“Keep your eye on the ball” is a common admonition that, because of its broad application, spread far beyond the playing field. With a slight change, it applies equally well to protecting information assets—keep your eye on the data.
I find it a continuous struggle to help my peers in IT understand the importance of making data the primary object of security. Too often, attention quickly shifts to applications, operating systems, firewalls, etc. without a thorough understanding of how data moves and is stored within the network. It is only after the characteristics of an organization’s sensitive data are identified and documented that the final work of securing them can actually begin.
In a ComputerWorld article, Jaikumar Vijayan lists five ways to mitigate risk associated with protecting company data (“Lessons from the DuPont breach: Five ways to stop the leaks”, 28 Feb 2007). I listed the risk mitigation methods below along with my take on each.
- Get a handle on the data – The first step is to understand where all the data reside. Possible locations include database servers, disk arrays, local workstations, and mobile storage devices. Knowing where the data are helps in building a strategy for protection of data at rest.
Once the data are located, they should be classified. Data classification helps direct security control efforts to the most sensitive and critical information first. I use a simple method using three classification levels: restricted, confidential, and public.
The release of restricted information could cause substantial harm to the company, its employees, its customers, or its investors. The use of VLANs, IDS/IDP systems, access logging, and other proactive security activities are usually not optional to secure this data. Examples of restricted information include electronic PHI, intellectual property, and PII.
Confidential data is less sensitive than restricted information, but its release could still cause harm to the company, its employees, its customers, or its investors. Although security controls are still required to protect this information, reasonableness should guide effort.
Public information includes anything that doesn’t fall into the other two classes. Examples include press releases and the annual reports of public companies.
- Monitor content in motion – If information sat quietly behind the protective barriers we construct, our jobs would be much easier. However, our users need the data to keep the company operational. So we must identify all paths information takes between storage, our users, and external entities. In addition to delivering information to user workstations, paths might include interfaces between applications, customer remote access over the Internet, and the exchange of large amounts of data with vendor and customer organizations.
It’s a good idea to perform threat modeling on data in motion. An example of a threat modeling process can be found in “A Practical Approach to Threat Modeling.” A threat model of an interface, for example, helps identify potential vulnerabilities and how threats might exploit them. Armed with this information, it’s much easier to design the proper security controls.
- Keep an eye on databases – Access to data should be through applications only. One exception to this rule is the direct database access required by database administrators (DBA’s). Even then, DBA access should be logged to a location to which only the security team has access.
Communication between the application and the database should be accomplished with the use of a single network account. The account should be used only for that purpose and have a strong password known only to a very small number of network support or security personnel.
- Limit user privileges – The principle of least privilege applies to all data that aren’t classified as public. Users should be given access only to the data absolutely necessary to do their jobs. Network and application access controls should be governed by policy, standards and guidelines with regular audits for compliance.
- Cover those endpoints – Today’s workplace is the scene of a plethora of devices that should make every security manager nervous. These devices include PDA’s, MP3 players, thumb drives, USB hard drives, and smartphones. Each of these devices is capable of storing large amounts of company information. There are essentially two challenges associated with their use: what data is copied to them and how that data, once copied, is secured.
Steps an organization might take to controlling how information is copied to, and protected on, portable storage devices may include one or more of the following:
- Completely disable USB and Firewire ports
- Encrypt sensitive data on portable/removable media
- Deploy a solution that provides granular control of USB and Firewire ports
- Implement content monitoring that alerts when sensitive information is copied or moved
- Ensure anti-malware and firewall technologies are installed on PDA’s and smartphones that connect to the company network
- Enforce centrally managed policies that include password protection of handheld devices
Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be published in Q1/2013). Before joining the private sector, he served 10 years in the United States Army Military Police with four years as a military police investigator. He has an MBA and CISSP certification. He is also an online instructor for the University of Phoenix.