security solution against leaks and breaches in the future, the Government should explore virtualised computing solutions that allow laptops to act purely as ‘dumb terminals’ where all the data is stored centrally. Therefore, if a laptop is lost or stolen, important data is not able to get into the wrong hands.

Authentication and verification are continuing to become much more sophisticated, and NEC is at the forefront of such developments using a range of multi-modal approaches, such as presence-based access control (e.g. NFC, RFID, and chip & PIN) alongside biometric security (fingerprint, facial and eye recognition), which will become increasingly important in the years ahead. Ultimately, human error, disclosure or malice continue to be the biggest threats to data security, so if the Government is to avoid the negative headlines we have recently seen, they should be looking to deploy the personalised, multi-modal solutions that we would expect from Government levels of security. However, even with the best security in the world, processes and procedures need to be in place to manage human error.

Why is everyone wasting their time commenting on hearsay and slow-news-day press? There is no indication from the MOD or EDS that this hard disc contains any information at all. There are only one or two systems integrators large and capable enough to handle immensely complex government implementations and change programmes, and EDS is one of them. Maybe we should give EDS a break; let's report on the 99% of things they do right. Sorry, that's not interesting news, is it? All system integrators lose equipment down to human nature; if we were to cancel all of their contracts there wouldn't be any demand for Computer Weekly. Why bite the hand that feeds you?

It's a great point Richard, and I suppose one could say the same about most of what's in the media in general. The point of this blog is to try to generate some discussion on the challenges of managing Information Security. Here we have an organisation that is having some very public issues and I think that's a worthy topic for this blog. Here's the irony though. Those few lines on Friday, approximately 3 lines of sarcasm from me and the rest cut and pasted from the BBC website, generated 3 times as many hits as I'd expect to get on a normal day when I try to discuss more general topics relating to the challenges of InfoSec. Now, I'm not doing this for the page view counts (and I'm not a journalist working for Computer Weekly either; I have a day job as Director of Information Security, and the blog is my idea of something fun to do in my spare time) but frustratingly, there are more out there who would rather read about the ills of EDS. There but for the grace of God go the rest of us too!

Stuart, I agree with your sentiments. What needs to be focussed on is a zero tolerance of removable media. There are numerous ways of transfer including secure FTP etc. which are perfectly acceptable. Having worked on a number of central government IT projects, processes are in place; however, the communication and enforcement of them sometimes lacks. Large projects of this nature can have hundreds of staff employed in sometimes disparate locations, and coupled with human nature things sometimes slip. Not an excuse but unfortunately reality. On a wider note, large SIs and the government should work much more closely. Instead we often have a master-slave relationship rather than one of partnership in achieving joint targets and goals. Delivering a service by throwing it over the fence doesn't work; neither does, as with most government projects, giving a supplier immovable go-live dates without even discussing scope. We focus too much on getting something live by a certain date to avoid hitting the front pages. Which is more costly, front-page headlines or a disastrous implementation due to unrealistic timescales, reduced testing and inability to handle and implement management of change?

I would like to further comment on Richard's point regarding zero tolerance of removable media. I wholeheartedly agree that there is too much of this stuff out there and other more efficient data transfer mechanisms should be explored. In the MOD there seems to be a culture of: he's got one so I want one too! This can range from USB sticks to PDAs and BlackBerrys. However, is there a requirement for every user in a business or organisation to possess any of these devices? I think the answer is probably no. But who is at fault? The user for having the audacity to ask for a 16GB USB stick? Or the organisation for not controlling the amount of removable media it issues? As many other commentators have previously said, the issue is not so much a technical one, rather a need for cultural change. As part of this process, of course, security training and awareness programmes are a must. However, more important in my opinion is the requirement to make users responsible for the data they process. By taking ownership they may be more alert to the threats that exist and take measures to better protect important and sensitive information.