Keep up with the issues and challenges that uniquely affect public-sector IT with TechRepublic’s free Government IT newsletter, delivered each Tuesday. Automatically sign up today!
In the last couple of months, we have seen the reporting of
1.4 million credit card numbers stolen from DSW Shoe Warehouse,
personal information from 98,000 past and current students stolen from UC-Berkeley, 185,000
patient records at risk due to a burglary in a San Jose, CA medical
office, and theft of large amounts of personal data from LexisNexis
Point. As a result, the media is warning consumers to be extra vigilant concerning their personal
information. But how about the warning to keepers
of the data to be extra vigilant? The above incidents should have caused
you to pause and take note of the data security in your organization. If not, when
they put your photo next to the news story about the lost data from your
government organization, try not to look so shocked.
For some weird reason, the public will cut private
institutions some slack when it comes to such mistakes, but someone’s head will
roll should a similar error be made by a governmental institution. In either
case, this type of blunder is inexcusable. We have been warned numerous times,
and we have the technology to deter, if not to stop completely, the theft of
If you don’t think you have data worth stealing just because
your organization doesn’t collect credit card information, think again.
Government agencies are a literal treasure trove of data: medical records and
HIV status (health departments and EMS), social security numbers, sensitive
legal information (police, courts, and others), and so on. Even if the
information you collect is of public record, the new regulatory environment has
raised the stakes on safeguarding particular types of personal data.
One of the most interesting things from all the stories above
is the ways the data loss occurred: lost hard drives, stolen PCs, faked
credentials, and fraudulent identities. There were no super-secret stealthy
hackers making their way past multiple firewalls in the middle of the night—these
data were obtained the old fashioned way—through plain old theft and con artistry.
So what is the common thread? Unencrypted sensitive data.
Prepare to have your data stolen
I think there has been a feeling in the IT community that we
must place our security emphasis only on the network defenses. We have been
building impregnable fortresses against those who would come in from the
outside to wreak havoc with our systems, trusting that if we do that,
everything will be okay.
While we do need to protect our perimeter, we should be preparing
to have our data stolen. In my opinion, it’s inevitable. If someone wants your
data bad enough, it can be captured. Whether it is through hacking, the physical
stealing of equipment, or the inside job of an employee—data is vulnerable.
So, what can we do? Prepare to have your data stolen by using
data encryption at the database level. Even if someone manages to steal it, it
will be difficult, if not nearly impossible, to make any use of the data.
Of course, it’s not that simple, or we’d already be doing it. Here
are the issues with data encryption that complicate its use:
- It can be slow and very system intensive because all
encrypted data must be decrypted to be read, updated, or deleted.
- It may not have been available on your chosen database
- Even if it is available, it isn’t necessarily easy to
use; it has implications for your database design, such as encrypted keys
that being unusable in indexes.
- By itself, it is not a panacea. You must still
provide good access controls to help ensure your data security.
In short, encryption is pretty much ignored by much of the
database development community because data encryption is a pain.
But the time has come for us to deal with this pain. As I
alluded to in the opening of this article, it is not the job of the consumer to
be extra vigilant regarding their data. It is our job. This starts with us, the keepers of the data, examining
the risks of data theft and incorporating what we learn into the design of the
databases we are responsible for. In addition, we should:
- Investigate the access controls to make sure that
only authorized users have permissions to access the data.
- Utilize strong user authentication routines.
- Implement appropriate auditing to determine who has
been “in the data.”
We need to bite the bullet and start utilizing data encryption
in our new development, if not in our existing systems. I realize this is a big
deal, which is why I say we start with new development rather than trying to
retrofit encryption onto an old system. The best place to start is with the
vendor of your most-used database systems: Oracle,
Then, take a look at what is available from the gamut of third-party providers
and other security experts on
the Internet. Wherever you start, start today—you don’t want to end up as