Disastrous Practices – Part 2

By Patrick McCulley

Introduction

Last week’s article emphasized the close working relationship between the Chief Information Officer and the Chief Information Security Officer, and how their actions can positively impact an organization’s IT infrastructure. Also targeted at the startup, this week’s article explores the importance of data accountability, integrity and privacy throughout the realm of Information Technology and Security. These three concepts are inseparably linked, each complementing and bolstering the others.

Accountability

“It is wrong and immoral to seek to escape the consequences of one’s acts.” – Mahatma Gandhi

Areas of responsibility do not stop at the physical equipment boundary: ultimately, the Chief Information Officer and Chief Information Security Officer are responsible not only for the health and well-being of the Information Technology infrastructure, but also for the data which resides upon it.

The concepts of Least Privilege and Default Deny are highly effective when properly practiced, ensuring granular access controls and detailed record-keeping. When implemented early in the life of an organization, these two concepts become easy to administer and automate. Failing to implement these policies early on may result in serious security lapses in the future. Imagine the embarrassment for your corporation when an end-user is allowed to burn data to a CD, and absconds with sensitive company documents. This is precisely what happened in the case of Private Manning, who was able to burn such a CD as a result of lapses in security policies by the U.S. Army. Had such policies been implemented according to best practices (also laid out by the Department of Defense), Private Manning would have found it difficult, if not impossible, to accomplish that task.

Accountability as it applies to data in the modern business is a complex concept. Accountability doesn’t just mean securing parts of your network or sensitive files against unauthorized persons. Accountability isn’t just about who has access to what: Accountability is also about who accessed what when! If access to your sensitive data is granularly controlled yet not properly recorded for posterity, it will be extremely difficult to conduct a forensic investigation when a security incident occurs. NSA leaker Edward Snowden’s hoard of top secret documents illustrates just that: some officials even acknowledged that they do not know the complete scope of the pilfered data.

Least Privilege, Default Deny and responsible record-keeping of access to sensitive or compartmentalized data will ensure that your 21st Century business is prepared for when such an event happens. The question to ask is not “if” such an event will happen to your organization: the question should be “When this happens, will we be prepared?”
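The three practices named in this section can be shown working together. This is an added sketch, not code from the original article: the policy table, role names, file names and timestamps are constructed, and the hash chain is one common way to make an access record tamper-evident.

```python
import hashlib
import hmac
import json

# Constructed policy: anything not listed here is denied (Default Deny),
# and each role is granted only what it needs (Least Privilege).
ALLOW = {
    ("finance", "payroll.xlsx", "read"),
    ("hr", "employees.db", "read"),
}
GENESIS = "0" * 64  # chain anchor for the first record

def _digest(prev_hash, entry):
    body = json.dumps(entry, sort_keys=True).encode()
    return hashlib.sha256(prev_hash.encode() + body).hexdigest()

def access(log, ts, user, role, resource, action):
    """Decide the request and record it, whether allowed or denied."""
    allowed = (role, resource, action) in ALLOW
    entry = {"ts": ts, "user": user, "role": role,
             "resource": resource, "action": action, "allowed": allowed}
    prev_hash = log[-1]["hash"] if log else GENESIS
    log.append({"entry": entry, "hash": _digest(prev_hash, entry)})
    return allowed

def verify(log):
    """Return the index of the first record that breaks the chain, or -1."""
    prev_hash = GENESIS
    for i, rec in enumerate(log):
        if not hmac.compare_digest(rec["hash"], _digest(prev_hash, rec["entry"])):
            return i
        prev_hash = rec["hash"]
    return -1

def who_accessed(log, resource):
    """Answer 'who accessed what, when' for one resource."""
    return [(r["entry"]["ts"], r["entry"]["user"], r["entry"]["allowed"])
            for r in log if r["entry"]["resource"] == resource]

def build_sample_log():
    log = []  # constructed sample requests
    access(log, "2024-01-08T09:00:00Z", "alice", "finance", "payroll.xlsx", "read")
    access(log, "2024-01-08T09:05:00Z", "bob", "intern", "payroll.xlsx", "write_cd")
    access(log, "2024-01-08T09:07:00Z", "carol", "hr", "employees.db", "read")
    return log

if __name__ == "__main__":
    log = build_sample_log()
    print(who_accessed(log, "payroll.xlsx"), verify(log))
```

A chain like this only detects edits if the latest hash is also kept somewhere the log's writers cannot reach, since anyone able to rewrite the whole log can recompute every hash.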

Integrity

“Whoever is careless with the truth in small matters cannot be trusted with important matters” – Albert Einstein

The integrity of an organization’s data is extremely important to uninterrupted operation, especially so in the digital age. Data integrity can be threatened by any number of factors, such as faulty equipment or natural disasters, yet for each of these situations, mitigation measures exist.

On the surface, ensuring the integrity of your organization’s data (including that of your customers) may sound simple: as long as your servers don’t crash and you keep backups, everything should be fine, right?

Wrong.

Ensuring the integrity of your organization’s data includes tamper prevention mechanisms such as granular authentication and access controls, combined with robust encryption and hashing mechanisms. Merely ensuring systems uptime is not enough: efficient and timely backup and archival mechanisms will mean the difference between restoring company and customer data in a matter of hours versus losing it entirely. Catastrophic hardware failure will occur at every organization: whether such a failure destroys your organization or is merely a hiccup is something the CIO and CISO are responsible for determining.

Encryption plays an important role in data integrity as well as data confidentiality (more on this in the next section), ensuring that when a company laptop is stolen from an airport lounge, the hard drive does not spill its trade secrets or sensitive customer data to the world. Encryption mechanisms on your archival-quality backups ensure that even your off-site data are tamper-resistant, making it that much more difficult for evildoers to obtain or modify sensitive files.

Data Integrity is about more than just the integrity of the data itself: the philosophy and posture which an organization takes speaks to the integrity of the organization in question. An irresponsible organization will not enforce granular access controls, separating departmental roles and responsibilities. An irresponsible organization will not keep detailed records of access (authorized or otherwise) to its sensitive or compartmentalized data.

Confidentiality

“When it comes to privacy and accountability, people always demand the former for themselves and the latter for everyone else.” – David Brin

Confidentiality is no stranger to business: board meetings are kept confidential, as are trade secrets and financial records. KFC mascot Colonel Sanders’ secret blend of herbs and spices wasn’t a gimmick: it was data which was valuable to his business and therefore a closely guarded secret.

The potential for sensitive data to seep out through cracks in security policies is immense. A stolen company laptop which contains sensitive personally identifying information of customers (names, addresses, credit card numbers) has the potential to cost a corporation millions – but the same laptop properly secured with a robust encryption solution may be little more than a paperweight in the wrong hands.

Employee access to internet-based storage services offers an additional security concern: why should an employee go to the trouble of pilfering data with a USB drive when they can just upload your sensitive data to Dropbox? Without the ability to block certain websites, your organization can do little to prevent the theft or abuse of data. Application-aware security appliances help your organization prevent such actions, helping to ensure confidentiality – and by proxy, integrity.

In the age of information, both customer data and corporate data must be treated as equally valuable: failure to do so will result in serious and possibly irreparable harm to an organization. Eventually, every organization’s security will be breached in some fashion. How much data the thieves get away with may be determined by how much effort your organization puts into the accountability, integrity and confidentiality of its data. An irresponsible organization lacking integrity will be unconcerned with whether or not it encrypts company laptops and external storage devices. An irresponsible organization will be unconcerned with the expiry of its encryption keys. An irresponsible organization addresses security concerns such as laptop encryption after a security incident and not before.

Security in the digital age should not be an afterthought: it should be one of the primary concerns for your organization’s successful operation. The three concepts above work in concert to ensure the smooth operation of your organization in the digital age, ensuring confidence in the integrity and accountability of data, whether it be that of customers or of the board of directors.