Take a Bite Out of Data Theft
High-profile exposure of personal records raises demand for better data security.
A big problem is getting bigger. According to the Privacy Rights Clearinghouse (PRC), more than 1 million personal records containing names, Social Security numbers, birth dates, salaries, phone numbers, e-mail addresses and other identifying details were exposed in January 2008 alone. Since January 2005, the PRC has been publishing a chronology of reported data breaches so staggering it must be seen to be believed.
According to the PRC, as of August 2007 the number of exposed personal records exceeded 150 million.
As of this writing, that figure is pushing past 220 million, which means the rate of exposure is accelerating dramatically. Even if these exposed records are recovered, or not yet misused, each case represents the potential for serious misuse such as identity theft.
According to reports published by the Federal Trade Commission, identity theft is a massive, expensive problem that victimizes hundreds of thousands of people each year.
That is why these breaches are recorded and publicized and why a slew of legislation has passed to address the issue.
The potential damage stemming from data privacy breaches is only one of many reasons to focus on information and data security. Similar issues surround corporate intellectual property, trade secrets and national security. For these, the same vulnerabilities and protections apply.
Microsoft is releasing seven critical updates to Windows Vista, Internet Explorer and Office to address security concerns such as the “animated cursor” vulnerability exposed in 2007 that allows attackers to ultimately corrupt memory and take control of a computer. On a broader scale, according to the Annual Threat Assessment from the Director of National Intelligence for the Senate Select Committee on Intelligence, “foreign governments and other groups are attacking U.S. networks.”
So with brand reputations, government regulations, costly remediation and national security considerations at stake, the need to lock down private information has become critical. As the problem grows, so does the number of tools and services designed to address specific areas of information security. Companies and government agencies responsible for safeguarding sensitive information are starting to address the problem and look for solutions. However, they often approach information security and privacy in disjointed, costly or inefficient ways. Organizations concerned about at-risk data would be better served by a coherent, enterprise-wide data governance initiative, complete with a review of existing and nascent technologies and services.
Data governance refers generally to the management of people, processes and procedures required to create a consistent enterprise view of an organization’s data in order to, among other things, improve data security and decrease the risk of regulatory fines and litigation. More specifically, according to The Data Governance Institute, data governance is “a system of decision rights and accountabilities for information-related processes, executed according to agreed-upon models which describe who can take what actions with what information, and when, under what circumstances, using what methods.” There are many details behind goal setting, planning, implementation and maintenance of the objective.
A related source of information is the IT Governance Institute (ITGI). Together with the Information Systems Audit and Control Association (ISACA), ITGI defines industry-standard objectives for information security and other best practices around IT governance. Its official document is called the Control Objectives for Information and related Technology (COBIT) and is referenced by thousands of information governance, control, security and audit professionals.
To better understand data security and its technology solutions market, it is first important to distinguish between physical and logical data security. Greg Schulz, founder and senior analyst of independent storage analyst firm The StorageIO Group, defines physical security as things such as door locks, video cameras, security guards, background checks, biometric and encrypted USB access devices and audited data shredding. He defines logical security as things such as rights-managed software for user names and passwords; disk, file and database encryption libraries; secured network and server tools; partitioned storage; and audit trails. There are many vendors marketing these and other techniques, and they offer varying degrees of technology integration.
To stop identity and intelligence thieves from hacking into networks and computers, there are a host of solutions, including firewalls, intrusion prevention systems, probes and sniffers, honey pots (decoys) and access and auditing software. In fact, there are hundreds of tools on the market related to this aspect of information security alone. Some of the larger players include NetApp and Symantec.
Another widely discussed security topic is encryption. From algorithms and key management to build-versus-buy decisions, the science and business of encryption is a necessary consideration in securing data. The basic idea is to use an encryption method or device to encode sensitive information that can be revealed only with the right decryption key. For many implementations, the choice of which library to use may depend on the speed of encoding and decoding, the level of security needed, compliance with government regulations and compatibility with other applications.
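The encrypt-with-key, decrypt-with-key round trip described above can be sketched in a few lines. This is a deliberately simplified toy construction (an XOR keystream derived from a passphrase via SHA-256), not a production cipher and not the method of any vendor named in this article; real implementations would use a vetted algorithm such as AES from an established library.

```python
import hashlib

def keystream(key: bytes, length: int) -> bytes:
    # Derive a deterministic byte stream from the key (toy construction).
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def encrypt(plaintext: bytes, key: bytes) -> bytes:
    # XOR each plaintext byte with the keystream.
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, len(plaintext))))

# XOR is its own inverse, so the same function with the same key decrypts.
decrypt = encrypt

secret = b"SSN: 078-05-1120"
ciphertext = encrypt(secret, b"passphrase")
assert decrypt(ciphertext, b"passphrase") == secret
```

The point of the sketch is the round trip: only the holder of the right key recovers the original bytes, which is the property every library choice mentioned above must ultimately deliver.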
Of course, another consideration is identifying what exactly should be encrypted. Should the network, server, disk drive, database, file or just sensitive fields be encrypted? Each choice has runtime, access entitlement and maintenance implications for sensitive data as well as nonsensitive data that may be unnecessarily encrypted at the same time. This is something to think about as disk-drive and motherboard encryption for laptops and other computers become more available.
Due to mergers and acquisitions, a notable commercial characteristic of many logical security technologies is their continuing consolidation into the hands of fewer, larger vendors. This may or may not be a good thing for corporate consumers, depending on the technology or business particulars of the situation. That is, which vulnerabilities did the data governance effort reveal, and what is the future of the available tools and techniques that address them? A build-versus-buy decision process should include a survey of vendor and product stability within the solutions marketplace.
One of the most notable examples of security technology consolidation was the 2005 acquisition of storage software company Veritas by Symantec, a network management and security software manufacturer. The problem this combination faced from the outset was acceptance among large corporate purchasers, who struggled to reconcile the two companies' original technological and sales-channel differences.
Nonetheless, Symantec’s vision is compelling. The company believes and has stated that security will become a feature of infrastructure products rather than a core offering. It should be more efficient to bundle security, whether the perspective is purchasing, implementation, runtime or maintenance. It also is less expensive than buying best-of-breed, pure-play solutions at every turn, something to consider in a down economy.
Following this logic, in 2007, Innovative Routines International (IRI) released the ninth version of its flagship CoSort package with targeted, auditable security functions built into its data manipulation language. Traditionally a high-volume data processing and legacy migration tool, CoSort now includes field-level privacy functions, including encryption, de-identification, pseudonymization, masking and redaction. By combining role-based access controls with transformation, conversion and reporting, CoSort allows data warehousing, business intelligence and compliance activities to coexist within the same runtime and cultural paradigms.
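Field-level privacy functions of the kind described above can be illustrated generically. The sketch below is not CoSort's actual syntax or API (which the article does not document); the field names and the secret are hypothetical. It shows two of the named techniques: masking (hide most of a Social Security number) and pseudonymization (replace a name with a repeatable token so joins and counts still work).

```python
import hashlib
import hmac

def mask_ssn(ssn: str) -> str:
    # Masking: reveal only the last four digits.
    return "***-**-" + ssn[-4:]

def pseudonymize(value: str, secret: bytes) -> str:
    # Pseudonymization: a keyed hash gives the same token for the same
    # input, so the value stays linkable without being revealed.
    return hmac.new(secret, value.encode(), hashlib.sha256).hexdigest()[:12]

record = {"name": "Jane Doe", "ssn": "078-05-1120", "salary": 52000}
safe = {
    "name": pseudonymize(record["name"], b"site-secret"),
    "ssn": mask_ssn(record["ssn"]),
    "salary": record["salary"],  # nonsensitive field passes through untouched
}
print(safe["ssn"])  # ***-**-1120
```

Because only the sensitive fields are transformed, the rest of the record remains usable for warehousing and reporting, which is the coexistence the paragraph above describes.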
Products such as Symantec’s NetBackup and IRI’s CoSort are just two examples of what Protiviti, a risk management consultancy with an IT focus, has described as a move from device-centric security to data-centric security.
Safe Test Data
Another important facet of data-centric protection is test data. When IT projects require data for populating test databases, outsourcing file or report formats, benchmarking new hardware or software or developing new applications, they need test data that reflects the appearance, content, volume and value ranges of their production data.
Traditionally, snippets of real production data were used for testing. But production data is inherently unsafe since it may contain personally identifying details and other confidential information. And even if it’s not sensitive, data snippets may not be voluminous enough or contain value ranges sufficient to stress test application and operational prototypes.
Creating custom test data by hand can take a very long time. For these reasons, a number of techniques and solutions should be evaluated for generating realistic test data.
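The core requirement for generated test data, preserving realistic value ranges and referential integrity, can be sketched as follows. The two-table schema (customers and orders) is hypothetical, and this is a minimal illustration of the principle rather than how any product named here works: every child row's foreign key is drawn from the parent table's actual primary keys, never invented independently.

```python
import random

random.seed(42)  # reproducible test sets

# Hypothetical parent table: 100 synthetic customers.
customer_ids = list(range(1, 101))
customers = [{"id": cid, "name": f"cust_{cid:04d}"} for cid in customer_ids]

# Child table: 1,000 orders whose foreign keys are sampled from the
# parent's primary keys, guaranteeing referential integrity.
orders = [
    {"id": oid,
     "customer_id": random.choice(customer_ids),
     "amount": round(random.uniform(5.0, 500.0), 2)}  # realistic value range
    for oid in range(1, 1001)
]

valid_keys = {c["id"] for c in customers}
assert all(o["customer_id"] in valid_keys for o in orders)
```

At the scale cited later in this section (tens of millions of rows across many interdependent tables), hand-writing such scripts for every foreign-key relationship is what makes dedicated tooling attractive.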
Suppose, for example, that you are prototyping a large infrastructure replication project where production and disaster recovery sites are located 120 kilometers apart. If your customer is a major bank, using real production data to feed the backup replica is prohibited because third-party testers and developers are involved. FlexITy Solutions in Ontario, Canada, was a contractor in such a case, and needed to populate multiple, large databases with safe, realistic test data.
FlexITy chose IRI’s RowGen test data tool because, as IRI indicates, it could automatically parse the data model of every source database and automatically generate test data, complete with referential integrity. According to FlexITy quality assurance consultant Ilia Frankstein, RowGen formed 33 million rows of relational table data in fewer than three hours on a PC. “Without such a tool,” he said, “generating all that test data could take months because it would involve understanding the foreign key dependencies in the database, plus the coding and debugging of many custom data generation scripts.”
Certain databases and applications also contain built-in test data generation, randomization and masking functions, and there are a number of low-end or shareware data generators that may also suffice for specific requirements. RowGen, however, “can produce and transform huge volumes of referentially correct test data and flat file structures and make use of disparate data models and the metadata from existing applications,” Frankstein said.
Niche Service Providers
Most enterprises today do not have the resources to perform in-depth evaluations of how solutions for enhancing data protection will function when integrated with their existing production environment. To address this, FlexITy built the FlexITy Integration and Testing (FIT) Lab with enterprise hardware and software products from many leading manufacturers. According to Nolan Evans, FlexITy’s consulting solution architect, FIT “enables the prototyping of complex, heterogeneous infrastructure solutions in a way that is completely nonintrusive to ongoing production activities.” More to the point, however, is that FlexITy’s proofs of concept can reflect the actual behavior of a new service or solution in the context of a customer’s real data environment “without having to deal with the challenges of gaining access to potentially sensitive sample data,” he said.
FlexITy is just one example of an IT company specializing in protecting data as it prototypes environments and develops applications. Another example is Micro Focus’ Application Portfolio Management (APM) suite that can survey an entire battery of legacy programs and their data elements to find operational inefficiencies and at-risk data. Other vendors provide tools and services around data governance and sensitive data discovery.
For example, Exeros and GlobalIDs have solutions to monitor enterprise databases to identify at-risk data so appropriate security measures can be taken.
Kevin Trosian, technology equity researcher at Wedbush Morgan Securities, said it best in a column for SearchSecurity.com about the journey of discovering data security problems and solutions: “The road will be bumpy for vendors and security buyers alike. We’re experiencing a wholesale shift in the technology landscape, which will eventually benefit enterprises with better integrated, less expensive secure infrastructure products.”
David Friedland is executive vice president of CoSort. He can be reached at editor (at) certmag (dot) com.