
Personal data: Time to rethink our whole security approach?

Securing data simply by defending the network perimeter is no longer enough to satisfy the law. IT departments need to consider a different approach.

[Image caption: Attacks have shown that a perimeter-based strategy is not enough to meet the needs of most networks.]

Protecting personal data is an emotive subject that's long been an issue for CIOs. It became an even bigger concern when UK data privacy watchdog the Information Commissioner's Office gained the power in 2010 to impose fines of up to £500,000 ($800,000) for breaching the Data Protection Act.

But breaches that affect commercially sensitive and secret information get less attention. That's surprising because such incidents can result in companies being sued for breach of contract and directors facing action for breaching their fiduciary duties.

UK data protection law is based on eight principles and requires companies to take "appropriate technical and organisational measures" to protect personal information.

Against that, the law of confidentiality, which applies to commercially sensitive or secret information, is a common law right based on precedent and has not been codified. Consequently, people tend not to understand it so well, although the principles are easily stated.

This approach to protecting confidential and personal information is logical. It allows the law to remain flexible and relevant despite rapid changes in the technology industry.

The result is that regulators and enforcers have to take a purposive approach, which may appear quite subjective, when they decide whether appropriate protection has been provided.

The trouble with this approach is that it is relatively easy to apply in retrospect but not so easy to use when drawing up requirements. Furthermore, rapid tech changes can make solutions that are satisfactory now seem totally inadequate in six months.

These factors create a further dilemma for CIOs, particularly when they face increasing demands to make information mobile, allow for technology convergence, permit the use of personal devices and develop BYOD-friendly policies. They need to rethink the underlying approach to securing information.

Meeting regulatory requirements

It's clear that an approach to securing information that relies solely on defending the network perimeter no longer meets the regulatory requirements.

Hackers have succeeded with attacks even where strong network security is in place, such as in government networks. These attacks show that a perimeter-based strategy will not be sufficient to meet the needs of most networks.

So, we should be looking at the fundamental requirements of information assurance to deliver the confidentiality, integrity and availability of information, and where the information is communicated, to be able to verify the source.

Reversing the approach and concentrating on securing the information makes allowance for the possibility that the network may be compromised and focuses attention on the value and importance of the information itself.

The information owner is the person most likely to understand the harm that might be caused if the information is disclosed, deleted or corrupted. So the information owner should also be empowered to make a decision on the level of protection a piece of information requires while it is held by the business.

Like the law itself, protecting information as an asset allows for a more flexible approach to technological development.

Inside-out approach to data security

So an inside-out approach meets two key requirements of the regulatory environment. First, it allows the technical approach to remain relevant regardless of changes to the platform and applications used for the processing of that information.

That flexibility allows the IT department to meet demands for system and network improvements while reducing the risk that these changes will expose the company to accusations of failing to take adequate steps to protect information.

Secondly, employees will require education on the allocation of appropriate levels of security to the information assets. This training will go part of the way to meeting the organisational requirements of the data protection legislation.

In doing so, we may have to accept that the default position will be to overprotect information. But in the context of the heavy fines and the reputational damage that occurs in the event of a breach, that overprotection should be seen as the preferred option.

Of course, companies could remove the decision from employees and take the approach of enforcing the highest level of security to all information assets in all circumstances. But that measure may overburden the system and can have a wider impact on the business.

Securing information does not remove the need for perimeter defences, but it should form the key part of a comprehensive security strategy.

Encrypting information and using digital certificates meet the security needs of all stakeholders while the data is at rest and in transit. When the information is being processed it is much harder for an unauthorised person to access, alter or publish it, and this is also the area where intrusion-detection and prevention systems are more capable of providing adequate protection.

About

Stewart James is a partner in the technology, media and commercial group at law firm DLA Piper's Leeds, UK, office. His areas of expertise include outsourcing and retendering, business process re-engineering, information assurance, data protection, a...

5 comments

l_e_cox

The most obvious approach to improving the security of private data is to store less of it in public places. This truism does not seem to get much attention, yet it is an obvious concept and I think worth considering more seriously. Does info that a person or company doesn't feel comfortable sharing really have to be shared? Would it bring the economy to its knees, for instance, if a business interacted with me on the internet without ever knowing my name? I interact with brick-and-mortar businesses without them demanding to know my full particulars every time I enter and exit their premises. So, do web-based businesses REALLY need all the data they collect on customers, or is it just more convenient for them? It might help to look at this problem with the attitude (regardless of how completely accurate it is) that the WWW was designed to collect personal data on individuals for purposes best known to the corporate interests that have supported its growth. That was NOT the purpose of the internet before the dot com boom. So, was that change progress, or was it a hostile takeover?

boucaria

I have grave concerns for the security of data in the so-called cloud as well as in phones and other stored services. I will not cover the reasons why, but it goes back to my Dad's tendency as a Lawyer/Barrister to be skeptical of almost everything. Anyway, in my circle I seem to be one of the few who read TOS and EULA fine print, so when IT Business Edge published this on about April 24th this year: "When you upload or otherwise submit content to our Services, you give Google (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content." It kind of piques my interest to say the least, since my first question is "how widespread is this clause in the cloud and other private, semi-private, and quasi-private storage areas?" As they say, just because you are paranoid does not mean they are not out to get you. My personal opinion is to over-protect personal data, especially when banks, motor vehicle registries et al. sell your info on to third parties (amongst many other groups).

Stewart-James

Michael, I'm travelling at the moment and do not have any materials with me to identify the source per se. The point that I was considering was the greater ease of identification of unauthorised third-party access while the information is being processed, in particular when that processing involves a person manipulating the information. Stewart

Michael Kassner

You mention: "When the information is being processed it is much harder for an unauthorised person to access." This is contrary to what systems and network experts are saying. What is your source?