More stolen data

Stanford University is the latest large organisation to be involved in the unintentional leaking of personal data. A laptop was stolen that contained the personal details of 62,000 former and current employees. The data included:

  • Name, gender, date of birth
  • Social Security number
  • Salary, business title, office location, office phone number, and e-mail address while employed by Stanford
  • Home address and phone number while employed by Stanford
  • Stanford ID card number and Stanford employee number

Oh dear!!! With all of that data identity theft is very, very easy.

Stanford seems to be reacting in a very professional and open manner, which is good. The reason for my post is data encryption. Over the years while working for corporations I have been involved in many discussions around the handling of sensitive data, and the question of using encryption boils down to a couple of major topics.

Firstly, encryption tools can be difficult for the average computer user to use. Second, once data is encrypted, moving it is made difficult (I know that’s the point), which makes ongoing use of the data by the people who need access problematic.

The first reason is solvable via training, but if you don’t use the encryption tools regularly issues still pop up, and they will do so late on a Sunday night before an important presentation the next day. That’s Murphy for you.

The second issue is more difficult. Person A needs to send data to Person B, so it is encrypted using regular public key technology: nice and simple if only Person B needs to use the data. But what happens when more people need to access the data? Person A needs to re-encrypt with all of the required public keys. It is this step where things get nasty. If Person A is in another organisation on the other side of the world, which is not uncommon in outsourcing, it could take time. So Person B decrypts the file and shares it unencrypted so that business can be done. Yes, they could re-encrypt it, but in most organisations this does not happen. Not to mention what happens when either person leaves their respective organisation.
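The re-encryption step above is only painful when the whole file is encrypted directly to each recipient. The usual fix is an envelope: the file is encrypted once under a random content key, and only that small key is wrapped to each recipient's public key. The following Go program is an added example written for this post, not code from the original article; the names A, B and C, the RSA-OAEP key wrapping and AES-256-GCM payload encryption are my assumptions about how such an envelope would be built. It shows that Person B, once they can read the file, can grant Person C access by wrapping the content key again, with no round trip to Person A and no unencrypted copy of the data. It also shows the limit of removing a recipient: deleting their wrapped key stops future unwraps, but anyone who has already recovered the content key keeps it, so a real leaver scenario needs a new content key and re-encryption.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is one encrypted payload plus one wrapped copy of the content key
// per recipient. Adding a reader touches only WrappedKey, never Ciphertext.
type Envelope struct {
	Nonce      []byte
	Ciphertext []byte            // AES-256-GCM output (ciphertext || tag)
	WrappedKey map[string][]byte // recipient name -> RSA-OAEP wrapped content key
}

func wrap(cek []byte, pub *rsa.PublicKey) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, cek, nil)
}

func unwrap(wrapped []byte, priv *rsa.PrivateKey) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
}

func newGCM(cek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(cek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plain once under a fresh 256-bit content key and wraps that
// key for every initial recipient.
func Seal(plain []byte, recipients map[string]*rsa.PublicKey) (*Envelope, error) {
	cek := make([]byte, 32)
	if _, err := rand.Read(cek); err != nil {
		return nil, err
	}
	gcm, err := newGCM(cek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	env := &Envelope{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plain, nil), WrappedKey: map[string][]byte{}}
	for name, pub := range recipients {
		w, err := wrap(cek, pub)
		if err != nil {
			return nil, err
		}
		env.WrappedKey[name] = w
	}
	return env, nil
}

// Open recovers the plaintext for one named recipient using their private key.
func Open(env *Envelope, name string, priv *rsa.PrivateKey) ([]byte, error) {
	w, ok := env.WrappedKey[name]
	if !ok {
		return nil, errors.New("no wrapped key for " + name)
	}
	cek, err := unwrap(w, priv)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(cek)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// AddRecipient lets an existing reader (me) grant access to newName by
// unwrapping the content key and wrapping it again; the payload is untouched.
func AddRecipient(env *Envelope, me string, myPriv *rsa.PrivateKey, newName string, newPub *rsa.PublicKey) error {
	w, ok := env.WrappedKey[me]
	if !ok {
		return errors.New("no wrapped key for " + me)
	}
	cek, err := unwrap(w, myPriv)
	if err != nil {
		return err
	}
	nw, err := wrap(cek, newPub)
	if err != nil {
		return err
	}
	env.WrappedKey[newName] = nw
	return nil
}

// RemoveRecipient only prevents future unwraps. Someone who already opened the
// envelope still holds the content key; true revocation means re-sealing
// under a new key for the remaining readers.
func RemoveRecipient(env *Envelope, name string) { delete(env.WrappedKey, name) }

func main() {
	a, _ := rsa.GenerateKey(rand.Reader, 2048) // Person A: sender
	b, _ := rsa.GenerateKey(rand.Reader, 2048) // Person B: first reader
	c, _ := rsa.GenerateKey(rand.Reader, 2048) // Person C: added later by B
	_ = a
	env, _ := Seal([]byte("constructed sample: employee roster"), map[string]*rsa.PublicKey{"B": &b.PublicKey})
	_ = AddRecipient(env, "B", b, "C", &c.PublicKey)
	got, err := Open(env, "C", c)
	fmt.Printf("C reads: %q (err=%v)\n", got, err)
}
```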

As we move into a world of mashups, open APIs and other Enterprise 2.0 goodness security is going to be even more important and complex!

4 thoughts on “More stolen data”

  1. Michael, this raises an interesting point that security DOES indeed need to extend outside of corporate boundaries and retain some sense of ease-of-use.

    Within the Enterprise 2.0 world we refer to an initiative called ‘Content Centric Security’ which quite simply is a leverage of Information Rights Management technology. This applies a policy (or as it’s been known – electronic Glad-Wrap/Cling-Film) around information and with the support of identity management solutions, can apply rights against information whether it exists inside or outside of the firewall.

    Where a laptop is stolen/lost/left-at-the-airport or whatever excuse the next organisation uses to explain the accidental loss of information – the owner can simply and easily revoke rights against the lost information and it will remain encrypted and inaccessible. This technology can be applied to information within the entire mobile-access space including Blackberries, Laptops, Smart-Phones etc. etc. etc.

  2. A massive challenge in any organisation today is how to control the flow of information. Not too long ago it was acceptable to simply remove a 3.5 inch floppy drive from the desktop PC in an organisation. This provided reasonable protection from removing confidential information or intellectual property from a company. Then came the explosion of new technologies; we now have USB sticks, mobile phones that can act as mass storage, even digital cameras. And that covers just the physical solutions, what about online storage such as Google and many others. Then if that is not enough you have social networking and its implications for data leakage. Many technologies exist today to assist an organisation to lock down a PC or employee laptop but the question needs to be asked should the information have even got there in the first place.
    In my role looking at enterprise security requirements I see time and time again the lack of ability to even know who has access to what in a company. The basic understanding of access rights is further complicated these days with the alignment of organisational roles to technologies access lists. Anyone in the Identity Management arena will know of the term “orphan accounts.” This is a term that describes accounts in systems that appear to no longer have a legitimate current employee attached to them. This is one of the fundamental steps in minimising data leakage; you need to know who can access this information first.
    Once a company has a handle on the “who has access to what” paradigm the next challenge is to know if an employee has viewed data that is relevant to their role in a company. Companies have a responsibility to lock down employee tax file numbers and payroll information. But most companies have no idea who can in fact read this information; sys DBAs and anyone that has root access to the underlying database are two examples where the role entitles the individual to access highly sensitive information and minimum controls exist in most companies to handle this scenario. Comprehensive detective controls that can audit super user access, and even better preventative controls, need to be put in place.
    Data protection needs to look at, of course, how data can be locked down on a device, but also who has access to what, how system access relates to business roles and what detective and preventative controls can be put in place.
    Carl Terrantroy
    Director Security Technology Oracle ANZ
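The orphan-account problem Carl describes is, at its core, a reconciliation between what the systems say exists and what HR says is current. The Go program below is an added example for this comment thread, not code from the commenter or from Oracle; the account fields, the 90-day dormancy threshold and the sample roster are constructed for illustration. It flags accounts with no owner recorded, accounts whose owner is no longer an active employee, and privileged accounts that have gone quiet, and it lists the privileged findings first because those are the ones that can read payroll and tax-file data.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Account is one login on some system, as an access review export would list it.
type Account struct {
	System     string
	Login      string
	OwnerID    string    // HR employee number the account is mapped to; "" if nobody recorded one
	Privileged bool      // root, sysdba, domain admin and similar roles
	LastLogin  time.Time
}

// Finding is one account the review flags, with the reason.
type Finding struct {
	Account Account
	Reason  string
}

// ReviewAccounts reconciles exported accounts against the set of active HR
// employee numbers. Privileged findings sort first, then by login name.
func ReviewAccounts(accounts []Account, activeEmployees map[string]bool, now time.Time, stale time.Duration) []Finding {
	var out []Finding
	for _, a := range accounts {
		switch {
		case a.OwnerID == "":
			out = append(out, Finding{a, "unmapped: no owner recorded"})
		case !activeEmployees[a.OwnerID]:
			out = append(out, Finding{a, "orphan: owner " + a.OwnerID + " is not an active employee"})
		case a.Privileged && now.Sub(a.LastLogin) > stale:
			out = append(out, Finding{a, "dormant privileged account"})
		}
	}
	sort.SliceStable(out, func(i, j int) bool {
		pi, pj := out[i].Account.Privileged, out[j].Account.Privileged
		if pi != pj {
			return pi
		}
		return out[i].Account.Login < out[j].Account.Login
	})
	return out
}

// SampleFindings runs the review over a constructed export and roster.
func SampleFindings() []Finding {
	now := time.Date(2008, 6, 15, 0, 0, 0, 0, time.UTC)
	day := 24 * time.Hour
	accounts := []Account{
		{"payroll", "jsmith", "E100", false, now.Add(-2 * day)},
		{"payroll", "sysdba", "", true, now.Add(-1 * day)},      // nobody owns the DBA account
		{"hr-db", "root", "E205", true, now.Add(-5 * day)},      // E205 left, account still live
		{"fileshare", "tjones", "E310", false, now.Add(-40 * day)},
		{"hr-db", "backup_svc", "E100", true, now.Add(-200 * day)}, // owned, but unused for months
		{"wiki", "mlee", "E412", false, now.Add(-1 * day)},
	}
	activeEmployees := map[string]bool{"E100": true, "E412": true} // constructed HR roster
	return ReviewAccounts(accounts, activeEmployees, now, 90*day)
}

func main() {
	for _, f := range SampleFindings() {
		fmt.Printf("%-10s %-12s privileged=%-5v %s\n", f.Account.System, f.Account.Login, f.Account.Privileged, f.Reason)
	}
}
```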

  3. I don’t think the major issue is around how we secure the data over the wire, or ensure access rights to the data over the longer term using some centralised or proprietary piece of access management technology.

    In many instances the data was lost because a laptop was stolen/lost/etc. This is pretty easy to fix, given a few key requirements are met up front.

    Most modern laptops come with built-in TPM chips, and software which makes use of the TPM chip to do full-disk encryption isn’t terribly expensive either.

    I’m using Vista with Bitlocker on my personal laptop – mainly for testing purposes – it works seamlessly, and I’m pretty well assured that nobody can access any of my data unless they have my password. Not even pulling the drive out will get them anywhere.

    It’s simple enough that it can be managed by central network rules, and users don’t have to even know that anything has changed.

    Of course, stolen laptops aren’t the only risk, but it would have to be one of the bigger ones that’s fairly easily mitigated.

    – Will.

  4. Will, Paul & Carl thanks for stopping by! Very interesting comments.

    @Paul ‘Content Centric Security’ does solve part of the problem but still requires the data to have some form of digital rights management in the first place. I guess it could be implemented by default for every file on a device. Which would solve the Stanford issue. But how does it get around where files still need to be moved around such as the example Carl highlighted “alignment of organisational roles to technologies access lists”?

    I guess a further question is how do we protect all this data in a world of mashups??
