Lipstick on a pig?

With the ever-increasing amounts of data now being handled, particularly by today’s police service, too many organisations think that by simply putting a few basic security procedures and structures in place, they can relax and forget about their IT security argues Calum Macleod.

Nov 13, 2008
By Paul Jacques

As someone who became totally engrossed in the US elections, I found that Barack Obama’s comment about “lipstick on a pig” resonated, because in my opinion it just about sums up the approach to IT security in most enterprises today. You may have SOX, PCI, Basel, ISO or whatever other policy you can think of, but as long as you carry on doing things in the same old way you might as well put “lipstick on a pig”.

Over the past year there have been countless incidents of sensitive data being lost or misplaced, and small fortunes have been spent investigating the how and the why. Yet the incidents continue, and in my opinion this is primarily because organisations fail to implement the technologies needed to ensure that their policies are actually enforced.

It is, therefore, absolutely essential that adequate controls are put in place to ensure that highly-sensitive data is protected from abuse. There are best-practice approaches, as well as commercial solutions, that minimise the risk and technically remove most of the opportunities to abuse sensitive data, no matter how resourceful or determined someone may be. The following list can serve as a useful guideline for accomplishing this.

Secure repository

By creating a secure repository, sensitive data can be stored in a manner that gives the data owner, whether that is an individual or an application, and the organisation complete control over who has access. It closes the routes by which unauthorised users, inside or outside the network, gain access. It also ensures that IT staff are no longer able to read the data, even though they may be responsible for managing the system that stores it; in practice that means the data is encrypted with keys the systems administrators do not hold, otherwise the access control can be bypassed at the storage layer.

Commonsense encryption

Effective but manageable encryption that does not require intervention by IT staff removes the risk of keys being exposed to systems staff. Relying on encryption methods that are complex to use and manage only increases the vulnerability: users work around them, and keys end up stored where administrators can read them.

Secure backup

Backing up sensitive and critical data is crucial, but backups can be abused. When selecting backup and restore solutions, take every precaution to ensure that they back up the data in its encrypted form, and that the keys needed to restore it are held separately from the backup media. Too often data is backed up in clear text and is then open to abuse and theft.

Segregation of duties

There must be segregation between IT staff and data owners. Additionally, there should be hierarchies within data ownership, such as dual control, which enforces checks and balances so that highly-sensitive data cannot be accessed unless a second, independent person has given authorisation. If possible, access to, and responsibility for, data should be devolved to the relevant departments, minimising the number of prying eyes. For example, there is no reason why anyone outside of HR should have access to HR data.

Proactive alerting

User activity should be reported automatically: any time anyone, authorised or not, accesses a sensitive file, management should receive an immediate report of that activity. Reporting at departmental level ensures that the managers who know which sensitive data is under their control see every access, and can therefore identify potentially inappropriate behaviour at an early stage.
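To make the last two controls concrete, here is an added example (not from the article, and not any vendor's product) of a small policy-enforcement point that applies segregation of duties, dual control and departmental alerting to a constructed access log. The departments, staff names, datasets and log lines are all made up for the example; a real deployment would read them from the directory and the audit trail of the repository in question.

```python
"""Added example (not from the article): a policy-enforcement point that
applies the controls described in the text to a constructed access log.

- Segregation of duties: IT administrators manage systems but are never
  granted data access; data belongs to the owning department only.
- Dual control: highly-sensitive datasets need a second, distinct
  authoriser from the owning department's management.
- Proactive alerting: every access to a sensitive dataset, allowed or
  denied, is reported to the owning department's management.

All names, datasets and log lines below are constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass

# Data ownership map (constructed). dual_control marks highly-sensitive data.
DATASETS = {
    "hr/payroll.csv":    {"owner": "HR",  "dual_control": True},
    "hr/appraisals.csv": {"owner": "HR",  "dual_control": False},
    "cid/informants.db": {"owner": "CID", "dual_control": True},
}

# Staff directory (constructed). "it-admin" runs the systems, owns no data.
STAFF = {
    "alice": {"dept": "HR",  "role": "manager"},
    "bob":   {"dept": "HR",  "role": "officer"},
    "carol": {"dept": "CID", "role": "manager"},
    "dave":  {"dept": "IT",  "role": "it-admin"},
    "erin":  {"dept": "CID", "role": "officer"},
}


@dataclass(frozen=True)
class AccessEvent:
    ts: str
    user: str
    dataset: str
    approvers: tuple  # user names supplied as second-person authorisation


def parse_event(line):
    """Parse one 'ts key=value key=value ...' log line into an AccessEvent."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    approvers = tuple(a for a in fields.get("approvers", "").split(",") if a)
    return AccessEvent(ts, fields["user"], fields["dataset"], approvers)


def decide(ev):
    """Return (verdict, reason) for one access request."""
    ds = DATASETS.get(ev.dataset)
    if ds is None:
        return "DENY", "unknown dataset"
    who = STAFF.get(ev.user)
    if who is None:
        return "DENY", "unknown user"
    if who["role"] == "it-admin":
        return "DENY", "IT staff manage the system, not the data"
    if who["dept"] != ds["owner"]:
        return "DENY", f"outside owning department {ds['owner']}"
    if ds["dual_control"]:
        # A valid second authoriser is a *different* person who is a manager
        # in the owning department. Self-approval never counts.
        second = [a for a in ev.approvers
                  if a != ev.user
                  and STAFF.get(a, {}).get("dept") == ds["owner"]
                  and STAFF[a]["role"] == "manager"]
        if not second:
            return "DENY", "dual control: no valid second authoriser"
    return "ALLOW", "ok"


def report(lines):
    """Decide every event and build the per-department alert report.

    Returns (decisions, alerts): decisions is a list of
    (user, dataset, verdict); alerts maps department -> report lines.
    """
    alerts = defaultdict(list)
    decisions = []
    for line in lines:
        ev = parse_event(line)
        verdict, reason = decide(ev)
        decisions.append((ev.user, ev.dataset, verdict))
        # Route the line to the owning department; unknown datasets go to
        # the security team so nothing is silently dropped.
        dept = DATASETS.get(ev.dataset, {}).get("owner", "SECURITY")
        alerts[dept].append(f"{ev.ts} {verdict} {ev.user} -> {ev.dataset} ({reason})")
    return decisions, dict(alerts)


# Constructed sample log: one morning's access requests.
SAMPLE_LOG = [
    "2008-11-13T09:02:11 user=bob dataset=hr/payroll.csv approvers=alice",
    "2008-11-13T09:05:40 user=bob dataset=hr/payroll.csv",
    "2008-11-13T09:07:03 user=alice dataset=hr/payroll.csv approvers=alice",
    "2008-11-13T09:15:22 user=dave dataset=cid/informants.db",
    "2008-11-13T09:20:59 user=erin dataset=cid/informants.db approvers=carol",
    "2008-11-13T09:31:10 user=bob dataset=cid/informants.db approvers=carol",
    "2008-11-13T09:44:37 user=bob dataset=hr/appraisals.csv",
]

if __name__ == "__main__":
    _, alerts = report(SAMPLE_LOG)
    for dept, lines in alerts.items():
        print(f"== report for {dept} management ==")
        for entry in lines:
            print("  " + entry)
```

Two design points are worth noting. The second authoriser must be a different person from the requester and must belong to the owning department's management, so an IT administrator or a colleague in another department can never supply the second signature. And the report is written for every event, not only for denials: the article's point is that management should see who legitimately opened sensitive files, because an authorised user quietly reading payroll at the wrong time is exactly the early signal that denial-only alerting misses.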

Ultimately it is impossible to eliminate the abuse of sensitive data by people who are determined to misuse their position, but at the very least every organisation can easily, and relatively cheaply, implement technology to ensure that its procedures are not just “an old fish in a piece of paper”.

  • Calum Macleod is the Western European director at Cyber

Copyright © 2022 Police Professional