How Do You Deal With Sensitive Data?
imus writes "Just wondering how most IT shops secure sensitive data (customer records). Most centrally managed databases seem to be monitored and maintained very well and IT workers know when they are tampered with or when unauthorized access occurs. But what about employees who do legitimate selects from these databases and then load CSV files and other text files onto their laptops and PDAs? How are companies dealing with situations where the database is relatively secure, but end-use devices contain bits and pieces of sensitive business data, and sometimes whole segments? Does anyone use sensitive data discovery software such as Find_SSNs or Senf or other tools? Once found, how do you deal with it? Do you force encryption, delete it or prevent extracts?"
I try not to talk loudly around it, and make sure its emotional needs are met.
Pay your employees enough to make protecting your company's data on their computers/PDAs worthwhile.
At a technical level, every laptop/portable data storage device should have its hard drive encrypted. Disable USB ports if you can get away with it, or at least put software on which forces encryption of files sent to USB keys. That will cover most of your issues.
Users will legitimately require access to sensitive data as part of their job; the IT department should have the power to ensure they don't do it in a way that exposes the company to the embarrassment of losing a laptop with SSNs in the subway...
We use a robots.txt file and a strongly worded "keep out - private data" header on all important records.
The UK Government. 600 lost laptops over the last ten years! Including two from the MOD with very sensitive data on them. And that's just electronic data. Despite the public being told how important shredding documents is, some commercial enterprises seem to be just chucking sensitive data out in the bin, unshredded.
Once found, how do you deal with it? Do you force encryption, delete it or prevent extracts?
First off you need to have a policy on who is allowed to extract it, and how they should handle the data (be it encryption, keeping the data on-site, etc).
But here's the trick: If you find data kept in violation of the policy, you send EVERYONE to training. I'm talking mandatory training where they lose computer access (and thus, don't get paid) until they do the training. All new hires have to do it, too. Make it really boring, and administered after normal work hours.
After the first time everyone is sent to training for some poor schmuck being careless, I guarantee nobody will ever violate policy again.
We use forced whole disk encryption on all laptops. Additionally, you can look at data loss solutions like you've suggested but I'd recommend something a bit more holistic, like Cisco's Security Agent, which provides a centrally managed firewall, IPS, anti-virus and data loss protection function all from a single installed agent.
The strength of your encryption means nothing in the face of a user who insists on using their birthday as a password or keeps a post-it on their computer monitor. Unless you are able to force individuals to use strong or randomly generated passwords you are at a loss. In the end, human behavior will circumvent our best security.
my mom posts on slashdot.
From what I can see, most companies wait until the sensitive data is lost or stolen then they send every customer a letter telling them it is gone and offering to pay someone to keep an eye on their credit. Other than that, I think the policy must be, "ignorance is bliss." That is just my two cents.
I name all of my sensitive files, databases, tables, and fields with names that nobody would want to touch, such as "Smashing Pumpkins Discography DB", "tblPeeWeeHerman", "Oprah.txt", etc.
And for storage, I burn them all to DVD and put them inside empty "Aerosmith" jewel cases. Keeps them nice and safe from prying eyes.
We use specific user names and strong passwords (not user selected) behind a strong firewall and web encryption.
But the reality is that anyone could stick the query results in a file on a flash drive ...
Ask yourself why the employees need the SSN access in the first place!
Tell your DBA to create a view which replaces the SSN with some other random number for every possible person with DB access. That way, folks doing data mining or data quality will be happy.
If your devs need SSN access to develop your application, ask them why the hell they need to work on the production DB!
There's eventually going to be folks who need access to the real data. Hire a large football player, dress him in a suit, and have a "come to Jesus" moment with any employee to make sure they understand how serious this is.
Isn't the point of GP that when you pay the proper amount, you can often count on -- gasp -- *competent* people coming to work?
What about employees who do legitimate selects from these databases and then load CSV files and other text files onto their laptops and PDAs?
What kind of employee? General users shouldn't be doing selects directly anyway, but should be using software that limits what they can query to the minimum information they need, preferably not in a general-purpose form like CSV. On the other hand, the developers of that software need to do all and any kinds of selects for a whole range of reasons. They, however, should not be let anywhere near the actual production databases.
This is how we do it anyway.
Don't let PHB's run the show and don't buy based on golf course meetings.
I can't imagine a need for an employee to have any bit of our clients' data on their PDA. There's really no excuse for that at all.
As for laptops, sure, we issue our employees laptops, with which they are able to work from home via VPN. There are occasions where the employee will have to save and modify Excel spreadsheets, or CSV files, as you mentioned.
Ideally, whole drive encryption would be utilized, but it's not (yet) in our case. I've been behind the times implementing that.
Well, in our environment (an insurance company), the system will allow those authorized to copy data onto their notebooks, but what happens is that what actually gets written or copied is not the actual data. From what I know it goes something like this:
Say the actual Name is John Doe and SSN is 123-456-789 and DoB is 1976-12-08, what gets copied is something like Name: XvfC Gzd, SSN: 908-954-213, DoB: 2788-98-98.
So you work with the dummy data instead of the actual thing. Once done with whatever you wanted to do, the data get processed to reflect the needed changes before being written to disk.
Even after getting written, committing only happens after rigorous checks.
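Added example, not the insurance company's actual system: a keyed, shape-preserving masking function that turns a row like the one in the post above into dummy values of the same form (letters stay letters, digits stay digits, separators are kept), so the same real record always maps to the same dummy and rows stay joinable. The key name MASKING_KEY and its placeholder value are assumptions, as is keeping letter case, which the post's own sample does not do.

```python
import hashlib
import hmac
import string

# Assumed secret held by the masking service and never shipped with the extract
# (placeholder value constructed for this example).
MASKING_KEY = b"replace-with-a-real-secret-from-a-key-store"


def _keystream(key: bytes, label: str, value: str) -> bytes:
    """Deterministic per-field, per-value byte stream (HMAC-SHA256 in counter mode)."""
    out = b""
    counter = 0
    while len(out) < len(value):
        msg = f"{label}\x00{value}\x00{counter}".encode()
        out += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return out


def mask_value(label: str, value: str, key: bytes = MASKING_KEY) -> str:
    """Replace each letter with a letter (case kept) and each digit with a digit.
    Separators such as '-' and ' ' pass through, so the dummy keeps the original
    shape but carries no real information. Same input, same output."""
    stream = _keystream(key, label, value)
    masked = []
    for ch, b in zip(value, stream):
        if ch in string.ascii_uppercase:
            masked.append(string.ascii_uppercase[b % 26])
        elif ch in string.ascii_lowercase:
            masked.append(string.ascii_lowercase[b % 26])
        elif ch in string.digits:
            masked.append(string.digits[b % 10])
        else:
            masked.append(ch)
    return "".join(masked)


SENSITIVE_FIELDS = ("Name", "SSN", "DoB")


def mask_record(record: dict, key: bytes = MASKING_KEY) -> dict:
    """Mask only the sensitive columns of one extract row; other columns pass through."""
    return {
        col: (mask_value(col, val, key) if col in SENSITIVE_FIELDS else val)
        for col, val in record.items()
    }


if __name__ == "__main__":
    # Constructed sample row, mirroring the post's example.
    row = {"Name": "John Doe", "SSN": "123-456-789", "DoB": "1976-12-08", "Policy": "P-42"}
    print(mask_record(row))
```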
Any project I manage, and most I am influential in, I make it a point to constantly ask "Why are we collecting this? How long do we need to keep it? When can we delete this data?"
If you don't have it, you can't lose track of it and it can't be stolen from you.
If you have to store sensitive data -- and in some cases we all do -- you try to isolate the sensitive parts of it from the identifying parts of it. Use hashed values for keys instead of actual names or account numbers, that kind of thing.
There's the obvious of course -- data on laptops should be encrypted, and the key for that encryption shouldn't be taped to the inside of the battery door.
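Added example serving both the DBA-view suggestion earlier in the thread and the hashed-keys point here (not code from any poster): a SQLite database in which analysts query a view that exposes only a keyed-hash surrogate of the SSN, so counting, de-duplication and joins still work without the real value. SQLite has no GRANT, so the example relies on the view alone; on a real RDBMS you would grant SELECT on the view and nothing on the base table. SURROGATE_KEY and its placeholder value are assumptions.

```python
import hashlib
import hmac
import sqlite3

# Assumed secret held by the DBA / database server, not by analysts
# (placeholder value constructed for this example).
SURROGATE_KEY = b"dba-held-secret-placeholder"


def surrogate(value):
    """Keyed hash of an identifier: stable, so joins and counts still work, but not
    reversible without the key. A plain unkeyed hash would not do: all one billion
    possible SSNs can be hashed and matched in minutes."""
    if value is None:
        return None
    return hmac.new(SURROGATE_KEY, value.encode(), hashlib.sha256).hexdigest()[:16]


def build_db() -> sqlite3.Connection:
    """Constructed in-memory database: a base table with real SSNs and a masked view."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("surrogate", 1, surrogate)
    conn.executescript("""
        CREATE TABLE customer (id INTEGER PRIMARY KEY, name TEXT, ssn TEXT, state TEXT);
        INSERT INTO customer VALUES (1, 'John Doe', '123-45-6789', 'NY');
        INSERT INTO customer VALUES (2, 'Jane Roe', '987-65-4321', 'NY');
        INSERT INTO customer VALUES (3, 'John Doe', '123-45-6789', 'CA');
        -- Analysts query this view; the real column never leaves the server.
        CREATE VIEW customer_masked AS
            SELECT id, surrogate(ssn) AS ssn_key, state FROM customer;
    """)
    return conn


def distinct_people_per_state(conn) -> dict:
    """Data-quality query that works on surrogates alone: the duplicate customer
    (rows 1 and 3 share an SSN) still counts as one person."""
    rows = conn.execute(
        "SELECT state, COUNT(DISTINCT ssn_key) FROM customer_masked GROUP BY state"
    ).fetchall()
    return dict(rows)


def view_exposes_real_ssn(conn) -> bool:
    """Check that nothing selectable from the view equals a real SSN in the base table."""
    real = {r[0] for r in conn.execute("SELECT ssn FROM customer")}
    seen = {r[0] for r in conn.execute("SELECT ssn_key FROM customer_masked")}
    return bool(real & seen)


if __name__ == "__main__":
    db = build_db()
    print(distinct_people_per_state(db))
    print("view leaks real SSN:", view_exposes_real_ssn(db))
```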
This is pretty much a solved problem.
* only grant execute access to stored procedures, no ad hoc or dynamic SQL at all
* encrypt sensitive information so that backup tapes do not become a vulnerability
* don't store anything you don't actually need... there are credit card authorization firms that will give you a token to store, so you never store the credit card number at all, even for recurring payments
* segment particularly sensitive data entirely... the HR database should be a different instance on a different server, etc.
* don't give IT folks access they don't actually need... this protects them from suspicion, too
* if you have especially sensitive stuff, use a data access intelligence product like rippletech to intercept database calls and stop suspect ones
* don't allow the data to float around in clear text before it hits the database... clear text credit cards in the Apache logs obviate the benefit of strong encryption in the database, and if it moves over the network in the clear any employee that can download snort owns it
* use different VLANs for sensitive information, or for inter-application communications that might be particularly rich with valuable information
* use strong authentication for access to sensitive servers... several layers' worth for connecting from home
etc. etc. etc. all the normal security stuff.
And you might have gotten away with it too, if it weren't for those pesky kids... from marketing and sales.
Honestly, I don't know about government, but in most other places it seems to invariably be some sales or marketing guy who's lost a hard drive full of SSNs and contract data and whatnot. I guess it's simply a tale of greed. The prospect of selling an extra copy/insurance/account/contract is tempting enough to override all other concerns. So when you try saying that Mr Marketing GOD can't take all that data with him, guess who wins? Remember also that he's the guy who knows how to sell stuff to people, including his side of the story, while you're probably the security nerd that doesn't even speak management.
To go on a roundabout tangent towards how _I_ would fix it: the funny thing is that the market can work in funny ways too. In a "bad money drives good money off the market" way. It applies to more than that. E.g.,
- if some people can get away with tax evasion or corruption, they undercut and drive off the market the honest merchants. (See most of the ex-Communist Bloc.)
- if some people can get away with monopolistic behaviour, they drive off the market those who don't. (See MS.)
- and if some people can make a few extra bucks or save some costs by wiping their ass with your privacy, they gain an advantage over those who don't, and may eventually even drive them off the market one way or another.
Etc.
The thing is, the free market is just an optimization algorithm. It takes a given set of constraints, and eventually moves the economy towards a more optimal state. Optimal for those constraints. But like any optimization algorithm, you must make sure you set the constraints you need, or the solution may be something else than you expected. Bad behaviours can be (and usually are) more "optimal" than good behaviours, if left unregulated. And eventually those who weren't destructive either get the clue when the others are eating their lunch, or go bankrupt/get bought/whatever.
So basically what I'm saying is that nothing will really get fixed as long as there _is_ an economic advantage in ignoring privacy and security, and just giving the salesmen anything they want. The only way to fix it is if there were some kind of negative feedback in the loop. When they stand to lose more money by losing your data than anything they could gain by misusing it, _then_ they'll start taking it seriously. Until then, nope.
And it's not just a matter of personal principles and doing the right thing, regardless of what everyone else is doing. You're not isolated from the rest of the economy. Anyone who wanted to be the "good" guy there will find that the "bad" guys have an advantage over him. If he doesn't care, maybe his boss does, or maybe the shareholders just get rid of those shares and reward the bad guys instead.
is that this is not an IT issue. IT can help implement the solution, but someone at the "C" level has to consider this serious enough to create and enforce policies. We kill ourselves politically by even bringing up these sorts of issues (controlling what Sales, etc., can do with information), and that just makes the problem worse. We also make our lives miserable when the PHB's afflict us for our presumption. The best thing for you to do is implement sound security within the limits of your position, and then let it go. Unless you are the CIO, there is nothing you can do about this. Looking back from the tail end of a career, I should have joined an OSS project or found something else worthwhile for personal satisfaction.
The main problem usually happens at the top - or the legal department.
I worked at a place with a clear and documented policy against transmitting sensitive information over insecure networks - including the old text pagers from RIM (prior to the GSM BlackBerry). It was routine for me to receive sensitive/proprietary information on my pager from legal counsel. When I pointed out their failure to secure that data, they simply said I was paranoid - not that I'd misinterpreted the policy. They were too busy to worry about that. I documented every instance and handed one copy to the CIO, another to the secretary of the Chief Counsel and the final one to the CEO's secretary, since I couldn't get in to see either of them. I did this on my last day working there - left for a better job.
Turns out the new job wasn't any better with important data - they wanted me to recover data from a desktop after they escorted the contractor out of the building. I don't know why. Seems he didn't really use the machine and remoted into his home server and a colo server for almost everything. The contract didn't ensure he placed all the code into the corporate SCS weekly or that he would document it or write manuals. Six months of hourly cash paid and basically nothing to show for it. I did find a password-protected ZIP file full of stuff - took 3 days to brute force it, but it was over 3 weeks old and the code didn't run.
The company didn't even have a $20 background check performed before giving him access to the network. I would have liked a clean drug test too.
Also, being tight at the start of a company is easier than after the barn doors are already open. Most of us in start-ups don't have the willpower to do this - or the technical expertise.
It seems like most of these stories involve some boob carrying data away on a laptop or USB key then losing it or having it stolen. Sure you want to acknowledge and deal with boobishness, but you also really need to address why the boob found it necessary to carry data away from the workplace in the first place, and why management encouraged and/or endorsed that action.
If employees can complete work during a regular work day then there is no reason to take it home with them.
If management insists that data security matters, it is possible to set up systems so that it's not possible for employees to copy chunks of data and remove them.
The solution likely is to nail these companies to the wall, and make it more expensive to let data out of the workplace than it is to hire more or better employees and develop secure internal systems to protect data.
As it stands now a company can usually get by with firing one employee and saying "Oh my God! We promise this will never ever happen again!"
For a start, how about a penalty of $10,000 for every SSN or credit card number released to the wild, no matter what the reason or excuse? Suddenly losing a laptop with 100,000 customer files will become a VERY big deal.
The trick is to make the tool and not tell them about it.
Even better, develop a form that you make everyone fill out when requesting data which is really just the arguments for your script. I had a coworker who was constantly praised on his responsiveness to requests because his mail->sql->excel->mail script always responded in (int(rand()*10)+5) minutes.
Well, until he forgot to turn it off when he had the flu and somebody noticed "he" kept working. He literally replaced himself with a (not so) small shell script.
I work as a contractor for a number of companies and need to take sensitive data home (like their customer contracts, proposals, etc.) on my laptop.
To make sure I do my best to keep their data away from others (especially since I travel a lot), I encrypt twice. First I encrypt the hard drive (before booting the OS) and then I encrypt the individual customer's files in separate "containers".
TrueCrypt has a nice feature for its encryption of containers (I use files with uninformative names like turbo.dat, haiku.wav, just for the fun of it) in that it will automatically unmount the containers when the computer is put into sleep mode or hibernation, which means that no customer data is accessible when I am travelling.
And regarding common sense: I do not keep any unnecessary data on my laptop. I do not copy unneeded data to it and I remove all unneeded data immediately. I keep the different customers' data in separate containers and do not open different customers' containers at the same time, to reduce the exposure should somebody steal the laptop from my hands. I keep it locked to a big object whenever I work at a fixed place for some time and always before I leave it out of sight. I lock the screen every time I leave it.
And guess what? It doesn't take too much time either.
We're very picky in the first place about who we allow to access customer data. We have a separate deployment team and production support team who are authorized to see the customer data. The QA team can get copies of customer data to cover certain test cases. This data can be partially scrubbed. The development team only gets thoroughly scrubbed or generated data. We handle data on a need-to-know basis, basically.
But your question is more geared at legitimate data on laptops. Well, our corporate policy is that all laptops have hard-drive level encryption, no exceptions. If you lose that laptop, you have to report it to our incident team. Your laptop has to be secured at all times in the office, and if you lose track of it at any time in, say, an airport, that's an incident that needs to be reported. You can't let other people use or borrow your laptop if you have sensitive data on it.
Thumb drives are forbidden unless they are an officially sanctioned encrypted thumb drive. Those thumb drives cannot be used with non-corporate machines. If you violate these rules you can be penalized anywhere from sanctions to termination.
Additionally, our internet is proxied, firewalled, and heavily monitored. Doing tricks with tunneling to get around the web censor software or firewall rules can get you pink slipped.
Obviously this is a high-level overview. The best thing to do is try to give that data to as few people as possible and make them accountable. If someone has access to that data they can leak it, despite any technological measures you take. The best course of action is to make sure as few people have the data as possible, that they understand how to protect it properly, and that they are properly punished if they don't practice due diligence in protecting the data.