Earlier this month, the Treasury Department's Inspector General reported how the IRS had made slow progress in securing its computers. There were many factors at play, among them poor management. But it seems to me that a bigger factor was the sheer size of what the IRS was trying to protect. AlertBoot's own managed encryption service could have helped, although I'm not sure if it would have made a dent in the overall progress.
The problem facing the IRS is gargantuan, to say the least. They are trying to secure 98,000 computers, both desktops and laptops, in 670 facilities nationwide. Just trying to secure 98,000 computers is a gigantic endeavor in itself, never mind having these computers dispersed all over the place.
Now, if the IRS was just trying to install hard disk encryption on their computers (one of the requirements the IRS faced), it would have been a piece of cake with encryption as a service.
Centrally-managed encryption by AlertBoot, for example, uses the Internet to distribute the encryption installers. All the end user/government employee has to do is download it and go through the registration process to receive a username and password, a 5-minute process (not dissimilar to signing up for Gmail).
Since the end user is ultimately in charge of the installation, the (comparatively) diminutive IT staff isn't extended in its duties, nor is there a situation where IT staff have to travel to 600-plus locations (or have computers sent to the IT department from 600-plus locations, a whole different ballgame).
Also, since IT staff are not actually implementing encryption software themselves, a powerful set of security audit reports allows administrators to keep track of which computers are protected--and more importantly, which ones are not. The latter is used to follow up with non-compliant employees.
However, the IRS had other stuff to do as well.
For example, the IRS ultimately decided to implement 254 security settings. Per computer. I figure that by "settings," they're referring not just to actual settings like screen savers that lock out a user and firewall settings, but also to other adjustments like the use of encryption, disabling USB ports, and myriads of other modifications for better data security.
Plus, they also had to test each and every piece of software that was ever created for them--we're talking specialized software only used by the IRS.
I'm not sure how long the project was supposed to take, but I imagine that with the above conditions, whatever deadline they set up would probably not have been enough.
Related Articles and Sites:
http://fcw.com/articles/2009/04/06/web-irs-security-settings.aspx
http://www.treas.gov/tigta/auditreports/2009reports/200920055fr.html
http://www.webcpa.com/news/31244-1.html
http://www.nextgov.com/nextgov/ng_20090406_2265.php