Wednesday, 15 August 2007

Integrity interest

I've been seeing a bit more interest in integrity in the past few weeks, and was pointed in the direction of a Slashdot forum where a method for log protection was being discussed:
"Recently I was asked by one of the suits in my company to come up with a method to comply with the new PCI DSS policy that requires companies to have write once, read many logs. In short the requirement is for a secure method to make sure that once a log is written it can never be deleted or changed."
The question is based on PCI DSS requirement 10.5.5, one of the harder technical requirements to meet, but there are other, more obvious reasons for protecting the integrity of your data. I recently spoke to a vendor of security software for surveillance cameras. They want to use their software to prove beyond doubt that the digital pictures it captures are "real", and they need something independent to prove that for them. It is a tough nut to crack: they do not control the camera itself, so they cannot simply embed a signing key in the camera chip and sign every image as it is created; all they control is the DVR (digital video recorder) box that collects the pictures, and anything signed there only proves that the frames were not altered after they reached the DVR.

Having spent the past six months researching data integrity, I can tell you a couple of things about it, but I was still astounded at the sheer number and diversity of responses the PCI question received. You will see from the title that it also applies to HIPAA and SOX, and quite rightly: in fact there are few regulations that integrity does NOT apply to.

The topic is only 15 days old and already has 380 comments, most of them posted in the first couple of days. They have covered everything I have come up with as competition to commercial integrity software, and a few others straight out of left field:
"Connect a line printer to mirror the log file as it's created. Use continuous fanfold paper. Get staff to sign and date first and last page. Lawyers love paper. (A magistrate once asked me if a printout I presented in a case was an "original email". I said it was as close as you could get.) In all likelihood, no one will ever refer to it, so don't worry that it might take 10 minutes to find a page. Once a month, ship it to a secure storage. For real paranoia, have two printers making two simultaneous copies."
A word to the wise: DON'T use paper. Your admin will see it printing off and, well, if I had been tampering with the logs I would just burn it, wouldn't you?

Other more sensible suggestions include:

DVD jukebox: slow, and not fully secure. A DVD will preserve the integrity of data as it was written to it, but unless you can confirm that the disc in your hand is the original one the data was burned to, and that nothing changed between the application writing a record and the burner receiving it, you cannot guarantee the integrity of what the application actually sent.

EMC's Centera: EMC have had issues with this not being all it's cracked up to be, and at hundreds of thousands of dollars per terabyte, you are going to want something pretty damn good.

syslog-ng: fine as a delivery method, if done over a secure channel to a dedicated log host that the admins of the source systems cannot log into, but once the data is in storage you have the same issues as with any other file.

Homegrown solutions: this is the point of the post. The poster wants to write his own solution to address the problem. One word: DON'T! If you write a solution to address a regulation and it works, great. If you write one and it fails, it is not just your ass on the line but your boss's, and his, and his, right up to the CEO. Better to pass that responsibility to a company that has written a commercially available solution and will stand behind it.

Timestamping: on the surface this looks simple and useful; underneath the covers it isn't. For a timestamp to mean anything you need a trusted time source and a signing key that the people who can touch the logs cannot touch. Getting that in-house means an HSM, and your costs have risen by $20k before you even install the timestamping software. Outsourcing to a third-party timestamping authority (RFC 3161 style) avoids the HSM, but adds a dependency on that third party and still only vouches for what reached the stamper, not for what happened before.
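For readers wondering what the "homegrown" attempts above actually boil down to, here is the usual core of one, added as a worked example (it is not code from the original post and not Kinamik's product): a forward-secure, HMAC hash-chained log with a verifier that shows what such a chain catches and, more importantly, what it does not. It assumes an initial key K0 that is held by the verifier off the log host, and a chain head that is anchored somewhere the admin cannot reach (a printout, a third-party timestamp, a remote host); the log lines and K0 are constructed for the demonstration.

```python
import copy
import hashlib
import hmac

GENESIS = b"\x00" * 32  # chain start, fixed by convention


def evolve(key: bytes) -> bytes:
    """Next per-entry key. The writer keeps only the newest key, so an
    intruder who later owns the log host finds no key that can re-tag
    earlier entries; the verifier regenerates every key from K0."""
    return hashlib.sha256(b"log-key-evolve|" + key).digest()


def entry_tag(key: bytes, prev_tag: bytes, seq: int, msg: str) -> bytes:
    """HMAC over previous tag, sequence number and message text."""
    material = prev_tag + seq.to_bytes(8, "big") + msg.encode("utf-8")
    return hmac.new(key, material, hashlib.sha256).digest()


class ChainedLog:
    """Append-only writer. Holds only the current key and chain head."""

    def __init__(self, k0: bytes):
        self._key = k0
        self.head = GENESIS
        self.entries = []  # [{"seq", "msg", "tag"}]: what goes to storage

    def append(self, msg: str) -> str:
        seq = len(self.entries)
        tag = entry_tag(self._key, self.head, seq, msg)
        self.entries.append({"seq": seq, "msg": msg, "tag": tag.hex()})
        self.head = tag
        self._key = evolve(self._key)  # the old key is discarded
        return tag.hex()


def verify(entries, k0: bytes, anchor_hex=None):
    """Recompute the whole chain from K0. Returns (ok, reason)."""
    key, prev = k0, GENESIS
    for i, e in enumerate(entries):
        if e["seq"] != i:
            return False, f"sequence gap at position {i} (entry removed)"
        expect = entry_tag(key, prev, i, e["msg"])
        if not hmac.compare_digest(expect.hex(), e["tag"]):
            return False, f"entry {i} modified or re-tagged"
        prev, key = expect, evolve(key)
    if anchor_hex is not None and prev.hex() != anchor_hex:
        return False, "chain head differs from anchor (truncated or extended)"
    return True, "ok"


# Constructed sample lines; K0 is a fixed demo value (use os.urandom in real use).
K0 = hashlib.sha256(b"demo-only-initial-key").digest()
SAMPLE = [
    "Aug 15 09:01:12 pos1 sshd[4021]: Accepted publickey for admin from 10.0.4.7",
    "Aug 15 09:02:40 pos1 sudo: admin : COMMAND=/bin/cat /var/log/pci/cardholder.log",
    "Aug 15 09:03:05 pos1 sudo: admin : COMMAND=/bin/rm /var/log/pci/cardholder.log",
    "Aug 15 09:03:06 pos1 sshd[4021]: Disconnected from 10.0.4.7",
]


def demo():
    """Build the log, then attempt the edits an admin might try."""
    log = ChainedLog(K0)
    for line in SAMPLE:
        log.append(line)
    anchor = log.head.hex()  # in practice: printed, timestamped or shipped off-box
    results = {"clean": verify(log.entries, K0, anchor)}

    edited = copy.deepcopy(log.entries)  # rewrite the incriminating command
    edited[2]["msg"] = edited[2]["msg"].replace("/bin/rm", "/bin/ls")
    results["edit"] = verify(edited, K0, anchor)

    dropped = log.entries[:2] + log.entries[3:]  # delete one entry
    results["delete"] = verify(dropped, K0, anchor)

    results["truncate"] = verify(log.entries[:2], K0, anchor)  # chop the tail

    # Intruder finds only the *current* key and head on the box and appends.
    stolen_key, stolen_head = log._key, log.head
    msg = "Aug 15 09:04:00 pos1 sudo: admin : COMMAND=/bin/true"
    forged = log.entries + [
        {"seq": 4, "msg": msg, "tag": entry_tag(stolen_key, stolen_head, 4, msg).hex()}
    ]
    results["append_no_anchor"] = verify(forged, K0)  # passes: nothing to compare to
    results["append"] = verify(forged, K0, anchor)  # caught only by the anchor
    return results


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:18s} {'OK ' if ok else 'BAD'} {why}")
```

The point of the last two scenarios is the one the post keeps returning to: the chain alone proves nothing about the tail. Modification, deletion and re-ordering are caught by recomputation from K0, but a truncated or extended log is only detectable against a head value that the person who can alter the log cannot also alter, which is exactly the independent, off-box piece that a DVD, a syslog server or a self-signed timestamp on the same machine does not give you.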

So, obviously, as the Product Management Director of a data integrity software company, Kinamik, I am going to find holes in everything that isn't commercial data integrity software, but I am where I am because I believe in it, not the other way around. It is worth doing; it will save you headaches and give you peace of mind. If you encrypt your data, control access to it, and can prove its integrity, you have very secure data.

Information-sharing environments need integrity proven, to show that no one has tampered with data on its way to you through half a dozen points in the network. The cameras above can use it. How about telephone logs? Medical databases, HR databases, finance, and so on? There are a hundred different applications.

I write about this all day, every day, and I just wanted to share this, as I have found it very interesting so far. I will write more about how useful integrity is another time (and have done previously). I noticed another post on the SBN last week which mentioned a similar issue; I offered a hand, but have not had any response yet.

We are still looking for reference customers in the US, and I'd be happy to talk to anyone about it.
