NASA To Encrypt All of Its Laptops

pev writes "After losing another laptop containing personal information, NASA wants to have all of its laptops encrypted within a month's time with an intermediate ban on laptops containing sensitive information leaving its facilities. Between April 2009 and April 2011 it lost or had stolen 48 'mobile computing devices.' I wonder how long it will be before other large organizations start following suit as a sensible precaution?"

i don't understand...

[wbr1]

Why is this not done already? Between truecrypt and (ack) bitlocker,it s relatively easy. Add in a robust backup system, which any organization should have already, and it is cheap and fairly easy to implement.

truecrypt

[X0563511]

For the lazy it does the job well. No need spend budget on it.

AAARRRRGHHH

[MrLint]

NONONNONONONO

This is not how you deal with an incident like this. You have to reexamine your infrastructure and find out *why* that info was on an endpoint to begin with. This is teh same BS kneejerk reaction that makes for bad IT planning. Just go and wallpaper of it with a band-aid and look all betterer.

HULK SMASH!!!!

Re:i don't understand...

[TechyImmigrant]

>Yep, you've got to have a documented practice to keep track of the recovery keys encryption programs generate.

No. I work in a big corp. If I die, my FDE password dies with me and the data is gone. Real data is held on servers and managed. A PC is just an access device.

Re:They waited this long because?

[Culture20]

Resources == salaries. Do you pay two IT guys or an engineer/scientist?

Re:They waited this long because?

[NumenMaster]

Funny enough right? How is it not STANDARD practice? I work for a really small state agency and that's the FIRST thing we do after imaging our laptops. It's been our policy for years. I'm so awestruck at the news.

Re:They waited this long because?

[geekoid]

They have a finite pool of money. Putting something in IT takes money from the finite pool.
The poster is correct, ti's about priorities.
Since that vast majority of information NASA has is useless to anyone not in a space agency, it seems this was a good priority of limited funds.

Re:They waited this long because?

[Anonymous Coward]

Because encrypting data is like putting it in a black hole, from which it might never return. If you lose your password, THAT'S IT! GONE!

For a technically competant user base, like (i'd like to assume) NASA employees probably are, go for it!

But for people who struggle with Microsoft Word and basic e-mail? Well... uh... let's just say an organization might want to perform an analysis of how many times their employees call in for password resets. There will likely be a strong correlation between data loss and password resets.

Sure, the data might not fall into the wrong hands anymore, but with statistics for every lost laptop, add ON TOP OF THAT data that's effectively destroyed by users getting locked out of their own encryption. That could ALSO be very costly in terms of lost man-hours, and possibly an unnecessary risk depending on how much sesnsitive data you REALLY deal with.

Re:They waited this long because?

[luis_a_espinal]

This is not a new policy. The implementation of full disk encryption has been underway for some time. We are doing laptops first, then desktops. The current fire drill is because a laptop with PII was stolen at NASA HQ and it was one that had not yet had full disk encryption installed.

NASA IT staff are as overworked and under appreciated as anywhere. If NASA had wanted full disk encryption done sooner, they could have added the resources to make it happen. And that would have taken resources from missions, like Curiosity and the James Webb telescope. It's all about priorities.

But therein lies the problem. It should not be underway for some time. It should have been in place as an iron-fist de-factor rule a long time ago.

I sympathize with you and the other IT folks. Underfunded and under appreciated IT and dev folks alike. It is shitty, and I know what it's like (been there, don't that.) But, to not have laptops encrypted? To furnish unencrypted laptops? There is some serious break-ups there man. Why? Because, however overworked your team might be, I have a hard time believing that IT will furnish an un-imaged laptop, as-is from the vendor/supplier, to the user. I'm sure IT images the laptops, so it stands to reason that the imaging will include encryption.

If the laptops are being furnished as-is from the vendors, that's a fuck-up.

If the laptops do get imaged, but do not get encryption, that's also a fuck-up.

Any government agency has some type of security and information assurance program and guidelines. And in them, encryption of laptops must be there somewhere. If that is the case, then it is a IT fuck-up. If it is not, then it is a IA fuck-up.

I'm not necessarily blaming you or any specific IT person, but this is a serious crap-o-lah that goes against what is pretty much standard practice with any agency or defense contractor (I work for one), or even for commercial companies. It's simply crazy.

Comment removed

[account_deleted]

Comment removed based on user account deletion