Breaches of government databases are common, both here and around the world. As elected officials and non-elected employees struggle with how to arise above typical bureaucratic, governmental information security ineffectiveness, they continue to plan for and establish large, centralized databases containing our information.
Now, however, some are asking whether collecting distributed information into central repositories is a good idea. Wouldn't it be better to spread sensitive information around so it would be harder to access, unavailable to a single breach? The following is one example:
[Richard Thomas, Information Commissioner, Information Commissioner's Office, UK, speaking at RSA Europe 2008] expressed concerns about the government's recent move to roll out large centralized databases, such as the communications database.
"The more databases that are set up and the more information exchanged from one place to another, the greater the risk of things going wrong. The more you centralize data collection, the greater the risk of multiple records going missing or wrong decisions about real people being made," he said.Source: Privacy watchdog slams databases, year of data loss, Siobhan Chapman, Computerworld UK, 30 October 2008.
Ok. Spreading sensitive information across multiple databases on disparate network infrastructures would make it harder for an attacker. He or she would have to go after two or more weak databases instead just one in order to get the information needed. That's not really a problem if the return on effort is high enough. (This assumes, of course, data in transit or remotely accessed are secure—a big assumption.) And there are other problems with the distributed model.
The distributed information model doesn't address data security fundamentals, fundamentals that must be applied whether the information is centralized, spread across local databases, or placed in geographically dispersed repositories. These basic controls include,
- Storing only information essential for the database's stated purpose and only for as long as is absolutely necessary
- Enforcement of access control principles
- Least privilege
- Segregation of duties
- Implementation of network and server controls, including encryption and network segmentation, based on data classification and exploitability
- Extrusion detection
Spreading the data across multiple locations to increase an attacker's work factor makes no sense if the basics of database security are ignored.
Centralized databases are not inherently bad. Governments have collected information about their citizens since humans gathered into communities. Granted, it's possible to collect much more information today, and that information is more accessible than before. Yet, I still prefer the U.S. government keep my personal data in one place, protected by controls which are actually effective and managed by a single team held responsible for doing what is reasonable and appropriate—and empowered to do so, unhindered by bureaucratic delays and political posturing.
But let's face it; the problem with relying on government to protect our information goes much deeper than database design. Until we hold our elected and appointed officials accountable when data is lost or stolen because of weak or absent physical, administrative or technical controls (i.e., fire them when they're negligent), it doesn't make any difference whether information is centralized or distributed. Wherever it is, risk of compromise is unacceptably high. Can anyone say, "Stolen, unencrypted laptop?"
Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be published in Q1/2013). Before joining the private sector, he served 10 years in the United States Army Military Police with four years as a military police investigator. He has an MBA and CISSP certification. He is also an online instructor for the University of Phoenix.