WHO’S READING YOUR DATA WHILE YOU READ THIS?

By Colin Tankard, Managing Director, Digital Pathways Limited

Security of data has been an issue for as long as … well, as long as there has been data. As that data is stored in more and more sophisticated ways, so the security systems need to run to keep up. It’s not just the MoD that needs to know who’s reading their files; there can’t be a single commercial concern that doesn’t need to shield confidential material from prying eyes.

The nub of the problem revolves around the ability to very accurately control access to data. Knowledge is power, as they say, and accidentally giving knowledge to the wrong people can be highly debilitating.

It’s not just protecting data from external threats though; protective software needs to be simultaneously inward-facing. Companies need to be absolutely sure that staff cannot gain access to confidential data such as salaries and HR files – or, as importantly, the data of the firm’s clients or customers.

It might be a question of straight forward commercial confidentiality, or it may be that companies have a legal obligation for compliance with the Data Protection Act, or the PCI standard; or it may well be that the company has outsourced its digital support, and they want that sub-contractor to manage their infrastructure but not have access to their data.

When it comes to protecting data, information, files – call it what you will - there are three fundamental elements which need to be understood and addressed.

Firstly you need to know who or what is accessing the information being disseminated from your own network; what is required is a comprehensive audit of who is logged on and where, and what data they have access to. That might sound obvious but it’s a crucial first step; if a big network is getting a large number of logs then the log data needs to be carefully analysed, and then be presented in a manageable format. There is often a gap in the ability to link the log data to any undesirable event. That ‘event’ might be a chain of occurrences which would trigger concern, such as a number of log-ons from the same IP address, using different passwords with each log-on.

It is the view of Colin Tankard – Managing Director of Digital Pathways, that the biggest challenge is for companies to log the data that is flying around in their networks. Once that has been managed they can then move on to put the necessary protocols in place.

The second step is to identify what data needs to be protected. Digital Pathway’s clients include international law firms handling highly sensitive information, car manufacturers who have an absolute imperative to protect new designs, and financial houses who need an impenetrable stockade around their own clients’ acquisitions and disposals.

The third step, obviously, is then to protect the data which has been identified as sensitive. Simple solutions such as encryption are just not good enough; encryption only protects you against physical theft. What needs to be controlled is access, and application to the data. A good start is to tighten access by software and user, so that employee A running Word can see those files, but employee A running SAP, or employee B running Word has no access to that data’.

These security systems need to be both active and reactive; protecting against breaches in security cover, every hour of every day, and responding to specific threats or attack. The access to data needs to be monitored constantly, and be presented in a managed and coherent fashion. There might be a large and highly technical report for the IT Manager, and a much more succinct précis for the Managing Director. This level of reporting will often be required by an external auditor (if, the firm in question needs to show compliance to, say, the Financial Services Authority), or for a third-party client who requires reassurance that his data is secure. Having that in place as a part of the security solution saves both time and money.

At the end of the day there is a balance to be reached. For some organisations having their staff operating with user names and passwords isn’t enough, and you start to move into very high levels of security, such as biometrics. For most applications though it’s more about an understanding of the problems, and any potential disasters. A lot of Digital Pathway’s clients start off thinking that they know who has access to their data - before we ruin their day by showing them otherwise!

Digital Pathways Limited is exhibiting at Infosecurity Europe 2009, the No. 1 industry event in Europe held on 28th – 30th April in its new venue Earl’s Court, London. The event provides an unrivalled free education programme, exhibitors showcasing new and emerging technologies and offering practical and professional expertise. For further information please visit www.infosec.co.uk

Courtesy: Infosecurity PR
<>