Cyber Eye: For crying out loud, encrypt data at rest
The nation owes a debt of gratitude to California, which last year began requiring that companies doing business in the state notify consumers whose unencrypted personal data has been compromised. Because so many companies do business in California, the law has in effect become a de facto national requirement.
In the wake of this law has come a steady stream of announcements that personally identifiable information on millions of individuals has been lost, stolen or misused. The largest incident (as of this writing) was the loss of data on 3.9 million persons by CitiFinancial, the consumer-finance division of Citigroup. But that is only the latest in a long list of losses reported by financial institutions, data brokers and universities.
Interestingly, although online transactions and the vulnerability of digital data have brought the issue of identity theft to the fore, few if any of the high-profile compromises have involved hacking. Digital data is being compromised at an alarming rate through old-fashioned fraud and the loss of such physical media as notebook computers and tapes.
The message here is clear: There is little meaningful distinction between physical security and cybersecurity.
Treating these two areas separately allows gaps in what should be a seamless security fabric. The best firewalls, intrusion detection and prevention systems, and antivirus programs can't protect anyone against a notebook loaded with sensitive data being left unattended in an unsecured office, or a box of computer tapes disappearing en route from one facility to another.
The first rule in securing data, no matter what form it is in or what media it resides on, is 'be careful.' But policies on the handling of data are difficult to enforce, and the people who run the networks have little or no control over the people who sit at the far end of a network connection or who throw a package into the back of a truck. But there are a couple of things that can be done to stem this data leakage that is rapidly becoming a flood.
One is to limit as much as possible the transfer of data between one medium and another, because every transfer can mean one more exposed copy of the data and one more set of risks to guard against. Is it really necessary for someone to have millions of names and Social Security numbers on a notebook? If it is, OK. Be careful with it. But if it isn't, leave the data where it is. And if you're transferring large amounts of data from one place to another, should it really be done on tapes? The Patent and Trademark Office has begun using a secure file transfer system to avoid just this problem [see GCN, June 20, Page 48]. Gigabytes of sensitive patent information on tape were previously trucked between its Northern Virginia headquarters and a contractor in Horsham, Pa. Security on the new system isn't perfect; nothing is. But it eliminates the worry over what happens to that truck between the time it pulls away from one loading dock and arrives at another.
Another measure agencies could take is to encrypt data where it's stored. Encryption of links is common when data is transmitted, but data is most vulnerable when it is at rest. Databases should be encrypted, and if it really is necessary to put that data on a notebook, it should be encrypted there, too. And if you must ship a backup tape cross-country, there is no reason to do it unencrypted.
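The column's point is that the backup tape or notebook disk should carry only ciphertext, so that losing the medium does not mean losing the data. As an added illustration (not part of the original column, and not any agency's or vendor's code), the following Go program seals a constructed sample extract with AES-256-GCM before it is written to removable media. The assumptions are that the data-encryption key is stored and shipped separately from the tape (a key-management system, an HSM, or a sealed envelope; never the same box), and that a per-archive label such as a tape serial is bound to the ciphertext as associated data so one archive's contents cannot be swapped into another's. Any bit flip in the nonce, ciphertext, tag or label, or use of the wrong key, makes decryption fail rather than yield garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// keySize is 32 bytes for AES-256. Assumption: the key is generated and
// held in a key-management system or TPM-backed keystore, never stored
// on the same tape or disk as the ciphertext it protects.
const keySize = 32

// NewKey generates a random 256-bit data-encryption key.
func NewKey() ([]byte, error) {
	key := make([]byte, keySize)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts plaintext with AES-256-GCM and returns
// nonce || ciphertext || tag. label is authenticated but not encrypted
// (for example a tape serial or table name), so an archive cannot be
// relabelled or swapped without the authentication check failing.
func Seal(key, plaintext, label []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per archive; reuse under one key would be fatal.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, label), nil
}

// Open verifies and decrypts data produced by Seal. Any modification of
// the nonce, ciphertext, tag or label, or a wrong key, yields an error.
func Open(key, sealed, label []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short to contain a nonce")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, label)
}

func main() {
	// Constructed sample records standing in for a backup extract.
	records := []byte("id,name,ssn\n1,Jane Doe,000-00-0000\n")
	label := []byte("backup-tape-EXAMPLE-001") // placeholder tape serial

	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	sealed, err := Seal(key, records, label)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed %d plaintext bytes into %d bytes for the tape\n", len(records), len(sealed))

	// Simulate a single corrupted or altered byte on the medium.
	sealed[len(sealed)-1] ^= 0x01
	if _, err := Open(key, sealed, label); err != nil {
		fmt.Println("altered archive rejected:", err)
	}
}
```

The tape then carries `sealed` and nothing else; the key travels by a different channel. The same Seal/Open pair applies unchanged to a database dump or a file copied to a notebook, which is the point of the column: what is at rest should be ciphertext.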
This won't save anyone who loses track of sensitive data from turning red-faced, but it can help ease worries about potential misuse of the data.
William Jackson is a GCN senior writer. E-mail him at firstname.lastname@example.org.