Thursday, 16 August 2007

Who's watching my data?

The following article was one I submitted for the InfoSec show programme in the UK this year. It was not printed, but appeared on several sites immediately afterwards, which was really the start of my interest in reporting on security. It was originally titled "Who's watching my data?", but has also appeared under other titles. This was my original title, so I'm keeping it real...

I can no longer find it online, only cached by Google, which isn't the same thing, so here it is reprinted for posterity, and to massage my own rapidly inflating ego:

Who's watching my data?
In a networked world, are we protecting the right thing?

To be successful, a business must make money. Increasingly, this money is not just cash being transferred between organisations but valuable information. This information takes many forms: a business’s IP, a bank’s customer details, a retailer’s credit card information. In the real world, we can see that cash is cash; we trust it because we can see it and feel it. Other items that we buy with our cash, we only buy when we are satisfied by the quality, look, feel, taste, etc.

We can restrict access to the things we hold valuable to our organisation; we can encrypt our data and ensure all access on the network is to the correct users. We can even pass data across the hostile internet in trusted encrypted tunnels, but there is never any guarantee that the data we receive is the same as when it was sent. In short, we could be being “sold a lemon”.

For complete integrity we need something which follows the data. This “data-centric” approach is the only way in which we can truly trust a transaction of any kind performed on a network, by its users. Transactions can range from the simple: logging on, accessing a file, to the more complex: trading shares or buying a product from an online trader.

The only technical solution that currently exists is digital signatures. This requires some form of PKI, at the very least a trusted key for each data holder. This gets expensive, and as anyone who has tried to administer a PKI will tell you, it leads to other headaches. What do you do when someone leaves a company? You can revoke certificates, but the revocation is never instant, and fraud only ever happens when there is the opportunity for it to happen. If a digital signature is broken, you cannot trust any of the data it applies to. And you don’t know where the data has been changed.

The C-word

The very mention of the word “Compliance” has many network administrators putting their heads in their hands. Regulations such as SOX, J-SOX, HIPAA and PCI DSS, although originating in the United States and Japan, are now being felt in Europe. PCI DSS applies to all retailers processing credit card details, but is easier to enforce in the United States with the backing of California Senate Bill 1386, which in simple terms says that if a breach of data occurs on a network, the breach must be made public knowledge.

As subsidiaries of American and Japanese companies have to comply with SOX and J-SOX, plus other industry-specific regulations, so do those that do business with them. The truth of the matter is that compliance is there for a reason: to ensure the security of the customers using our businesses.

In November 2007 a committee will sit in the European Parliament in Brussels to discuss a new disclosure law, following the same lines as SB 1386. Suddenly these regulations will have a new set of teeth, the backing in law and the ability to apply large fines for allowing a breach to take place unnoticed.

How do I protect my investment?
A more granular approach to data integrity is needed, in line with the data encryption and access controls that accompany it. These solutions need to achieve the same level as user and network integrity solutions, or they are the weak link in our security. When the integrity of data is in question, we need to ensure that more information is not lost, complete transactions can be reconstructed and the source of breaches discovered before they become financial losses. As data-centric security becomes as important to businesses as user, perimeter and network security, this is an important part of security which will need to be addressed before we can say we are truly safe from information loss.
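
The limitation noted earlier for a single signature (it shows that data changed, but not where) and the more granular approach called for here can be compared side by side. This is an added example, not part of the original article: HMAC-SHA256 stands in for a PKI signature so that it runs on the Python standard library alone, and the key, records and function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed demo key. In the article's setting this would be a signing key
# issued through a PKI; HMAC stands in for the signature here.
KEY = b"constructed-demo-key"

def tag(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts (no ambiguous concatenation)."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        mac.update(len(part).to_bytes(8, "big") + part)
    return mac.digest()

def seal_whole(key, records):
    """One tag over the whole data set: detects a change, cannot locate it."""
    return tag(key, *records)

def seal_records(key, records):
    """One tag per record, each bound to the previous tag (fixes order)."""
    tags, prev = [], b"genesis"
    for rec in records:
        prev = tag(key, prev, rec)
        tags.append(prev)
    return tags

def verify_whole(key, records, whole_tag):
    return hmac.compare_digest(seal_whole(key, records), whole_tag)

def find_tampered(key, records, tags):
    """Return the indexes of records whose stored tag no longer matches."""
    bad, prev = [], b"genesis"
    for i, (rec, stored) in enumerate(zip(records, tags)):
        if not hmac.compare_digest(tag(key, prev, rec), stored):
            bad.append(i)
        prev = stored  # chain on the stored tag so one bad record does not cascade
    return bad

# Constructed sample transactions.
RECORDS = [b"2007-08-01 pay 100.00 to A", b"2007-08-01 pay 250.00 to B",
           b"2007-08-02 pay 75.50 to C", b"2007-08-02 pay 10.00 to D"]
WHOLE_TAG = seal_whole(KEY, RECORDS)
RECORD_TAGS = seal_records(KEY, RECORDS)

if __name__ == "__main__":
    altered = list(RECORDS)
    altered[2] = b"2007-08-02 pay 9075.50 to C"  # constructed tampering
    print("whole-set tag valid:", verify_whole(KEY, altered, WHOLE_TAG))
    print("tampered record indexes:", find_tampered(KEY, altered, RECORD_TAGS))
```

The whole-set tag is still worth keeping alongside the per-record tags, because only it notices records removed from the end of the set.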
