It's Audit Time. Do You Know Where Your Private Data Is?

While vendors, analysts, and reporters have focused on network security, a much more serious threat has been neglected--namely, physical security, and in particular stolen mobile devices. (Originally published in IT

September 1, 2005


Where in an enterprise computing infrastructure is private data most vulnerable? Ask any vendor, analyst, or politician, and they'll probably say something about the Internet, or perhaps outsourcing or wireless networks. But ask anyone running an IT department with a large number of laptops, and you'll likely hear a different story.

While vendors, analysts, and reporters have focused on network security, a much more serious threat has been neglected--namely, physical security, and in particular stolen mobile devices.

Theft has been a problem since the first suitcase-sized portable PCs appeared two decades ago, but it's getting much worse as laptops become standard issue in many organizations. And it isn't just laptops: Exponential increases in storage density mean that data is also at risk on PDAs, cell phones, and removable media such as DVDs and USB flash drives.

[Figure: "Private Data" poll results]

In an IT Architect poll, readers presented with 11 choices voted for laptops and handheld devices as the place where private data is most vulnerable--ahead even of such obviously insecure systems as Internet e-mail (see "Private Data", left). That isn't just paranoia. According to the FBI and the Computer Security Institute (CSI), people are more likely to be a victim of laptop theft than any other computer crime except malware infection. At least a thousand laptops go missing in the United States every day, of which fewer than 3 percent are ever recovered. Combining police statistics with IDC's estimates of the total PC market reveals that about one in every 10 laptops will eventually be stolen.

That's the bad news. The even worse news is that the problem has been ignored for a reason: It couldn't be solved and still can't. Low-tech solutions such as padlocks can help, but they don't stop muggers or malicious insiders. Security policies can limit the kind of data stored on a device, but overly restrictive rules will be ignored. Tracking services that aim to locate stolen machines have more potential, but they're unproven and have privacy implications of their own.

The fashionable fix is full-disk encryption. But while that may be enough to comply with regulations, enterprises concerned about industrial espionage also need to consider key management and authentication. Encrypted data is only as secure as the key required to decrypt it.

WORK TO RULE

It's often said that security is a process, not a product. Unfortunately, the only truly secure process is to not use mobile devices at all--something that will prove unacceptable in most organizations. Mobile devices are so useful that their benefits almost always outweigh the security risks.

Another possibility is to institute policies about what data can be stored on a mobile device. Salespeople can be told it's okay for their laptops to contain an archive of PowerPoint presentations, but not a local copy of the CRM database. However, these restrictions are difficult to enforce, and most employees are more concerned about getting their jobs done than about IT security.

Encryption vendor Pointsec says its customers include several household-name banks, whose employees often fill their laptops with tens of thousands of people's confidential account records. Simply barring such sensitive information from a laptop might sound like a more secure choice, but mobile computing is just too convenient. Banks find that the certain productivity boost of letting a salesperson analyze likely prospects on the road is worth the potential risk.

Where people do accept that some information should be deleted, they may lack the skills to do so completely. While most Windows users know that files sent to the Recycle Bin haven't really been deleted, fewer understand that even emptying it only deletes directory entries, leaving the files themselves readable by sector-scanning tools. Although secure deletion tools that actually overwrite files are included in most desktop security suites, they can take several seconds or minutes to erase a large file and consume valuable battery power.

LOCK AND LOAD

Rather than prevent devices from being used, a security policy can try to prevent devices from being stolen. This is more likely to gain organizational support because it's seen as helping mobile workers, not hindering them. While the risk of a data leak is hard to quantify, the negative consequences of being without a laptop are immediate and the replacement cost obvious.

However, some sensible-sounding policies don't work in the real world. For example, many well-meaning IT departments tell people not to leave a laptop unattended in a hotel room, or if they have to, to lock it inside the in-room safe. This ignores the fact that most in-room safes aren't large enough for laptops, and that thefts from hotel rooms are comparatively rare.

A professional criminal is more likely to target public or semi-public areas such as convention centers, airports, and offices. Opportunists are more likely to keep the devices they find left behind under a restaurant table or in the back of a taxi.

According to IT Architect's poll, the most popular laptop security measure is a lockable docking station (see "Physical Security", below). The attraction is obvious but limited because docking stations are designed only to be used in the office. Portable locks and chains are another popular option, but they're often impractical. They can also contradict the most obvious security precaution of all, which is never to leave anything valuable and portable unattended in a public place. Making that a policy while handing out bicycle-style chains can be reminiscent of parents talking to kids about sex and drugs: Don't do it, but just in case you do...

PRIVATE PARTS

Even conscientious employees with the right tools aren't safe. One former executive at a well-known security vendor told IT Architect how he took all the right physical measures to protect the laptop that contained his company's secret firewall and VPN concentrator blueprints, only to be mugged at gunpoint. Now he always encrypts his data.

He's not alone. A third of respondents in IT Architect's poll already encrypt data on mobile devices, and the industry is set to promote the practice aggressively next year. Most new laptops already include a cryptographic coprocessor called the Trusted Platform Module (TPM), and encryption will be a standard feature in Microsoft's Windows Vista (a.k.a. Longhorn), the XP successor due in late 2006. Seagate Technology is even building encryption right into laptop hard drives.

These and other encryption technologies can be useful, but the current efforts are driven mostly by regulatory compliance, which isn't necessarily the same as a good security policy. For example, California's Security Breach Information Act (SB 1386) makes a specific exemption for encrypted data: Companies that leak private data about California residents have to notify the affected people, but only if the data stolen was unencrypted. A proposed federal law, the Notification of Risk to Personal Data Act (S. 115), will mandate the same notification nationwide, with the same exemption.

Exempting encrypted data seems to make sense. An encrypted file looks like random noise, so it wouldn't be of any use to a thief. The loophole is that the rules don't say what kind of encryption to use, or what to do with the key. A company concerned only with compliance could use a trivial method such as ROT-13, or store the keys in plain text along with the encrypted data. The latter is particularly tempting: Like writing down passwords, it can make users' lives significantly easier.

To resolve this and other ambiguities, California's Office of Privacy Protection issued a clarification that defined encryption as AES, the government's official encryption system. However, the clarification has no official legal force, the act hasn't been tested in court, and there's still no mention of key management.

TOKEN EFFORT

The biggest issue facing encryption on mobile devices is what to do with the cryptographic keys. When data is being sent over a network, keys can be kept safely behind firewalls at each end of the link. But with laptops and other mobile devices, the keys need to be mobile, too. Encryption was invented to prevent access to information in transit; mobile devices were invented for the opposite purpose.

The most secure place to keep an encryption key is in the user's head, but it's unreasonable to expect people to remember long random numbers. Whereas key lengths need to increase by about one bit every year to keep pace with Moore's Law, human brainpower hasn't improved since the Stone Age.

The obvious solution is to use some other physical device such as a token card, but most people keep these alongside their laptop. Another approach is to generate a key from biometric data, probably combined with a password, but this requires hardware that isn't widespread yet. Only IBM and Fujitsu currently offer laptops with built-in fingerprint readers. Most vendors are instead turning to the TPM, a dedicated PKI chip.

Compared to other hardware options, the TPM doesn't seem ideal for key storage. Unlike a USB dongle, a token card, or even a password written on a Post-it note, there's no possibility of keeping it separate from the laptop itself.

However, the chip is designed to be secure against software attacks because all cryptographic operations happen on the TPM. Usually, it's set only to decrypt for people who authenticate using a password, token, or biometric. It provides some protection against dictionary attacks because the key used for encryption is always random, not generated from a password.

The chip isn't completely secure against hardware attacks, so a highly skilled hacker motivated by industrial espionage may be able to retrieve the key. But it should deter ordinary thieves whose primary interest is in the hardware's resale value.

WHAT AND WHERE

IT managers also need to decide just what to encrypt. Encrypting program files will add performance overhead for no real security benefit, so the traditional approach is to encrypt only select files or particular folders--usually My Documents.

Encrypting files and folders using password-derived keys is relatively easy. Windows 2000 and XP Professional include an AES-based Encrypted File System (EFS), and there are many open-source utilities that will create encrypted virtual drives or partitions. However, automated key management and support for smart cards or hardware tokens will usually require additional third-party software.

For example, PC Guardian Technologies allows keys to be stored on removable devices such as USB flash drives and can ensure that certain types of files are always saved to the encrypted area. Wave Systems specializes in storing keys on the TPM, which Windows won't support natively until Vista. While IBM, HP, and other laptop manufacturers do provide software that integrates their TPMs with EFS, this is usually limited to single-vendor environments.

Separating data from programs also simplifies backup. Everything that needs to be backed up is conveniently stored together and already encrypted, so no extra precautions need to be taken with the backup media. Its other big benefit is flexibility, allowing users to apply different levels of security to different data sets.

This is vital in some industries. For example, an associate at a law firm may handle information protected by attorney-client privileges, or a journalist at a newspaper may have confidential sources. In both cases, the individual employees have a legal or ethical duty to protect that information from everyone--including their own employers' IT department and senior management.

Flexibility comes at a cost, however. Many applications write to temporary files, which may not be on the encrypted drive. Even worse, the encryption keys themselves may be held within either the swap file used by Windows when memory overflows beyond physical RAM, or the hibernation partition in which laptops store memory contents while switched off. Just like ordinary files that have been deleted but not yet overwritten, these are vulnerable to sector-scanning tools.
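The exposure described in this paragraph and under WORK TO RULE (a deleted file's sectors and a swapped-out copy of a key both surviving where a raw sector scan can read them, until something overwrites them) can be shown on a simulated disk. This is an added example, not code from the article or from any product it mentions; the disk layout, file names and the sample key are constructed.

```python
import re
import secrets

SECTOR = 16  # tiny sectors keep the constructed disk readable; real ones are 512 or 4096 bytes


class ToyDisk:
    """A flat array of sectors plus a directory: enough to model the failure mode."""

    def __init__(self, sectors):
        self.data = bytearray(sectors * SECTOR)
        self.dir = {}        # file name -> (first sector, byte length)
        self.next_free = 0   # bump allocator: freed sectors linger until the disk fills, as on real media

    def _span(self, name):
        start, length = self.dir[name]
        n_sectors = -(-length // SECTOR)          # ceiling division
        return start * SECTOR, (start + n_sectors) * SECTOR, length

    def write(self, name, payload):
        n_sectors = -(-len(payload) // SECTOR)
        if self.next_free + n_sectors > len(self.data) // SECTOR:
            raise OSError("toy disk full")
        start = self.next_free
        self.next_free += n_sectors
        self.data[start * SECTOR:start * SECTOR + len(payload)] = payload
        self.dir[name] = (start, len(payload))

    def read(self, name):
        lo, _, length = self._span(name)
        return bytes(self.data[lo:lo + length])

    def delete(self, name):
        """What emptying the Recycle Bin does: the directory entry goes, the sectors stay."""
        del self.dir[name]

    def secure_delete(self, name, passes=1):
        """Overwrite every sector the file occupied, then remove the entry.
        Each pass rewrites the whole file, which is why large files take a while."""
        lo, hi, _ = self._span(name)
        for _ in range(passes):
            self.data[lo:hi] = secrets.token_bytes(hi - lo)
        self.delete(name)


def sector_scan(disk, pattern):
    """What a recovery tool does: ignore the directory and search the raw sectors.
    Returns the sector numbers at which the pattern begins."""
    return [m.start() // SECTOR for m in re.finditer(re.escape(pattern), bytes(disk.data))]


def demo(secure=False):
    """Write a document and a swap-file copy of an encryption key, delete both with the
    chosen method, and report whether a raw scan still finds them."""
    disk = ToyDisk(64)
    record = b"ACCOUNT 12345678 balance 10000.00"                         # constructed sample data
    key = b"AESKEY:" + bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed, not a real key
    disk.write("clients.txt", record)
    # The encryption software never wrote its key to disk on purpose, but the OS paged
    # the process out, so a copy of the key now sits inside the swap file's sectors.
    disk.write("pagefile.sys", secrets.token_bytes(40) + key + secrets.token_bytes(40))
    wipe = disk.secure_delete if secure else disk.delete
    wipe("clients.txt")
    wipe("pagefile.sys")
    return {
        "directory_lists_files": bool(disk.dir),       # False either way: the files look gone
        "record_sectors": sector_scan(disk, record),   # [0] after delete, [] after secure_delete
        "key_sectors": sector_scan(disk, key),         # [5] after delete, [] after secure_delete
    }
```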

ENCRYPTION EVERYWHERE

To protect temporary files, the industry is moving toward full-disk encryption: Simply encrypt everything on its way to the hard drive, including executable files. While that does hurt performance, continuing improvements in hardware mean its impact gets less noticeable all the time. This is the approach that Microsoft takes in Windows Vista through a feature called Secure Startup. The name is designed to highlight the feature's other claimed benefit: Because it also signs files, it can verify which programs are loaded at boot time.

Pointsec, PC Guardian, and most other vendors of file and folder encryption software also offer full-disk options, often within the same product. There's no real difference between encrypting a few files or an entire hard disk, so the only barrier is the potential performance penalty. Few of the vendors are worried about Microsoft entering their market, pointing out that they already compete successfully with EFS. Like EFS, Secure Startup lacks key management features. It also requires the TPM for key storage, while third-party products can use keys generated from passwords or stored on removable media.

The software vendors may face stronger competition from hardware. In July, Seagate announced a laptop form factor (2.5-inch) hard drive that includes cryptographic hardware. The advantage here is that the encryption and decryption happen at wire speed, without requiring a particular OS or burdening the CPU. The disadvantage is that at present it's limited to Triple DES, though an AES version is planned for next year. While few cryptographers believe that Triple DES will be cracked anytime soon, AES is theoretically stronger and mandated by the Federal Information Processing Standards (FIPS).

Available in capacities from 40 to 120GB, the drive stores keys in a special partition that's inaccessible to other components and supports authentication via password, TPM, or several popular types of smart cards. Seagate is also hoping that laptop OEMs will integrate it with their own authentication mechanisms, such as the fingerprint sensors on IBM and Fujitsu machines.

IT PHONE HOME

A well-designed encryption system can help prevent thieves from accessing data, but it won't actually catch them or recover stolen hardware. For that, some organizations--including a quarter of IT Architect's survey respondents--install software backdoors on laptops. Most are aimed simply at tracking machines, though many vendors are investigating the possibility of using them to delete data or disable functionality.

In principle, an IT department could handle this in-house. However, most remote control software is intended for more mundane management tasks such as technical support, or created by black hats wanting to hijack machines for use in spam and other denial-of-service attacks. Then there's the difficulty of physically locating a computer. This was relatively easy back when laptops relied on dial-up modems, but has become much harder thanks to Wi-Fi hotspots and consumer broadband.

For these reasons, tracking is usually outsourced to service providers such as Synet Solutions and Stealth Signal. Charging about $50 per machine per year, all are based on software that secretly dials a number or pings a server at regular intervals, and most claim to have proprietary technologies for mapping IP addresses to geography. Some can instruct stolen machines to increase the ping frequency so that tracking is easier, and Computrace also offers the option of remotely erasing a hard disk.

Software can be deleted, of course. Although the programs used by these services are designed to be difficult to remove, a skilled hacker could do it, and an unskilled thief might simply reinstall a fresh OS. To get around this, some companies plan to embed monitoring or remote control capabilities into hardware, or use the TPM's signing capability to prevent a machine from being used if the software has been tampered with.
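The TPM properties the article leans on (a random key that never leaves the chip, a password that only authorizes its use and so cannot be dictionary-attacked offline, and binding that key to a verified boot chain so a tampered machine cannot release it, as described under TOKEN EFFORT, ENCRYPTION EVERYWHERE and here) can be sketched as a simulation. This is an added example, not the interface of any real TPM or of Secure Startup; the hash-chained PCR, the HMAC-based wrapping, the fixed five-failure lockout and the boot image names are constructed assumptions.

```python
import hashlib
import hmac
import secrets

PCR_INIT = b"\x00" * 32


def pcr_extend(pcr, measurement):
    """TPM-style extend: a register can only be folded forward, never set directly."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def measure_boot(components):
    """Fold every boot-time program (firmware, boot loader, OS loader ...) into one PCR value.
    Order matters, and any changed byte in any image changes the result."""
    pcr = PCR_INIT
    for image in components:
        pcr = pcr_extend(pcr, image)
    return pcr


class SimTpm:
    """Stand-in for the chip: holds a random root key that never leaves it and counts
    authorization failures. A toy model, not a real TPM command set."""

    MAX_FAILURES = 5  # assumed lockout budget; real chips use time-based anti-hammering

    def __init__(self):
        self._root_key = secrets.token_bytes(32)   # generated on-chip, never exported
        self.failures = 0

    def _wrap_key(self, pcr, nonce):
        # The wrapping key depends on the PCR state, so a different boot chain yields a
        # different key and the sealed blob simply fails to verify.
        return hmac.new(self._root_key, b"seal" + pcr + nonce, hashlib.sha256).digest()

    @staticmethod
    def _keystream(key, nonce, length):
        out, counter = b"", 0
        while len(out) < length:
            out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
            counter += 1
        return out[:length]

    def seal(self, secret, auth, expected_pcr):
        """Bind `secret` (here a random disk key) to a password and a boot state."""
        nonce = secrets.token_bytes(16)
        k = self._wrap_key(expected_pcr, nonce)
        ct = bytes(a ^ b for a, b in zip(secret, self._keystream(k, nonce, len(secret))))
        tag = hmac.new(k, hashlib.sha256(auth).digest() + ct, hashlib.sha256).digest()
        return nonce + tag + ct   # safe to store next to the encrypted disk: useless without the chip

    def unseal(self, blob, auth, current_pcr):
        """Release the secret only if password AND measured boot state match; otherwise None."""
        if self.failures >= self.MAX_FAILURES:
            return None                              # locked: too many bad guesses
        nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
        k = self._wrap_key(current_pcr, nonce)
        expect = hmac.new(k, hashlib.sha256(auth).digest() + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(expect, tag):
            self.failures += 1
            return None
        self.failures = 0
        return bytes(a ^ b for a, b in zip(ct, self._keystream(k, nonce, len(ct))))


def scenario():
    """Seal a disk key to the intended boot chain, then exercise the three failure modes
    the article describes: tampered software, wrong password, exhausted guess budget."""
    good_boot = [b"firmware-v1", b"bootloader-v1", b"oskernel-v1"]          # constructed images
    tampered_boot = [b"firmware-v1", b"bootloader-REPLACED", b"oskernel-v1"]
    tpm = SimTpm()
    disk_key = secrets.token_bytes(32)      # random, never derived from the password
    auth = b"correct horse battery staple"  # only authorizes the chip; never becomes the key
    blob = tpm.seal(disk_key, auth, measure_boot(good_boot))

    results = {"legit": tpm.unseal(blob, auth, measure_boot(good_boot)) == disk_key}
    results["tampered_boot"] = tpm.unseal(blob, auth, measure_boot(tampered_boot))
    for wrong in [b"password", b"123456", b"letmein", b"qwerty", b"laptop", b"admin"]:
        tpm.unseal(blob, wrong, measure_boot(good_boot))   # each failure counts on-chip
    results["failures_recorded"] = tpm.failures
    results["correct_after_lockout"] = tpm.unseal(blob, auth, measure_boot(good_boot))
    return results
```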

Intel is already shipping desktop motherboards that include remote control functions within the same chip as the onboard Ethernet NIC. Known as Active Management Technology (AMT), it currently lets administrators reboot a machine or alter BIOS settings, but future plans include the ability to install software or take control of a PC while it's running. A laptop version, possibly integrated into the Centrino Wi-Fi NIC, will be available early next year.

However, the thief's ability to remove software backdoors may actually be an advantage, at least to IT departments whose main security priority is to protect data rather than the hardware itself. A sticker warning that a device is being tracked can act as a deterrent, persuading thieves to reformat the laptop's hard disk immediately rather than try to access any sensitive information.

Read Andy Dornan's blog posts and send him e-mail at [email protected].

Privacy Panel Discussion

As part of Network Magazine's Data Privacy series, we invited three security experts to discuss critical issues relating to information protection. Selected excerpts will accompany each article in the series, but we've posted the entire discussion here. You can click on a specific question to jump to the responses, or read the full discussion.


1) Is the recent rash of data privacy outbreaks the result of a dramatically growing problem, or are companies now forced to publicize them?

Rubin: The former. The level of malicious penetration has dramatically increased in recent times. This is due to wider proliferation of zombies, continuing vulnerability of Windows, people not keeping up with patches, and increased sophistication and personal networking among the bad guys.

Herold: I agree, with some caveats. Technology is more complex than ever before, businesses are sharing information with other businesses more than ever before, and information handling and processing capabilities by personnel and business partners are more mobile and diversified than ever before. These situations have created even more risks than in the past for security breaches to occur. Security is much more under the control of end users than ever before, and most end users aren't aware of the risks or how to properly protect against privacy and security incidents.

However, there are still the old security breaches occurring that have been the centerpieces of recent incident news, such as losing backup tapes, having printed confidential information distributed publicly because of improper handling and disposal practices, and fraudulent use of information by authorized employees. The number of insider incidents by personnel in trusted positions continues to grow. So yes, the problem is growing because there are more ways and opportunities for breaches to occur-both technically and non-technically.

Privacy is also a topic that wasn't really talked about with much significance in the business world up until around five to 10 years ago. Incidents are occurring now that weren't considered incidents back then. Now that consumers are more savvy and aware of the risks to their privacy through improper business handling practices, and with the advent of emerging complex and mobile technologies, businesses are starting to become more aware of the risks to privacy, but they still haven't dramatically changed their information-handling practices, which also contributes to having more privacy incidents.

Richardson: A question for Rebecca: For starters, when you say "security is much more under the control of end users than ever before," I find myself wondering which of a couple of things you mean. Do you mean individuals have to look out for themselves more than ever? Or do you mean we entrust more security functions to end users?

Herold: As recently as 10 years ago (and probably even less than this), most of data security could be centralized. The information was primarily structured data under the centralized control of the infosec (or IT admin) area, stored on a mainframe, accessible through terminal sessions, and unable to be downloaded to desktops or mobile devices. Technology advances have changed this dramatically. A few studies from 2004 demonstrate this: An IDC study revealed that unstructured data (very generally, word documents, spreadsheets, e-mails, and other types of documents that end users ultimately decide how to distribute, protect, and so on) doubles every two months in large corporations. A Goldman Sachs study showed that 90 percent of data within a corporation is unstructured data. A Meta Group survey showed that the average large corporation generates over 300,000 documents per month in the performance of mission-critical processes. End users are ultimately responsible for securing information more than ever before-they're controlling how the information is secured.

So yes, end users are entrusted with more security oversight and functions than ever before by the very utility of new technologies. It's not a choice organizations have really consciously made, but one that evolved from having to address the proliferation of handheld computing devices, wireless computing, and work-from-home situations, among other things. Hopefully the end users have received the training and awareness-not to mention the policies and procedures to follow-to do what's appropriate to safeguard this information. However, it's likely that they don't receive enough information necessary to adequately protect the information they're sending in e-mails, storing in PDAs and BlackBerries, and processing on their home family laptop.

Richardson: I've been asked by newspapers a couple times recently whether or not there are actually more data theft incidents, or whether there are just more of them coming to light because of legislation requiring disclosure. I've tried to think about this in light of the CSI/FBI survey statistics over the years. They've shown organizations reporting fewer and fewer intrusions to the police (in 2001, 36 percent of respondents who had suffered an intrusion reported it to the police-it's dropped to 20 percent since then). If there's less reporting, but we're hearing about more incidents, then one might argue that there must be lots more incidents. But I don't buy that argument, to tell you the truth. The real point is that organizations have never been eager to talk to the police, let alone their customers. Because organizations fear public and legal backlash, they're being more responsible about disclosing incidents. But having given it some reflection, my opinion is that there hasn't been an overall increase in incidents-companies are just talking about it more openly out of fear that not talking about it will make things worse in the long run.

As an aside, it seems likely that many organizations aren't reporting incidents even though they're legally required to do so. Something on the order of one in five of our survey respondents say they've suffered theft of proprietary data. Let's say that only one quarter of these crimes involve the theft of customer data. That would still suggest that one in 20 of our survey respondents had a data breach that they might need to notify customers about. There were 500 respondents last year, meaning that one might have expected a couple dozen such notifications. And this from only 500 respondents-think how many corporations there are in the country. So far this year, we've had something of a media frenzy looking for these kinds of crimes and really only a half dozen or so have surfaced. There probably should have been hundreds. I harbor a strong suspicion that most such breaches go unreported (and always have).

While I believe the number of incidents is the same or perhaps even lower, I also believe the potential damage from crimes where private data is stolen has increased dramatically, but that's an issue for another day. Furthermore, it seems pretty clear that there's more incentive to steal such data these days, so if the number of breaches hasn't increased yet, it seems likely that it will, simply because there's more and more money at stake.

Herold: I agree the damage from crimes has increased dramatically. However, I disagree that the number of incidents is the same or lower. Incidents can involve more than just fraud or theft. Some incidents are accidents, some are malicious, and some are the result of sloppy management of personal information that customers discover and publicize or take to court. Some incidents are wrong decisions organizations make to share personal data with third parties and then the third parties end up misusing the data, and some incidents are never reported because the organization doesn't realize there's personal information involved (for example, a laptop lost containing a database of customer personal information). Because data processing, handling, and storage is now so widely dispersed and decentralized, and because there's more personal data in existence than ever before, it follows that there will be more incidents. Security is now predominately in the hands of end users, and technology evolves much more quickly than the security that can be applied to it. More incidents will occur as security tries to catch up, and as the caretakers of personal information don't realize the risks involved and make poor security-related decisions.

Richardson: Following along behind Rebecca's comments, I agree with pretty much all she has to say with regard to the prior centralization of databases, say, ten years ago. I may have been a bit sloppy in my earlier remarks. What I was trying to focus on, however, was the question of whether the latest spate of media coverage of data breaches is a result of more incidents, or more reporting by companies. It's certainly true that if you go back far enough to pre-Internet days and then even further back to pre-PC networks, the whole cybercrime picture is entirely different-absolutely. But if we merely go back prior to the California disclosure law-and to be honest I don't think anyone has the data to show one way or the other for sure-I suspect there were as many of at least some kinds of breaches, such as backup tapes getting lost in the mail, fraudsters bilking credit data brokers out of their customer data, and so on. I'd argue that there were probably as many data mishaps in, say, 2002 as there will be in 2005.

Or at least there are as many incidents where databases are breached and lots of records are stolen. Rebecca made a great point that more and more data is also being stored in unstructured formats. This data is no doubt leaking off lots and lots of individual desktops. I'm a little skeptical about the Goldman Sachs 90 percent number mentioned, but the main point holds that there are a lot more spreadsheets floating around on individual desktops with little or no real security. It's hard to say what the real overall impact of this is (I've got a lot of company data on my machine, for instance, but I don't think any of it could be used for identity fraud), but it's definitely worth thinking about in addition to worrying about more conventional network and database breaches.

In any case, the stakes are higher.

2) Do you think laws such as California's SB 1386 will actually prompt companies to implement better privacy and security controls? Or is it more cost-effective to maintain the status quo and then just write off whatever fines and bad publicity accompany a breach? (Or, more cynically, are these laws just more incentive to cover up a breach?)

Rubin: I think the law is a step in the right direction. If companies are worried about embarrassment, they're more likely to clean their own house. Currently, there's little incentive for companies to protect data about other people who aren't their customers.

Herold: I believe that in an idealistic world, laws wouldn't be necessary. However, realistically, businesses will only spend money if they can see a return on investment, so laws are definitely needed to provide the motivation for organizations to significantly improve their security and privacy controls. Some companies are gambling that they'll either not have anything bad happen to them, or that if something bad does happen, that no one will find out or that none of the regulators will ever come knocking on their door to check their compliance. However, with the increased number of news items reporting the wide range and variety of privacy and security incidents, organizations are starting to realize that they need to be prepared or face not only fines, penalties, and possible civil actions, but also be significantly impacted through lower stock values and decreased value of their corporate brand following an incident. Smart business leaders realize that they can't afford to take that gamble-the odds are becoming less and less in their favor.

Richardson: I think legislation has had a net positive effect on the security of most organizations. Some studies suggest that more money is being spent on security. Businesses in some sectors (medical, financial) surely must have decided that they can't afford to be blasted in public by a large-scale incident. But my take is that current legislation doesn't really get the whole job done because individual citizens still have no real protection or redress from crimes against them occurring as a result of sloppy security at organizations that may store information about them even without their knowledge. Given the increasing reach of corporations and the personal data they store, this really isn't acceptable.

3) What measures should organizations take to prevent data leakage when portable devices are lost or stolen? Laptops are the obvious examples, but PDAs, cell phones, USB drives, and even iPods can store large amounts of data, making them tempting targets for thieves. Encryption seems like an obvious solution, but if this is used, how can the cryptographic keys be stored? (For example, keys generated from passwords are vulnerable to dictionary attacks, and users are prone to leave their token cards alongside their laptops.)

Rubin: I have a solution to this. Since I use a Mac, there's something called an encrypted file system. It exists in Windows as well. I create logical drives that are encrypted and stored as encrypted flat files. When I mount them, I'm prompted for a passphrase, which I make very long and hard to guess, and which I remember because I've been using it for a long time. Once the drive is mounted, it appears as a normal directory. When I unmount the drive, it reverts to an encrypted flat file. On a Mac, you can add the key to the key ring and keep the key ring encrypted. These encrypted file systems are actually easier to use than they sound, and you can move encrypted drives around like regular files. It gets a little trickier on mobile devices. These systems have such insecure OSs right now that my advice is just not to put anything sensitive on them, whether it's a PDA or a cell phone. If you lose your cell phone and someone finds it, even if you password-protect the data it's pretty easy to recover the information.

One thing that's intrigued me lately are the so-called "phone home" services where a stolen or lost laptop tries to connect to a security service whenever it's connected to the Internet. This enables one to find a lost laptop and can lead to the thieves being caught. These services are gaining in popularity, although they've been around for a while. Who knows? Maybe in the future, thieves won't connect a laptop to the network until they've wiped it clean after stealing whatever data they wanted.

In summary, don't put anything sensitive on USB drives, iPods, or cell phones. Do use encrypted file systems on your laptop. And do get a "phone home" service so that your laptop can get in touch even if it's stolen.

Richardson: I absolutely agree that encrypted volumes on hard drives are a great way to go. On current machines, the overhead of the encryption doesn't seem to particularly affect user-perceived performance, so the only downside is having to remember one's password or passphrase. People who have good schemes for creating memorable passwords (or folks like Avi, who just keep using the old one for a long time, which theoretically is a no-no but not nearly so problematic when talking about access to mount a disk volume because you have to be at the machine to do this) should have no problem with this.

I've also taken to keeping sensitive data (though, frankly, precious little of the stuff I work with is actually very sensitive) on USB memory sticks with encrypted volumes on them. You can do this automatically with some USB drives from Memorex, but there have been some vulnerabilities found in how these devices store the password, and I'm not sure what the status of this problem is at present. You can also do it using software to create a virtual drive on any plain-vanilla USB drive. When I travel, I keep the USB encrypted drive separate from the notebook. If the notebook is stolen, the sensitive stuff isn't even on it. If the USB drive is stolen, it's encrypted.

Avi is right that security isn't too impressive on PDAs and cell phones these days, but I wouldn't say it's an all-or-nothing proposition. It's possible to use encrypted Microsoft Word files on Palm devices, for instance. That's less-than-perfect protection, but for discouraging thieves who are just looking over the freshly stolen device to see if there's anything good, it's probably a sufficient deterrent. There are also third-party device password programs that will clean all the data off a PDA after a user-configurable number of failed login attempts. There are some issues with these utilities (some won't wipe installed memory cards clean, for instance), but provided that you're aware of them, they make for far better security than most people have on their desktop computers.

Unless your mobile phone is also a PDA and you can use a third-party utility to lock it down, I'd completely agree with Avi that nothing vital should be stored on it right now.

As for people keeping their tokens next to their notebooks (my token is sitting right next to my machine as I type this), here's my modest proposal for the industry: RSA or somebody else in the token business should team up with Timex or some other watchmaker and add token generation to all its digital watches. Press a button, get a one-time, six-digit number. Since it would be available across a broad range of watches, people could pick something they could stand to wear (maybe pretty much what they're wearing already). This way, people would always have the token on their wrists, not sitting around somewhere waiting to be lifted. The watch could be stolen, of course, but most people know right away when their watches have been stolen, so they could immediately report the theft.

In the meantime, I think tokens still make a lot of sense. But to complement them, we have to require a password (which all the systems I've seen do), and we have to strive to get users comfortable with using and remembering strong passwords.

Of course, all this aims at a technical solution. In many ways, a better solution is to not allow certain kinds of privacy-related data on those laptops in the first place, but this is more of a policy issue than a technical one.
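The watch-token idea above is, mechanically, an event-based one-time code: press a button, the device advances a counter and shows six digits derived from a shared secret. The following is an added illustration written for this page, not code from the roundtable participants or from any token vendor. It implements the HOTP algorithm from RFC 4226 (using that RFC's published 20-byte test key as a constructed demo secret) together with a hypothetical server-side `TokenAccount` that enforces what Richardson asks for: the code is only accepted alongside a password, a small look-ahead window tolerates unused button presses, and every accepted code is consumed so an observed code cannot be replayed.

```python
import hashlib
import hmac
import os
import struct

# Constructed demo secret: the 20-byte test key from RFC 4226, Appendix D.
# It is a published test vector, not a real user's token seed.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Event-based one-time code (RFC 4226): HMAC-SHA1 over the 8-byte
    big-endian counter, dynamic truncation, reduced to `digits` decimals."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


class TokenAccount:
    """Hypothetical server-side record for one user: salted password hash,
    token seed, and the next counter value the server expects."""

    def __init__(self, password: str, token_secret: bytes, look_ahead: int = 5):
        self._salt = os.urandom(16)
        self._pw_hash = self._hash(password, self._salt)
        self._secret = token_secret
        self._counter = 0
        self._look_ahead = look_ahead  # tolerate a few unused button presses

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        # Slow, salted derivation so a leaked record resists dictionary attacks
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def verify(self, password: str, code: str) -> bool:
        """Both factors must check out. A code is accepted only if it falls in
        the look-ahead window, and is then consumed, so a code that was seen
        once (over a shoulder, in a log) cannot be replayed."""
        pw_ok = hmac.compare_digest(self._pw_hash, self._hash(password, self._salt))
        matched = None
        for c in range(self._counter, self._counter + self._look_ahead):
            if hmac.compare_digest(hotp(self._secret, c), code):
                matched = c
                break
        if not pw_ok or matched is None:
            return False  # counter untouched: a failed attempt never advances it
        self._counter = matched + 1  # this and all earlier codes are now dead
        return True


if __name__ == "__main__":
    acct = TokenAccount("long memorable passphrase", DEMO_SECRET)
    first = hotp(DEMO_SECRET, 0)                       # the "button press"
    print(acct.verify("long memorable passphrase", first))   # True
    print(acct.verify("long memorable passphrase", first))   # False: replayed
```

The look-ahead window is the usual compromise between usability (a user who pressed the button a few times without logging in is not locked out) and exposure (an attacker with the seed gains nothing extra, but a larger window gives a blind guesser more valid codes); production systems also add an attempt limit and a resynchronization procedure that this sketch omits.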

Rubin: For some time now, I've been advocating against password aging. I spent a bit of time in my last book, Firewalls and Internet Security (Addison-Wesley Professional, 2003), writing about that. When people are forced to change passwords, they invariably pick something that's derived from the last one (think rover1, rover2, rover3, and so on). Or they write them down and post them near the computer. My philosophy is:

1. Pick very good passphrases (not passwords, and include spaces).
2. Never ever write them down.
3. Never use them over an unencrypted connection.
4. Don't change them unless you have some reason to believe they were compromised.
5. Every once in a while, break rule number 4, like every three years.

I know this is controversial, but I can argue (and have) that changing passwords every 60 days leads to more security problems than it avoids, not to mention calls to the help desk to restore passwords and the social engineering attacks that go along with that habit.

Richardson: I agree with Robert for the most part. I think changing passwords every 60 days simply doesn't work in practice, unless you only have one or two to keep track of. The way I approach passwords these days is to have a "base" password that I change every year or two, plus a system for altering the password in different contexts (at different Web sites, for instance). To be perfectly honest, I have a couple of different base passwords, one of which is for less secure systems, such as Web sites I don't necessarily trust. This is less than perfect in some ways, but does mean that I always use a different password on each different system, and that I can always recall what each password is, even if I haven't used it in a long while.

I also think that passphrases are a great idea, but there are an awful lot of systems where you can't use them, at least not yet. I think we're on the same page (as it were) where not writing passwords down is concerned, though I will concede that I also see there's something to be said for the less conventional argument that it's better to create strong passwords and write them down in a safe place as a way of avoiding the use of weak passwords. Bottom line, though, I think there's no reason why strong passwords shouldn't be memorable as well as strong.

Herold: I think it's helpful to look at this and other information security and privacy issues from a couple of different ways: the ideal measures to take, and the practical or realistic measures. There are large numbers of personnel within organizations who have decided for themselves to use their own mobile devices. I know organizations where large numbers of marketing, sales, research, and other personnel load customer, consumer, and even employee data onto such mobile devices so that they can continue to work while away from the office.

The specific precautions a company chooses will depend on its own unique environment, business requirements, and the results of evaluating its risks (see "Privacy Policies For Portable Devices"). I also like the idea of "phone home" services or tools, as well as encrypting logical drives or even full disks.

4) When IT architects have limited time and resources to devote to keeping data private, which core technologies and practices should they focus their efforts on?

Rubin: I think having a clearly defined policy for user-identifying data is a must. Once a policy is in place, there needs to be a procedure for ensuring adherence to the policy. Technologies that can be used include data masking (where, for example, only a few digits of a credit card number or social security number are kept), encryption, and data destruction.

Herold: I agree with Avi that establishing clearly defined information security and privacy policies is necessary, as is implementing procedures to support the policies. Additionally, such policies and procedures must be strongly and visibly supported by executive management, most ideally by the CEO. If you want personnel to comply with policies and procedures, you must have strong leaders that communicate the importance, and requirement, of compliance. Following this, then, is the need for a strong, effective, and ongoing training and awareness program to communicate to all personnel how to comply with the privacy and security requirements during the course of their job activities, and make security and privacy a component of each position's job requirements and a consideration within each employee's yearly appraisal or review.

There are also several other core practices to focus on. You reference specifically the IT architects, but information privacy and security must become integrated into all business practices, from the beginning of the business service or product lifecycle to the retirement of the service or product throughout the entire organization; it's not something that can be successfully addressed through technologies alone.

However, if you want to focus just on IT and privacy management, I believe IT architects need to identify all the Personally Identifiable Information (PII) that their organization handles and map the flow of that PII from the points where it was collected through their networks to the points where the PII leaves the organization. Perform a privacy impact assessment to identify where the greatest risks are to the PII, then based upon risk apply the appropriate technologies. In some organizations, this may mean the implementation of encryption on all mobile computing devices; in others, it may mean implementing third-party data processor security requirements; and in still others, it may mean implementing records retention and effective data disposal solutions. It may also mean heightened efforts for legal and regulatory compliance actions, or it could be a combination of these and other actions. Organizations need to focus their efforts based on their own unique risks, which will vary from organization to organization. A mistake organizations often make is trying to implement the same risk management processes, technologies, programs, and so on that another organization has implemented successfully. Information security and privacy management within an organization must be unique to that organization's environment and risk levels, not based on someone else's.

5) A relatively new technology category has cropped up that's referred to as "information leak prevention," "extrusion prevention," or "content monitoring." It's usually a combination of hardware and software that sits on a network and reads data going by, matching it against databases or fingerprints of private or confidential data, and quarantining anything that shouldn't pass through the firewall. Some vendors are Reconnex, Tablus, PortAuthority, and Palisade Systems. What do you think of this technology, and to what extent could it provide an answer to the data privacy problem?

Rubin: Full disclosure: I'm on the technical advisory board of Tablus, and I have an equity interest in the company.

I think this approach offers great promise. While false positives can be annoying, I can't think of a better way to monitor so that only "approved" content gets out of an organization. Clearly these technologies are easy for a clever attacker to defeat. However, they're effective against the 98 percent of users who aren't computer whizzes. Also, they're extremely useful against accidental and unintentional leaks of sensitive information.

I don't think any technology is going to provide the "answer" to the data privacy problem. The necessary ingredients are user awareness, helpful technologies such as the extrusion prevention ones mentioned here, vigilance, and adherence to data destruction, encryption, and access control policies.

Richardson: I don't own a stake in any content monitoring solutions, but I nevertheless think they're pretty interesting and probably should be more widely deployed. Even for solutions where it's trivial for a hacker to bypass the monitoring, there's significant value simply in stopping accidental disclosures of information (such as forwarding sensitive e-mails offsite). Furthermore, in the case of hackers outside the perimeter, these monitoring solutions may be more effective than they would initially seem. If a monitor looks specifically for patient identity numbers at a health care organization, you might think the hacker could find the data, encrypt it so that it no longer had visible patient numbers, and the monitor would be useless. But it's hard to imagine that an outside hacker could find the numbers in the first place without looking at a few of them (and thus causing them to be sent across the wire and stopped at the perimeter). Obviously, whether this works or not depends on the specific situation and the sensitivity of the monitor, but I think this holds some promise.

What I think holds more promise, however, is designing applications and databases so that the sort of data masking Avi mentions (along with encryption, where appropriate) is a routine component. I think the real solution to privacy is to make it very hard to steal information in a form that can actually be used for fraud and to track uses of data so that alarm bells will sound when stolen data is used to attempt a crime (you can't do this sort of thing now with, say, social security numbers, but that has as much to do with the outdated design of social security numbers as anything else).
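To make the two ideas just discussed concrete, here is an added example written for this page; it is not code from the roundtable participants or from Reconnex, Tablus, PortAuthority, or Palisade Systems, and the patterns are a deliberately simple stand-in for a product's fingerprint database. It shows the core of the "content monitoring" loop the question describes (inspect outbound text, match it against patterns for private data, quarantine on a hit) and applies the data masking Rubin recommends in question 4 to the alert itself, so the monitor's own logs do not become another copy of the sensitive values. The sample messages are constructed; the card number and SSN in them are well-known test values. The Luhn check-digit test is what keeps an order number that merely looks like a card number from becoming the kind of false positive Rubin mentions.

```python
import re

# Constructed sample outbound messages. The card and SSN values are
# standard test numbers, not real customer data.
SAMPLE_MESSAGES = [
    "Q3 forecast attached, see you Monday.",
    "Customer callback: card 4111 1111 1111 1111, exp 12/09",
    "Order #4111111111111112 shipped this morning",
    "Payroll update for SSN 123-45-6789 processed",
    "Call me on 555-123-4567 about the 4000 units",
]

# 13 to 16 digits with optional single space or hyphen separators (assumed,
# simplified pattern; a real product would also carry issuer prefix tables)
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")
# SSN layout with the structurally impossible area/group/serial values excluded
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d\d-(?!0000)\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit (ISO/IEC 7812): doubles every second digit from the
    right, folds two-digit results, and requires the sum to be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the last four digits, as Rubin's data-masking suggestion does."""
    return "*" * (len(digits) - 4) + digits[-4:]


def mask_ssn(ssn: str) -> str:
    return "***-**-" + ssn[-4:]


def scan_message(text: str) -> list:
    """Return (kind, masked_value) findings for one outbound message."""
    findings = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):  # drops order numbers etc. that merely look like PANs
            findings.append(("PAN", mask_pan(digits)))
    for m in SSN_RE.finditer(text):
        findings.append(("SSN", mask_ssn(m.group())))
    return findings


def filter_outbound(messages: list) -> list:
    """Verdict per message: quarantine anything with a finding, pass the rest.
    Only masked values are returned, so the alert log holds no raw PII."""
    return [("quarantine" if found else "pass", found)
            for found in map(scan_message, messages)]


if __name__ == "__main__":
    for msg, (verdict, found) in zip(SAMPLE_MESSAGES, filter_outbound(SAMPLE_MESSAGES)):
        print(f"{verdict:10} {found} <- {msg}")
```

Pattern matching of this kind is exactly what Rubin and Richardson say a determined attacker can sidestep by encrypting or re-encoding the data before it crosses the wire; its value is against the accidental forward and the casual insider, and the masked findings are what an analyst reviews when deciding whether a quarantined message was a true leak.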

Herold: This is indeed very interesting. I've noticed the emergence and growth of such technologies in the past few years, particularly with regard to organizations trying to comply with regulations such as HIPAA and the Gramm-Leach-Bliley Act. Such technologies create an intriguing dichotomy: They're being used to help preserve privacy by preventing the leakage of private information and protecting access to privacy information, yet they're also seen by some as tools that infringe upon the privacy of the people sending and receiving the information because of the effect of covert monitoring of employees or others that results. It would be an interesting exercise to examine whether or not the use of such tools in some jurisdictions would violate the laws there. For instance, would use within an organization in the United Kingdom violate the Data Protection Act of 1998? Would the use of such tools in France violate the Labour, Civil, and Criminal Codes? Also, would the use of such tools violate an organization's own published information security and privacy policies, particularly with regard to employee privacy and resulting in the need to update the policies prior to implementation of the tools? When evaluating whether or not to implement such tools, organizations should consider these other issues as well.

By the way, I don't own a stake in such tools either, but I find the conversations with vendors of these tools quite fascinating.

I strongly agree with Avi and Robert. Security and privacy must be built into all applications and network solutions from the very beginning of the lifecycle and follow through to the expiration of the application or network.
