Slashdot Mirror


How Do You Deal With Sensitive Data?

imus writes "Just wondering how most IT shops secure sensitive data (customer records). Most centrally managed databases seem to be monitored and maintained very well and IT workers know when they are tampered with or when unauthorized access occurs. But what about employees who do legitimate selects from these databases and then load CSV files and other text files onto their laptops and PDAs? How are companies dealing with situations where the database is relatively secure, but end-use devices contain bits and pieces of sensitive business data, and sometimes whole segments? Does anyone use sensitive data discovery software such as Find_SSNs or Senf or other tools? Once found, how do you deal with it? Do you force encryption, delete it or prevent extracts?"

17 of 226 comments

  1. Easy by pak9rabid · · Score: 3, Insightful

    Pay your employees enough to make protecting your company's data on their computers/PDAs worthwhile.

    1. Re:Easy by QuantumRiff · · Score: 4, Insightful

      Try having well written, very clear policies that that kind of action is forbidden. Of course, a piece of paper means crap to most employees, but the first time you fire someone for violating that policy, the grapevine and water cooler will provide more training than a dozen hour-long meetings could convey.

      --

      What are we going to do tonight Brain?
    2. Re:Easy by techno-vampire · · Score: 5, Insightful
      Try having well written, very clear policies that that kind of action is forbidden.

      It's all well and good having policies like that, but if your employees either don't know about them or can plausibly claim they don't know, they won't do any good. Every employee who has, or even might have access to sensitive data should be required to sign a copy of that policy and it should be part of their records. That way, if anything happens, they won't be able to pretend they didn't know they were violating company policy. Depending on local laws, this might help you avoid (or defend) a suit for wrongful termination.

      --
      Good, inexpensive web hosting
    3. Re:Easy by syousef · · Score: 4, Insightful

      but the first time you fire someone for violating that policy

      Another one that thinks the solution is to fire employees, and gets modded insightful. You know what? I get the impression that most slashdotters would make piss poor bosses. Firing employees randomly when they violate a policy to set an example isn't exactly smart.

      Do you know what it costs to hire an employee, and get them up to speed doing their job well? Never mind the fact that the next person you hire to fill the role might be a dud, or that the job market may mean the position goes unfilled for quite some time. Do you know what it does to morale? That gossip around the water cooler gets people updating resumes and looking for work elsewhere before they're fired for some other petty reason to set an example. Then there's the legal aspect - if you're wanting to avoid unfair dismissal claims providing clear guidelines is just one step - you have to show that the on-the-spot firing was justified. Then there's the human aspect - unless you're a soul-less piece of shit that cares not a jot about destroying a family's livelihood you may want to look for actions that don't leave people jobless.

      --
      These posts express my own personal views, not those of my employer
    4. Re:Easy by myowntrueself · · Score: 1, Insightful

      Firing employees randomly when they violate a policy to set an example isn't exactly smart

      I'm sorry but I'm having trouble making sense of your sentence.

      How, exactly, is firing someone for violating a very clear, written and signed policy in the least bit 'random'?

      Maybe you have a different idea of 'random' to the rest of us... just checking.

      --
      In the free world the media isn't government run; the government is media run.
    5. Re:Easy by glitch23 · · Score: 2, Insightful

      Pay your employees enough to make protecting your company's data on their computers/PDAs worthwhile.

      You can only pay employees so much and it will probably never be able to match what organized crime would pay someone to steal the data. That's where background checks on all employees help, but they still do not guarantee that you can trust your employees.

      --
      this nation, under God, shall have a new birth of freedom. -- Lincoln, Gettysburg Address
  2. 12345 by lazycam · · Score: 5, Insightful

    The strength of your encryption means nothing in the face of a user who insists on using their birthday as a password or keeps a post-it on their computer monitor. Unless you are able to force individuals to use strong or randomly generated passwords you are at a loss. In the end, human behavior will circumvent our best security.

    --
    my mom posts on slashdot.
  3. Send letters by chinakow · · Score: 3, Insightful

    From what I can see, most companies wait until the sensitive data is lost or stolen then they send every customer a letter telling them it is gone and offering to pay someone to keep an eye on their credit. Other than that, I think the policy must be, "ignorance is bliss." That is just my two cents.

  4. We lock it via user-restricted accounts by WillAffleckUW · · Score: 2, Insightful

    We use specific user names and strong passwords (not user selected) behind a strong firewall and web encryption.

    But the reality is that anyone could stick the query results to file on a flash drive ...

    --
    -- Tigger warning: This post may contain tiggers! --
  5. Um by Mateo_LeFou · · Score: 4, Insightful

    Isn't the point of GP that when you pay the proper amount, you can often count on -- gasp -- *competent* people coming to work?

    --
    My turnips listen for the soft cry of your love
    1. Re:Um by magpie · · Score: 3, Insightful

      Since when have pay and competence had anything to do with each other?

      Look in your average board room if you want evidence of the lack of a link.

  6. Legitimate selects? by MartinG · · Score: 4, Insightful

    What about employees who do legitimate selects from these databases and then load CSV files and other text files onto their laptops and PDAs?

    What kind of employee? General users shouldn't be doing selects directly anyway, but should be using software that limits what they can query to the minimum information they need, preferably not in a general purpose form like csv. On the other hand the developers of that software need to do all and any kinds of selects for a whole range of reasons. They however, should not be let anywhere near the actual production databases.

    This is how we do it anyway.

    --
    -- MartinG To mail me: echo kewyjlcxyzvjfxbqwh | tr bcefhjklqvwxyz .@adgimnoprstu
    1. Re:Legitimate selects? by Tablizer · · Score: 2, Insightful

      General users shouldn't be doing selects directly anyway, but should be using software that limits what they can query to the minimum information they need, preferably not in a general purpose form like csv. On the other hand the developers of that software need to do all and any kinds of selects for a whole range of reasons. They however, should not be let anywhere near the actual production databases.

      Users always want to manipulate info on spreadsheets to adjust it to their needs or pretty it up. Thus, being able to export the data is almost a must at a typical corporation.

      The alternative is to have a dedicated pool of re-formatting gurus who prepare the stuff for each user or department; but most companies don't want to do it this way because it's difficult to rein in excess requests. Letting each group do their own filters out dumb or excessive requests because they have to allocate the reformatting labor from their own staff. Plus, a central pool can create bottlenecks and delays as low-priority requests are treated the same as high-priority ones (unless you implement a complex and costly tracking system).

      It's possible to limit the amount of data per CSV or spreadsheet download or request, but if they really need it, then they'll do one slice at a time until they have all they need. For example, do one month at a time in order to collect a full year. Thus, limiting the download does not prevent misuse of the data, it only makes more work for those determined to get the data for whatever project they're working on.

      "Proper" and thorough security is often not cheap. The cost of inflexible data has to be weighed against breach costs/risks. Managers and employees want flexible information systems to make better decisions. If you red-tape the process, it slows or prevents the flow of info, hurting the bottom line.
       

  7. Re:Policies by aztracker1 · · Score: 4, Insightful

    Personally, I can't see *ANY* instance where a full set of SSNs for more than a handful of people should *EVER* be needed on a laptop... I mean, if you are entering data, sure... but WTF should anyone be carrying around some of the information that gets leaked.

    I think *IF* such information is needed for lookups, then a 1-way hash is a necessity. If you aren't responsible for dispatching to customer locations on a weekend, then you shouldn't need street addresses. I can see needing some information for customers, but SSNs, or CC data should *NEVER* be on anything outside of the office, or a backup storage facility.

    It's that simple. No SSNs leave the office... No CC information leaves the office... no street addresses leave the office, unless absolutely necessary.

    I've seen smaller companies that have the entire database in the "on call" laptop, that gets copied from the server Friday, and to the server Monday... I shudder every time I think about it...

    --
    Michael J. Ryan - tracker1.info
  8. I start by keeping as little of it as possible by CFD339 · · Score: 2, Insightful

    Any project I manage, and most I am influential all, I make it a point to constantly ask "Why are we collecting this? How long do we need to keep it? When can we delete this data?"

    If you don't have it, you can't lose track of it and it can't be stolen from you.

    If you have to store sensitive data -- and in some cases we all do -- you try to isolate the sensitive parts of it from the identifying parts of it. Use hashed values for keys instead of actual names or account numbers, that kind of thing.

    There's the obvious of course -- data on laptops should be encrypted, and the key for that encryption shouldn't be taped to the inside of the battery door.

    --
    The problem with quotes on the internet, is that nobody bothers to check their veracity. -- Abraham Lincoln
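
The one-way hash for lookups (comment 7) and the hashed keys (comment 8), as an added example that is not from the thread. It assumes a keyed HMAC-SHA-256 rather than a bare hash, because nine-digit SSNs are few enough to enumerate against an unkeyed digest; the key, field names and records are constructed, and the key is assumed to stay on the server.

```python
import hashlib
import hmac

def token_for(identifier, key):
    """Keyed one-way token; formatting differences (spaces, hyphens) are ignored."""
    normalized = identifier.replace("-", "").replace(" ", "")
    return hmac.new(key, normalized.encode("ascii"), hashlib.sha256).hexdigest()

def build_extract(records, key, id_field="ssn", drop=("card", "street")):
    """Rows that may leave the office: identifier replaced by a token, dropped columns gone."""
    extract = []
    for rec in records:
        row = {k: v for k, v in rec.items() if k != id_field and k not in drop}
        row["token"] = token_for(rec[id_field], key)
        extract.append(row)
    return extract

def find(extract, identifier, key):
    """Lookup performed where the key lives: tokenize the query, then compare tokens."""
    wanted = token_for(identifier, key)
    return [row for row in extract if hmac.compare_digest(row["token"], wanted)]

# Constructed placeholder key and records (assumptions for this example only).
KEY = b"constructed-demo-key-not-for-production"
RECORDS = [
    {"ssn": "078-05-1120", "name": "Jane Example", "card": "4111111111111111",
     "street": "1 Example Way", "balance": "120.00"},
    {"ssn": "219-09-9999", "name": "John Example", "card": "4111111111111111",
     "street": "2 Example Way", "balance": "75.50"},
]

if __name__ == "__main__":
    extract = build_extract(RECORDS, KEY)
    for row in extract:
        print(row["token"][:16], row["name"], row["balance"])
    print(find(extract, "078 05 1120", KEY))
```

The extract still works as a join key between tables, but without the key a lost copy cannot be matched back to SSNs by hashing candidates.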
  9. Pretty much a solved problem... by rbunker · · Score: 2, Insightful

    This is pretty much a solved problem.

    * only grant execute access to stored procedures, no ad hoc or dynamic sql at all
    * encrypt sensitive information so that backup tapes do not become a vulnerability
    * don't store anything you don't actually need...there are credit card authorization firms that will give you a token to store, so you never store the credit card number at all, even for recurring payments
    * segment particularly sensitive data entirely...the HR database should be a different instance on a different server etc.
    * don't give IT folks access they don't actually need....this protects them from suspicion, too
    * if you have especially sensitive stuff, use a data access intelligence product like rippletech to intercept database calls and stop suspect ones
    * don't allow the data to float around in clear text before it hits the database....clear text credit cards in the apache logs obviate the benefit of strong encryption in the database, and if it moves over the network in the clear any employee that can download snort owns it
    * use different vlans for sensitive information, or for inter-application communications that might be particularly rich with valuable information
    * use strong authentication for access to sensitive servers...several layers worth for connecting from home etc. etc. etc. all the normal security stuff.
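
The kind of scan the submitter asks about, applied both to a CSV extract and to the clear-text card numbers in web server logs that comment 9 warns of. This is an added example, not from the thread and not the code of Find_SSNs or Senf; the patterns, sample rows and log lines are constructed.

```python
import re

# SSN written with separators; areas 000, 666, 9xx, group 00 and serial 0000 are never issued.
SSN_RE = re.compile(r"(?<!\d)(?!000|666|9\d\d)\d{3}([- ])(?!00)\d{2}\1(?!0000)\d{4}(?!\d)")
# 13 to 19 digits, optionally split by single spaces or hyphens (card number candidates).
PAN_RE = re.compile(r"(?<![\d-])\d(?:[ -]?\d){12,18}(?![\d-])")

def luhn_ok(digits):
    """Luhn checksum: filters out order ids and other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def mask(value):
    """Keep only the last four digits so the report is not itself sensitive."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]

def scan(lines):
    """Return (line_number, kind, masked_value) for every hit."""
    report = []
    for n, line in enumerate(lines, 1):
        for m in SSN_RE.finditer(line):
            report.append((n, "ssn", mask(m.group(0))))
        for m in PAN_RE.finditer(line):
            if luhn_ok(re.sub(r"\D", "", m.group(0))):
                report.append((n, "card", mask(m.group(0))))
    return report

# Constructed sample: three CSV rows followed by two access-log lines.
SAMPLE = [
    "id,name,ssn,email",
    "1001,Jane Example,078-05-1120,jane@example.com",
    "1002,John Example,000-12-3456,john@example.com",
    '192.0.2.10 - - [10/Oct/2007:13:55:36 -0700] "GET /pay?card=4111111111111111&amt=10 HTTP/1.1" 200 5120',
    '192.0.2.11 - - [10/Oct/2007:13:56:02 -0700] "GET /order?id=1234567890123456 HTTP/1.1" 200 312',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

The never-issued SSN on row 3 and the 16-digit order id that fails the Luhn check are both skipped, which keeps the false-positive rate of a file sweep manageable.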

  10. How about $10,000 per SSN? by rueger · · Score: 3, Insightful

    It seems like most of these stories involve some boob carrying data away on a laptop or USB key then losing it or having it stolen. Sure you want to acknowledge and deal with boobishness, but you also really need to address why the boob found it necessary to carry data away from the workplace in the first place, and why management encouraged and/or endorsed that action.

    If employees can complete work during a regular work day then there is no reason to take it home with them.

    If management insists that data security matters, it is possible to set up systems so that it's not possible for employees to copy off chunks of data and remove them.

    The solution likely is to nail these companies to the wall, and make it more expensive to let data out of the workplace than it is to hire more or better employees and develop secure internal systems to protect data.

    As it stands now a company can usually get by with firing one employee and saying "Oh my God! We promise this will never ever happen again!"

    For a start, how about a penalty of $10,000 for every SSN or credit card number released to the wild, no matter what the reason or excuse? Suddenly losing a laptop with 100,000 customer files will become a VERY big deal.