Sunday, 11 March 2007

Addressing Data Security.

OK, let's get out of the transaction for a moment and concentrate on the data itself.
I'm assuming the data is available because the network is in place and the users are all able to authenticate. So what do I need to do to make sure my data is secure?
Encrypt it, right?

Well, yes, good start. If I encrypt my data though, what am I really doing? Encrypted data is safe from people without logical access to it, that is correct. What if I have logical access and no decryption key though? The sad fact is that even the strongest encryption methods can be broken given enough time. This might take 10 years compared to 1 minute, but if you've got 10 years and the information is valuable enough to you, you'd do it, wouldn't you?

With RSA SecurID, the number you type in changes every minute or so, so if it is ever found out by someone else, it changes before they get the chance to use it. Anyone trying to reverse engineer the algorithm used only has 1 minute to find the answer, which would take even the most powerful computer 8 years to hack. It's perfect security.

With data security we aren't so fortunate: we can't change the encryption algorithm every minute or we wouldn't be able to decrypt the information, so we have to rely on strong authentication and put access controls in place.

The access controls prevent all but the privileged users from getting to the data. Now a logical attacker has no chance of accessing the encrypted data. We still have to be careful of the physical attacker however. Anyone coming in to our storage area, whether it be on a SAN, NAS device or Direct Attached Storage (DAS), can just unplug the disk and walk off with it. He then has 10 years to decrypt as before.

Of course we take care of that with proper physical controls, and for data security we have to assume that these are already in place. (Already the table I drew earlier is looking in need of an update.)

But the logical conclusion for this level of security is for the good guys to be driven bad. We already know that administrators are capable of pretty large breaches; the BoA case proves that. Privileged users can be subject to interviews, asked to sign policy documents, be strongly authenticated, have all their data subject to access controls and encryption, and yet still walk off with it, and no-one may ever find out. In this case, what use are disclosure laws and PCI regulations?

Part of PCI DSS (requirement 10) states that audit trails must be reliable and tamper proof. So what happens when this administrator logs in to view data he is permitted to see, copies it, goes back to the audit trail, which he is also permitted to view, deletes it and goes home? He sells the data and gets away with it, so continues to repeat the process. This is something like what was happening at TJX.

The data needs something else. The audit trails of the data need to be secured in the same way as the data, and they need the integrity to be proved.

We have already established that digital signatures cannot do this. A digital signature can tell me that something has been changed, but not by whom, or when, or what. Some form of monitoring is good, but monitoring systems can be switched off, or in the case of the administrator gone bad, not alert at all.

Integrity of data is a tricky one. It is hard to get straight in your head for a start. Take the case of a CCTV video, for example: there is a tape with a video of me committing a crime on it, and I take the tape and wipe the information from it. If this is digitally signed, I have lost the integrity of the whole video, but when the police come to prove I did the crime, they can't, because the video they had is not only missing my criminal activity, but the certificate proves that it isn't the original file. All we know is that someone has broken into the system. Yes, it was probably me, but you can't prove that.

We need to be able to keep a constant watch on the integrity of the data, as the data is produced, and feed that into an integrity file which is kept with the data. If the data is tampered with, this needs to be matched up with access logs for proof. This is on top of normal access controls and encryption of course, to keep the whole thing safe.

And to top it off, we also need to do the same with those log files. If the logs of the video activity are tampered with, we can't match up the changes with the culprits. Likewise if we are securing logfiles we need to switch on verbose logging of access to the filesystem to catch any access to the logfiles, er, in a log.
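The integrity file described above, the one produced as the data is written and kept beside it, can be built as a hash chain: each entry's digest covers the previous digest plus the record, so a change, deletion or insertion anywhere breaks every digest from that point on and the verifier can report *which* entry is the first to disagree, which a single signature over the whole file cannot. The following is an added example and not code from the original post; the access-log records are constructed sample data, and the function and field names are my own choices.

```python
import hashlib
import json
from typing import Dict, List, Optional, Tuple

# Constructed sample access log (not real data): the records the integrity file protects.
ACCESS_LOG: List[Dict[str, str]] = [
    {"ts": "2007-03-11T09:00:00Z", "user": "dba01", "action": "read",   "object": "cardholder.db"},
    {"ts": "2007-03-11T09:02:10Z", "user": "dba01", "action": "export", "object": "cardholder.db"},
    {"ts": "2007-03-11T09:05:42Z", "user": "dba01", "action": "read",   "object": "audit.log"},
    {"ts": "2007-03-11T09:06:03Z", "user": "dba01", "action": "delete", "object": "audit.log"},
]

GENESIS = "0" * 64  # fixed starting point so the first digest is reproducible


def entry_digest(prev_digest: str, record: Dict[str, str]) -> str:
    """Digest of one entry: SHA-256 over the previous digest and a canonical encoding of the record.
    Binding each entry to its predecessor is what makes deletions and insertions detectable."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_digest.encode() + canonical).hexdigest()


def build_integrity_file(records: List[Dict[str, str]]) -> Dict[str, object]:
    """Produce the integrity file as the data is written: one digest per record plus the chain head."""
    prev = GENESIS
    digests: List[str] = []
    for record in records:
        prev = entry_digest(prev, record)
        digests.append(prev)
    return {"count": len(records), "digests": digests, "head": prev}


def verify(records: List[Dict[str, str]], integrity: Dict[str, object]) -> Tuple[bool, Optional[int]]:
    """Recompute the chain over the data and compare it with the integrity file.
    Returns (True, None) if everything matches, otherwise (False, i) where i is the index of
    the first entry that disagrees: a modified, deleted or inserted record shows up at its own
    position, and a truncated log shows up at the index of the first missing record."""
    prev = GENESIS
    stored: List[str] = integrity["digests"]  # type: ignore[assignment]
    expected_count: int = integrity["count"]  # type: ignore[assignment]
    for i, record in enumerate(records):
        if i >= expected_count:
            return False, i  # records appended beyond what was recorded
        prev = entry_digest(prev, record)
        if prev != stored[i]:
            return False, i
    if len(records) < expected_count:
        return False, len(records)  # tail of the log removed
    return True, None


def tamper_report(records: List[Dict[str, str]], integrity: Dict[str, object]) -> str:
    """Human-readable result of a verification run."""
    ok, first_bad = verify(records, integrity)
    if ok:
        return "integrity OK (%d records, head %s)" % (integrity["count"], integrity["head"])
    return "TAMPER DETECTED at entry %d" % first_bad


if __name__ == "__main__":
    integrity = build_integrity_file(ACCESS_LOG)
    print(tamper_report(ACCESS_LOG, integrity))

    # The administrator "goes back to the audit trail and deletes it": drop the delete record.
    scrubbed = ACCESS_LOG[:3]
    print(tamper_report(scrubbed, integrity))

    # A subtler edit: rewrite the export as a read.
    edited = [dict(r) for r in ACCESS_LOG]
    edited[1]["action"] = "read"
    print(tamper_report(edited, integrity))
```

The verifier only proves something if the integrity file (at minimum its head digest) is written somewhere the data's own administrator cannot rewrite, such as a write-once store or a separate system under different control; an administrator who can regenerate both the log and its chain simply rebuilds a consistent pair. That is exactly the point made above about securing the log files the same way as the data, and the matching against access logs still has to be done to turn "entry 3 was altered" into "who altered it".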

Try explaining that on the whiteboard to the CFO. You wouldn't get 5 minutes in before being asked to leave. But this is still the message that we need to get across. Integrity is more important than ever. Networks and users are already secure, you need to be concentrating on your data. Encrypt it, secure it, make sure no-one can do anything to it without you knowing. That way, when Brussels comes along in November and steps heavily into IT, you won't be running to catch up.

IT spending is a delicate subject which a lot of corporations don't like to talk about. But I do, and I've seen it all from a privileged position. I can scrub my data before letting it out in the open though, and so not be held in contempt of any laws. Next time I will talk about why IT spending in Europe is focusing in the wrong places, still.
