Lock the Door and Make Sure Your Data is Protected

You would think that at some point in time your children will reach the age at which you can reason with them, I’m hoping it’s a year older than the oldest one is right now – none of mine have achieved this rarefied state yet so I’m still living in hope. For example take the simple concept of locking the back door before they leave the house and you would expect that they could understand the rationale. After all they’ve spent all these years watching their mother go back into the house at least twice just to double check that I did do it before I locked the front door. But somehow it seems that this concept is overly complex. Of course this is just one of a long list of what I consider apparently rational ideas that seem revolutionary to them such as “slow down at speed cameras”, “fill up the tank at least once a year”, etc. However, if we dare enter one of the bedrooms that look as if a hurricane has just passed through it, we might as well have compromised national security.

Somehow it seems that the concept of treating other peoples’ property with the same care that you treat your own seems alien, even in the family. So I guess it should not come as a great surprise that other peoples’ sons and daughters are exactly the same. And every business is full of other peoples’ sons and daughters. So it only seems logical that somebody has to be mother in any business – double checking that the backdoor is locked.
As we discovered in a recent survey not only are backdoors left open but frequently although people know they are open they can’t be bothered closing them – after all they might need access themselves at some point. More than a third of people interviewed admitted that they still had backdoor access to their old employers’ data and a quarter of those interviewed knew that former colleagues could access – and yet they did nothing about it – My family would be proud of them!

How serious can a backdoor be? The recent example of a large global retailer who was “hacked” for several months, maybe a couple of years, resulting in huge amounts of customer data going out the “backdoor” – they may never know just how much the lost – is clearly just the tip of the iceberg – unless the other 99.99% of those with backdoor access are only keeping their backdoor access out of some sentimental reason. One reason why one could suspect that it might have been a former employee is the quote from the company – “We believe that the intruder had access to the decryption tool for the encryption software utilized..” – Now either they are using the worst encryption tool ever invented in which case they have duty to name the supplier, or more likely somebody “accidentally” managed to access the recovery keys – or maybe it was supposed to be encrypted. Like the recent incident with a UK bank, “The disk would usually be encrypted. Unfortunately, due to human error on this occasion the usual policy was not followed.”

What these two incidents point is that many organizations need to seriously address the issues of how to protect sensitive data, and how to control privileged access to systems. Simply encrypting sensitive data is of little use if those who manage the systems where the data is kept have uncontrolled access. Conversely, protecting the privileged password is all well and good but if the user can access highly confidential data, without leaving any trace, after gaining access to the password then it defeats one of the major purposes of protecting privileged accounts.

For example, the Payment Card Industry (PCI) standard requires the protection of stored cardholder data, and restricting access to cardholder data by business need-to-know. SOX mandates that corporate management take responsibility for establishing and maintaining an adequate internal control structure and procedures for financial reporting. In other words, if you are staff are able to have unauthorized access to sensitive data once they have access to a privileged password then you’re only addressing half the problem.

That two major companies have made headlines is more an indication of the overall state of data security within organizations. No one would deny that both organisations have the means to deploy the best technology, the problem I would suggest is that they both appear to have placed to much trust in the integrity of staff, and where overly dependent on staff carrying out their responsibilities effectively. Despite the fact that the buck stops at the top, the first people who should come under serious scrutiny are the senior security staff whose job it is to ensure that these incidents do not happen.

Passwords – Protecting the Key
Passwords remain the primary key used to unlock access to business-technology systems. Passwords need to have limited use-life. System-level passwords, such as those used to gain access to networking equipment and server/application administration need to be changed regularly, and in some cases should be “one-time-only”. All privileged or “super” user passwords should be centrally maintained and managed. Basic employee passwords used to access business applications, computers, e-mail accounts etc., should be similarly recycled regularly. Despite widespread knowledge of sound password policy, many organizations still fail to adequately create, manage, and retire their usernames and passwords effectively.

Securing Data – Hiding the Family Jewels
Given the continuous news of lost backup tapes and unauthorized access to corporate databases, more attention needs to be given to the effective encryption of “data-at-rest”. Encrypting stored data can be one of the most critical facets of an organization’s defense-in-depth strategy.
Securing data while it travels between applications, business partners, suppliers, customers, and other members of an extended enterprise is crucial. As enterprise networks continue to become increasingly accessible, with more and more organizations adopting an “Internet Centric” model, so do the risks that information will be intercepted or altered in transmission difficult to manage.

This is the very essence of the Vaulting Technology. Vaulting Technology makes certain that an inevitable slip in an organizations security posture won’t result in stolen intellectual property, or having to inform customers that they’re at risk of identity theft because their personally. Today many companies are still exchanging highly sensitive data by couriers because the infrastructures they have in place have not addressed the protection of highly sensitive data. It’s a bit like having email but still relying on the Pony Express for the really critical stuff! Certain traditions are not worth keeping!

There was a day when everything was committed to paper and locked in a secure vault or safe in the office. Nowadays everything is digital but it still needs to be locked away in a digital vault. After all somebody is bound to forget to lock the door sooner or later.