The industry is being pulled in two directions – the need to proliferate access to corporate data – everything from global trials to Internet therapy portals – and the need to protect intellectual property rights. The FDA has added its two penn’orth in the form of Part 11, but has chosen (quite rightly, I believe) not to be proscriptive, by simply issuing guideline objectives. So, where does that leave managers tasked with securing corporate and operational data?
It should be simple. First task is to restrict access (using anything from passwords to fingerprint recognition to smart cards); secondly, to frustrate anyone who manages to breach the first hurdle (typically, with encryption techniques). The reality is far from simple. Let us begin by examining some of the exposures.
Biometric watchdogs – without a full set of teeth
Biometric techniques, such as fingerprint recognition or retinal scans are very much flavour of the month and they certainly do have some compelling strengths. They are highly specific and incredibly easy to use – there is nothing to remember. They are also high tech, so they must be good.
In reality, they are nothing more than a complex password. Putting aside the problems and cost of implementing the necessary hardware across the extended enterprise, including field workers such as trials monitors, not to mention CROs, there can still be an overwhelming weak link. If, in order to validate the fingerprint or scan, a record of the original is kept somewhere on the network, then that record is just as vulnerable as any other record on the system. Not only is it vulnerable to external hackers, it is also sitting on a network that is managed and probably routinely backed up by a junior in the IT department – available to be copied electronically. In fact, biometric checks are nothing more than cleverly packaged static passwords and, apart from ease of use, can be almost as vulnerable.
Encryption – a shaky Tower of Babel
The concept of encryption is not new – the Third Reich employed an (almost) perfect technique of converting information into gibberish that could be deciphered only with the appropriate key. Modern computer encryption techniques are remarkably secure, but they can suffer operational problems.
Until recently, the problem with encryption has been the need to compromise – a choice between one of two strategies. Either adding more bolts to the door or accepting enormous overheads in terms of developing, rolling out and maintaining the encryption environment. Adding more bolts (too much authentification) makes for a user un-friendly operating environment, with complex logging on and spending what can seem like an eternity waiting for the on-screen ‘egg timer’, encouraging users to disable encryption. On the other hand, making encryption transparent to the user (normally through something known as partition encryption) involved high costs, and a protracted period of implementation with, for example 1 gigabyte of disk space taking typically 40 minutes to encrypt, even when empty!
The proliferation of laptop computers also compounds the potential for security breaches. Typically, a user’s encryption key has been stored on the laptop (it would be pointless sending it up and down the network). Laptops are frequently stolen from cars – complete with highly sensitive data complete with the encryption key!
Outsourcing the non-core – outsourcing the secrets
There are compelling arguments for outsourcing non-core elements of the business, but this simply exacerbates the security exposure. To put a figure to the problem, an IDC report asking top company executives about outsourcing, reveals that 87% believe that security was the dominant issue. In more than 50% of instances where companies pull back from the outsourcing decision, it is simply because of the security exposure. Stated simply: whoever has administrative access to the infrastructure, has access to the data content. In all currently available systems – everything from mainframe legacy systems to fileservers and client workstations – whoever has administrative rights to the operating systems, has access to the data content. Even using Microsoft’s encrypted file system (EFS), if you are an administrator of the operating systems or Domain, you either have automatic access, or can get access, to the data content, encrypted or not.
Security in today’s real world
I have painted a somewhat black picture. There are techniques available today that almost completely address the issues that I have described but, surprisingly, even data security professionals are frequently not au fait. There are simple solutions to securing data across extended networks, the internet and even physically vulnerable laptops, and there are ways of outsourcing functions whilst retaining an iron control over access to the data (even from within the It department). And the good news is that it is even possible to ratchet up security whilst making life easier for end users.
The secret is for the board not to abrogate responsibility on the grounds that IT security is a complex, technical problem. They really need to invest the time into understanding the issues and being able to assess for themselves whether the right security strategy is in place.
Armoursoft is a leading data security organisation, specialising in encription and data access solutions. Company web site: http://www.armoursoft.com