Archive for the ‘Compliance Mandates’ Category
Let’s look at best practices for integrating BitLocker into your security solution, and how to do so as you plan your migration to Windows 7.
A lot of organizations have either started or are starting to migrate to Windows 7. With that comes BitLocker – and I’ll take a look here at some of the strengths of BitLocker – and some of the areas to be aware of. I’d like to give you some tips and tricks as well, and some of the things that you ought to bear in mind as you plan for your BitLocker rollout, and as you plan for management of BitLocker within your broader security environment.
WINDOWS 7 MIGRATION
As I look at Windows 7 migrations and what’s happening in the market, most organizations seem to be on about a 4 to 6 year cycle for refreshing hardware. That means there’s a lot of Windows hardware still out there running XP or Vista; it’s older hardware, and it may be time to refresh those PCs and look into new desktops and laptops. Of course, there are significant cost and security benefits to adopting Windows 7, and I’ve seen some reports indicating that right now about 60 percent of organizations have already begun to deploy Windows 7, though it may not be a full deployment as yet.
MIGRATING TO WINDOWS 7/SOME KEY FEATURES
As I look specifically at the security elements of Windows 7, it certainly brings a lot of enhancements over what we had previously with XP or Vista. User Account Control helps you defend your PCs against hackers and malicious software by letting you set everybody up with standard user privileges rather than local administrator privileges. Gartner certainly recommends that you go down that road, but for various reasons a lot of organizations continue to give employees local administrator rights rather than standard user permissions!
There are other pretty important systems in play as well. One area to take advantage of is Group Policy, which gives you centralized management and configuration based on Active Directory. AppLocker, for instance, is a pretty neat little tool that lets you specify which software is allowed to run, managed through Group Policy. There are a number of other key security enhancements available, but as I think about BitLocker in particular, a couple of things come to mind.
The first is that BitLocker is not available with the Professional version of Windows 7. In fact, BitLocker is only available with either the Enterprise version or the Ultimate version. This is an important distinction, and, of course, the Enterprise and Ultimate versions of Windows 7 require that you have the appropriate licensing: volume licensing for Enterprise, or, with the Ultimate version, either retail or OEM licensing, which may not be appropriate for an organisation-wide deployment.
WHAT IS BITLOCKER?

Let’s take a deeper dive into BitLocker and what it really is. As mentioned, it’s intended for the Ultimate and Enterprise editions only, for Windows 7 and for Windows Vista, and it can also run on Windows Server 2008. Windows BitLocker Drive Encryption supports both 128-bit and 256-bit encryption keys. Certainly the longer keys increase security, but, as Microsoft will tell you, they can also slow the encryption and decryption of data. BitLocker has a diffuser algorithm that is intended to help protect the system; by default with Windows 7 the encryption is AES 128. That may or may not be appropriate, but you can go back and change it to 256-bit should you choose to. That’s just one of the things to bear in mind as you begin to look at BitLocker.
What are some of BitLocker’s strengths? Certainly it is a strong encryption solution: a volume-based solution that works well for encrypting data on fixed drives. For instance, a lot of users out there have desktops, and BitLocker might be a very good solution for them, though you may want to think twice about the BitLocker-To-Go removable media option for those systems (more on that later).
The Windows 7 implementation has certainly improved over the Windows Vista version, and it does leverage newer technologies such as the AES processor and the Trusted Platform Module (TPM). However, that requires TPM version 1.2. As you move toward a Windows 7 rollout and install new machines, the likelihood is that you’ll be in great shape: pretty much all of the new laptops and desktops out there come with TPM 1.2. But you may not be quite as well positioned to roll BitLocker out to the older systems already in your environment as part of your Windows 7 upgrade.
Let’s move on from BitLocker’s strengths to some of the areas to be aware of.
AUTHENTICATION OPTIONS
When it comes to how users authenticate, there are a few different options: the TPM, a PIN or enhanced PIN, and a USB device. The recommendation from Microsoft, and from us as well, is to use multifactor authentication because it does increase drive security. You can combine these authentication methods in any number of ways:
- the TPM with a PIN
- the TPM with a startup key stored on a USB flash drive
- a startup key on USB, a PIN and the TPM together
You’ve got lots of options there. (Note: if you decide to use an enhanced PIN, the BIOS must support a full keyboard in the pre-boot environment.)
But the thing to remember as you look at multifactor authentication is that it’s vitally important you communicate with and train your users on what it is that they’ve got to do! For instance, if they are required to have a startup PIN and a USB key, you’ve got to remind them that they should NOT keep their BitLocker PIN or authentication key in an easily accessible location, like on a sticky note or a USB stick sitting right beside the laptop. It’s important to store the keys separately from the data, because otherwise you potentially have a problem.
WHAT IS THE TPM?
It is an onboard component that provides a root of trust, seals the encryption keys and can protect against offline attacks. As already noted, the thing to remember with the TPM, if you’re going to use it, is that it must be version 1.2. (If you’re on a newer system, you’re probably in great shape.) For some older systems you might need to look back and see whether this is still a viable option.
One other thing to bear in mind, regardless of how users are authenticated: you will need to disable the use of standby mode on any portable computers. For laptops with BitLocker on the OS volume, protection is only in effect when the computer is turned off or in hibernation mode. So, no sleeping for you road warriors.
WHAT IS THE RECOVERY PASSWORD OR KEY?
The next thing after authentication is to plan for recovery key management. The recovery password is a 48-digit, randomly generated number created during BitLocker setup. If the computer enters recovery mode, the user will need to type in this password in order to recover the data.
WHAT MIGHT CAUSE IT TO GO INTO RECOVERY MODE?
There are a number of different things that could do it: an update to the BIOS, updating the option ROM, upgrading any early boot components, or simply forgetting the PIN. A user who has forgotten the PIN when PIN authentication is enabled can trigger a recovery process.
If you do have a recovery process, the user now needs to have the key. If they have the key, that’s perfectly fine, but how do they store it? Again, key security becomes very important to bear in mind. If a user is worried that they’ll need the key, he or she is probably going to keep it pretty close to the laptop or desktop, and that potentially gives you 1) a management headache, and 2) a key security headache.
Are those keys actually secure? Written down on a sticky pad, or printed off and tucked away in the same briefcase as the laptop containing the data!?
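The 48-digit recovery password has a documented structure that an administrator or help desk can check before a typed-in password is ever tried against a drive. The following is an added example (not code from the original post, from CREDANT or from Microsoft); it assumes only the published format of eight six-digit groups that are multiples of 11 below 720896, and the sample password in it is constructed, not a real key.

```python
"""Structure check for a BitLocker 48-digit recovery password.

Added example (not code from the original post, CREDANT or Microsoft).
It relies only on the documented format of the recovery password:
eight groups of six decimal digits, where every group is a multiple of
11 and smaller than 720896 (65536 * 11). Each group therefore encodes
one 16-bit value (8 x 16 = 128 bits) and the final digit of each group
acts as a checksum. This is a syntax check only; it never touches a
volume and cannot tell whether the password matches a given drive.
"""
from typing import List, Optional

GROUP_COUNT = 8
GROUP_DIGITS = 6
GROUP_LIMIT = 65536 * 11  # 720896: group // 11 must fit in 16 bits


def normalise(password: str) -> str:
    """Drop the dashes and spaces a user or help desk might type."""
    return "".join(ch for ch in password if ch.isdigit())


def recovery_password_words(password: str) -> Optional[List[int]]:
    """Return the eight 16-bit values, or None if the structure is invalid."""
    digits = normalise(password)
    if len(digits) != GROUP_COUNT * GROUP_DIGITS:
        return None
    words = []
    for i in range(GROUP_COUNT):
        group = int(digits[i * GROUP_DIGITS:(i + 1) * GROUP_DIGITS])
        # A mistyped digit changes the group by d * 10^k, which is never a
        # multiple of 11 (10 == -1 mod 11), so the check catches it.
        if group % 11 != 0 or group >= GROUP_LIMIT:
            return None
        words.append(group // 11)
    return words


def is_well_formed(password: str) -> bool:
    return recovery_password_words(password) is not None


def words_to_recovery_password(words: List[int]) -> str:
    """Inverse: encode eight 16-bit values as a dash-separated 48-digit string."""
    if len(words) != GROUP_COUNT or any(not 0 <= w < 65536 for w in words):
        raise ValueError("need exactly eight 16-bit values")
    return "-".join(f"{w * 11:06d}" for w in words)


def typo_variants(password: str):
    """Yield every single-digit substitution and adjacent transposition."""
    digits = normalise(password)
    for i, ch in enumerate(digits):
        for d in "0123456789":
            if d != ch:
                yield digits[:i] + d + digits[i + 1:]
    for i in range(len(digits) - 1):
        if digits[i] != digits[i + 1]:
            yield digits[:i] + digits[i + 1] + digits[i] + digits[i + 2:]


def undetected_typos(password: str) -> List[str]:
    """Typo variants that still pass the structure check (expected: none)."""
    return [v for v in typo_variants(password) if is_well_formed(v)]


# Constructed sample: eight arbitrary 16-bit values, not a real recovery key.
SAMPLE_WORDS = [4660, 22136, 0, 65535, 1, 43690, 21845, 4096]
SAMPLE_PASSWORD = words_to_recovery_password(SAMPLE_WORDS)

if __name__ == "__main__":
    print("sample:", SAMPLE_PASSWORD)
    print("well-formed:", is_well_formed(SAMPLE_PASSWORD))
    print("typos slipping through:", len(undetected_typos(SAMPLE_PASSWORD)))
```

Because 11 is prime and 10 is congruent to -1 modulo 11, any single mistyped digit or swapped adjacent pair changes a group’s remainder, which is why the check rejects every such typo in the sample.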
WHAT ABOUT REMOVABLE MEDIA?
Another thing to consider is removable media. BitLocker does come with a solution called BitLocker-To-Go, which allows you to encrypt data on removable media. But one of the problems with BitLocker-To-Go is that it can be very slow in provisioning larger-capacity drives. I’ve seen a 1 GB or 2 GB USB stick take up to half an hour to format. And if you think about a user who is plugging in a USB stick, they’re not going to wait 20 minutes or half an hour for that stick to be formatted ready for encryption. What might happen is that they pull the USB stick out because they’re frustrated. And that, by the way, will corrupt all of the data. That’s a problem!
Another thing is that a lot of people have 1 TB external drives connected via USB that they use for backups. If I were using BitLocker-To-Go, I don’t know if I would have the patience for the provisioning time, let’s put it that way. Removable media is an area you need to consider because of large external drive capacities and also because of the end user’s usage scenario. If they’re waiting 15 or 20 minutes, half an hour or longer for a USB stick to be formatted, they’re going to get frustrated and find other ways of sharing data. For that reason, BitLocker-To-Go may not be the ideal solution for most users.
WHAT ABOUT ENCRYPTING NON-WINDOWS 7 MACHINES?
Now let’s look at encryption for non-Windows 7 machines. There’s very little likelihood that your Windows 7 environment is going to be entirely Windows 7. In most organizations there is still a fairly sizeable population of Mac OS users, and in some cases that number is growing. Mac users tend to be big fans and want to keep their Macs. They may be in the creative department, at the management level, or anywhere else. Mac OS is a substantial platform that exists within a lot of environments, 10 to 15 percent of some environments in fact. That’s something you need to consider as you look at compliance and protecting data across the entire organization.
Windows 7, of course, is not the only Windows version out there today. If your organisation is in line with market norms, you’ve still got Windows XP on up to a third of the machines in your environment. I don’t know how fast you’re able to make the transition happen, or whether you might want to reuse and recycle some of those machines for lower-end users; in either case, you need to consider protecting the data on those devices as well.
Additionally, you’ve got a growing population of mobile OS platforms that are becoming more and more of an issue, and that you need to consider as you look to the future and to protecting data across your entire organization.
According to a few stats released last year, the vast majority of organizations have multiple administrators managing encryption keys and integrating security into their existing IT processes. Consolidating all of those security admin jobs so that everything can be managed in a single pane of glass can bring enormous benefits. It’s both a reason to move to BitLocker and a reason to look at how you manage BitLocker. A lot of organizations have multiple different encryption technologies in place, with three, four or five different management consoles. If you’re able to integrate there, and find the opportunity with BitLocker and the other systems in your environment to manage it all centrally, then you’ve certainly driven some benefit for your organization, for end users and, of course, for compliance reporting.
WHAT ABOUT COMPLIANCE?
This brings me to the next point: the need to understand your compliance environment. Data encryption is specifically mandated under various regulations, and even where it is not mandated there’s a strong emphasis on encryption as a recommended best practice. HIPAA and HITECH, for instance, do not mandate encryption, but they do give you safe harbor should a USB stick or a laptop with sensitive data on it be lost. If that data is encrypted, you don’t have the same notification requirements that apply to unencrypted data.
Something else to think about is what kind of reporting you’ll need. Is it organization-wide? Possibly. The ability to report to auditors and to management on your data protection status is often crucial: the number of endpoints, the types of endpoints and devices that data flows to, and the ability to enforce encryption of the data as it moves about. Management will want reporting, and outside auditing agencies will want it as well. They will want to see that you are putting the right security profile in place.
FIPS compliance is another very important factor for some organisations, and while BitLocker does allow you to achieve FIPS compliance, it is only possible to do so if users do NOT create recovery passwords. The fact that these passwords are most likely going to be kept very close to the machines is, I guess, one important reason that FIPS compliance is lost, but there’s also the fact that the recovery keys can be stored in clear text within Active Directory, which again loses your FIPS compliance. So is FIPS compliance an important factor for you? Certainly worth thinking about.
CREDANT BITLOCKER MANAGER
Credant BitLocker Manager is a solution that gives you a single management console for all of your data protection requirements. You’ll have full management control not only of your Windows BitLocker machines, but also potentially of all of the endpoints in your environment. We are able to give you full management and control of BitLocker itself, including automation of TPM initialization and management. You can leverage Group Policy settings to configure encryption strength, drive access controls, drive recovery and deployment options. We’re able to help you roll this out, set up your policies and then manage those policies. We’ll give you standardized recovery key management: all of the recovery keys are securely escrowed and encrypted, so that you’ve got much more security, and you retain FIPS compliance if that’s of concern for you. Credant offers automated management of the Trusted Platform Module, and very flexible management in terms of the ability to manage different groups and different users, all the way down to the individual user and the individual device.
As I look at what the biggest benefit here is, it’s hands down integration. The BitLocker Manager solution will help you manage all of those BitLocker devices. You can integrate it with the Credant Enterprise product, which allows you to manage all of the other devices in your environment: all of your old Windows XP, Windows Vista or Windows 7 non-BitLocker machines, and all of your Mac OS machines, from a single pane of glass!
Additionally, instead of using BitLocker-To-Go with its many issues, the Credant external media solution is the best solution in the market for protecting data on external media devices. It gives users quick and easy protection for data on any of their external media devices, ensures very comprehensive visibility and reporting capabilities for management, and gives IT the ability to set policies around what kind of data can be moved to external media.
We can integrate all of that into one pane of glass so that you get much simpler management and much more complete reporting and auditing. The workload for compliance-related auditing is a lot lighter, because compliance reporting is built into the solution and allows you to generate reports from the company-wide level down to the individual user. When the CFO calls and says, “I lost my laptop at O’Hare on my last business trip, can you tell me what’s up?”, you’re able to very quickly go in, take a look and confirm that encryption was in place. While the CFO is going to be unhappy that he has to get a new laptop and configure it, he can be very happy that all of the sensitive data on his laptop was not lost.
Again, integration is probably the biggest area of concern for a lot of our customers. It is an area where the Credant Manager for BitLocker is able to support you, so that you have far fewer gaps in your coverage.
FULL STEAM AHEAD
So, as I’ve discussed, BitLocker does have some clear advantages, and with your Windows 7 rollout either in process already or about to be as you look at refreshing your PCs, BitLocker does work very well for some users. However, BitLocker does have some limitations. It’s important to think about what your authentication policy is going to be. It’s important to think about what your recovery key management policies are going to be. It’s very important to consider removable media. Compliance is a key driver for a lot of organizations, and it’s important that you understand which regulations you’re held accountable for and what’s required in order to achieve compliance.
As you roll out Windows 7 you’re going to get the benefit of enhanced security in a number of ways and enhanced performance over some of those older Windows XP machines. There are a lot of great, positive things to do with the Windows upgrade.
So full steam ahead, but just remember some of these tips and tricks, and try to make sure that you’re able to integrate and save on management costs, while on the end-user side making it as transparent and as easy for the user as possible.
So what does all this stuff mean? I’ve thrown a lot of numbers and stats at you. I think there are really three significant trends that we see when we talk to organizations about what they are worried about from a security perspective.
First, we’ve got all of this change in what traditional IT has to encompass. We’ve got Bring Your Own Device, consumerization, virtualization and cloud services. All of these things are occurring right now and churning the infrastructure of IT. All of them are increasing the complexity of managing these systems, and that’s not a good thing. We know that makes things harder to track, harder to keep safe, and harder to report on and prove compliance. At the same time, the physical implementation of IT is changing, and the way that information is used is also changing. There’s an incredible increase in the mobility of data, and I think that’s only going to keep accelerating. Information is moving faster, in greater quantities and to more places than it ever has in the past, and it will continue to accelerate. As a result, tracking that information, understanding who has it, where it is, who has access to it and whether they should have access, and meeting order and compliance requirements is becoming extraordinarily difficult.
Finally, in case you hadn’t noticed, insiders are a major problem. At the same time, controlling the way that insiders interact with information is also becoming a serious problem. Because of the Bring Your Own Device revolution and because of consumerization, the ability to manage insiders and the way they use information is eroding away.
If you think about what people really want, if you think about what your users are going to be asking you for, they are expecting and demanding access to information anywhere, anytime, on whatever device they want to use. They want it now and they want it fast. They want to share it with whomever they need to share it with. They don’t want security to be a roadblock to that access.
At the same time, organizations are responsible for staying in constant control of that data. We have to control who has access to it, maintain visibility, and manage access to that information. These are two really conflicting requirements. They are in a sort of dynamic tension with each other, and that has to be managed.
And of course, as I mentioned earlier, cloud is really throwing gasoline on that particular fire. Two hundred and eighty-eight million, if you don’t recognize it, is the number (at least) of files uploaded and accessed on Dropbox every day. That’s about a million files every five minutes. I go back to the nine percent of organizations that don’t think they’re going to see increased cloud usage this year, and I say, au contraire, I think they’re already seeing an increase in cloud usage. I think that increase in cloud usage is occurring inside those organizations, or on devices that have been or are attached to those organizations.
End users are bringing what are essentially consumer initiated cloud services into businesses to share, to collaborate, to move, to backup and to store files in incredibly large quantities in a way that is beyond their current ability to control. This is the poster child for consumerization and its impact on our ability to secure information over the next ten years. In all honesty, most organizations have yet to get their arms around this problem.
In order to get our arms around this problem, we have to move from thinking about devices to thinking about data. It seems pretty obvious, because the devices are out of our control, proliferating at a rate we can’t manage, or are simply virtual devices that exist somewhere else. We’ve got to think about data and data-centric security. The best way to do that is to build data-centric security into the way we think about information security in general. It’s the only way to meet the challenges of consumerization and mobility. But to do that, we’ve really got to focus on the core of data-centric security, and I would argue very strongly that things like encryption and tokenization are what essentially make data self-defending. They both have to remain the fundamental enabling approach for data-centric security. By enabling, I mean it lets you build a data-centric security mechanism, but it also enables your organization to take advantage of new technologies and new approaches that more easily facilitate what your users want to do. To do that, though, you’ve got to ensure that security is seamless. It has to just work. If I take information from a thumb drive, move it onto my laptop, move it into a virtual platform, and then move it off there into cloud storage that I access from my smartphone or tablet, all of that has to just happen. It has to happen in a way that doesn’t impact my ability to get my job done. Ultimately, building that capability is the core challenge for IT and IT security over the next five to ten years.
What about you? What do you think about these core problems? What other threats are you seeing? If you have any questions, comments or feedback, I’d love to hear it. At CREDANT, we work with some of the largest organizations in the world to help them build seamless data-centric data protection that allows employees to get their jobs done without causing problems. We do it in a way that seamlessly reduces risk, including the risk of a breach, so information can move from device to device in a managed and secure manner.
The recent release of the Cloud Security Alliance’s first whitepaper on Security as a Service is an important step for a lot of reasons.
As part of the important debate around the impact of the cloud on security practices, it’s important not to forget that the cloud can also be a positive force when it comes to information security. There’s no doubt that a wholesale move of sensitive data into cloud storage and processes is being held back by a raft of operational security concerns, as well as compliance and audit complexities. But at the same time the opportunities to actually improve security overall do exist.
In this white paper, the CSA outlined 10 types of service deliverables through the cloud itself:
- Identity and Access Management
- Data Loss Prevention
- Web Security
- Email Security
- Security Assessments
- Intrusion Management
- Security Information and Event Management
- Encryption
- Business Continuity and Disaster Recovery
- Network Security
At CREDANT, we’ve been closely involved in this initiative because it’s something all of us feel very strongly about. There is an opportunity to improve both the quality and the availability of key security technologies by using the cloud as a delivery mechanism.
In our case, with our singular focus on data security, encryption was the obvious vehicle. The role of encryption in enabling data to be securely stored in the cloud is pretty much universally accepted. However, the big hurdle that must be crossed now is to make the key management of that encryption secure, simple and cost-effective. If we can do that, then the opportunity to significantly move the safe use of cloud services forward will be immense.
There’s a massive amount of pent-up demand for cloud services, and making those services safe to use will have a far reaching impact on opening the cloud up for business. And that’s something worth working on.
On the off chance you missed any news outlet the last 30 days, an “anti security” movement has been reborn. Started in 1999, the Antisec Movement focused on encouraging security consultants and hackers not to disclose vulnerabilities to vendors. The recent resurgence of this movement has also morphed it into a campaign focusing on demonstrating the current weaknesses of security on the Internet. This is being brought to light via mass intrusion and the subsequent publishing of sensitive data such as e-mails, customer information and database details.
The most recent rash of high-profile compromises can be tracked to a group known as LulzSec, a splinter group from the bigger Anonymous collective. Along with other recently formed groups such as “Uberleaks” (@uberleaks on Twitter), we saw dozens of small breaches a day that resulted in private information being exposed. Even with “Uberleaks” apparently calling it quits, the Antisec movement is still going strong.
While the general trend of increasing data breaches is easier to understand, some of the breaches themselves become problematic to DatalossDB.org, a project designed to track such breaches. If a breach is problematic to a group of volunteers that have been tracking breaches for years, it spells trouble for consumers. Take for example the aforementioned “Uberleaks” group. They started out on Twitter and quickly created their own web site to flaunt their breaches, but their own cataloging of their activities was confusing.
On June 24, the DatalossDB team discovered their Twitter feed and immediately began investigating their declared breaches. Their ‘Releases’ web page showed a list of breaches without any numbering. The associated Pastehtml pages (a site they used to dump the pilfered information) numbered the breaches. That day, we discovered what they called breach #19, yet their own Releases page only showed 17. Incidents #6 and #14 could not be found. Further, incident(s) #9 and #10 were two different breaches, but both were attributed to “goodtasteinternational.com” (our investigation suggested one was actually worldmusicinstitute.org). Incident #12 was attributed to maxprotech.com in some places, but snap.nal.usda.gov in others. With such discrepancies, tracking these incidents becomes a challenge.
By the next day, “Uberleaks” had posted incident #27, but appeared to have an extra one thrown in that was not numbered (www.bbbsireland.ie). Later that day, another DatalossDB moderator had done additional digging and determined that one incident did not have PII, found that incident #14 was not going to be disclosed but involved a university, and found that several of the breached sites appeared to be old and no longer used by members. She contacted some of the sites warning them of the breach, but did not hear back.
Taking all of the above into account, how is the average consumer supposed to deal with these types of breaches? With so many incidents occurring, the mainstream media simply cannot write an article for every single one. That leads to the question of whether these organizations had any idea they had been breached and their information thrown out to the world. If an organization isn’t aware, it cannot warn its customers and begin to take additional precautions for data security. We cannot find any evidence these attacks were anything but so-called “low hanging fruit”, sites that had very simple vulnerabilities that were easily exploited. This helps to explain how one small group (guessed to be 2 or 3 people) could compromise so many sites in short order.
Is this the tip of the iceberg? The Open Security Foundation (OSF) believes so! Unfortunately for consumers and ourselves, this will only mean more headache in the near future. When we have to spend time researching who was breached in the first place, rather than simply cataloging a list of organizations, it spells disaster. On one hand, at least we know an incident occurred and have leads on tracking it down. On the other, without mainstream disclosure and customer notification, the published information becomes that much more vulnerable until details are established and corrective measures taken.
In the coming months, data breach tracking will become more challenging and time consuming. Consumers will come under increasing risk of having their information exposed, while companies irrationally rely on “there are juicier targets than us” as a means of defense. In the meantime, consumers should be that much more diligent in pressing companies to take data security seriously, but also be mindful of what information they give companies as they establish new relationships.
Guest Blogger Brian Martin of the Open Security Foundation (OSF)
Open Security Foundation provides independent, accurate, detailed, current, and unbiased security information. Open Security Foundation runs the Open Source Vulnerability Database (OSVDB) and the DataLossDB. DataLossDB is a research project aimed at documenting known and reported data loss incidents worldwide. The effort is now a community one, and with the move to Open Security Foundation’s DataLossDB.org, asks for contributions of new incidents and new data for existing incidents. OSVDB’s goal is to provide accurate and unbiased information about security vulnerabilities in computerized equipment. The core of OSVDB is a relational database which ties various information about security vulnerabilities into a common, cross-referenced data source. Data is acquired from common security industry sources, entered into the OSVDB database, and cross-referenced with existing information.
I’ve worked with HIPAA compliance ever since it was signed into law in 1996. Over the years working with many covered entities (CEs), and ever since HITECH was signed into law a very large number of business associates (BAs), I’ve heard some of the same questions. One I am getting more often from BAs, who for the most part are just now realizing that they need to get into compliance with HIPAA and HITECH, is: “With what parts of HIPAA and HITECH do I have to comply?”
BAs, as well as CEs, need to understand that they must comply with all HIPAA Security Rule and HITECH requirements. CEs need to comply with all HIPAA Privacy Rule requirements, and BAs will need to comply with them as well, depending on the types of services and products provided to CEs. An important point is that CEs and BAs must safeguard protected health information (PHI) at *ALL* times according to all the regulatory requirements.
I recently had a BA that provides cloud services to CEs tell me that they did not think that they needed to follow the HIPAA Security Rule Physical and Administrative requirements since they were a cloud service, which they viewed as being a strictly technology-based service, and since they used an outsourced data center. So, they thought they only had to follow the requirements listed within the Technical Requirements of HIPAA (45 CFR §164.312). Au contraire, mon frère! You cannot be selective in this way.
I had another BA tell me that they received patient databases from a CE that contained names, email addresses, mailing addresses, and assorted related medical information. They understood that the data had to be protected when it was sent from the CE to them, because they understood that it was PHI coming from the CE. Where their confusion came in was what they had to do after they received it. They asked, “We can send these files on to the companies who do outsourced work for us without any special security, right? It’s no longer PHI if we are sending it to a company that is not a CE, right?” WRONG!
Unless it has been de-identified (another topic for another time), PHI remains PHI after a BA receives it, and throughout any business processing, storage, subcontracting or other activity that occurs. Think about it; you want your doctor to protect your medical information and ensure they protect it so that it is not used inappropriately, and not shared with others who don’t need it, don’t you? Well, if they pass it along to some other organization to process, store or otherwise use, don’t you want that other organization to protect it just as stringently? One of the goals of HIPAA and HITECH is to ensure PHI remains appropriately secured no matter who is handling it. It’s all about protecting PHI, not about who is touching PHI. That’s an important point to understand. HIPAA/HITECH compliance is basically all or nothing; it’s not a pick-and-choose proposition.
Guest Blogger Rebecca Herold
Rebecca Herold, CIPP, CISSP, CISM, CISA, FLMI, is owner and CEO of Rebecca Herold & Associates, LLC, is partner in Compliance Helper, has been an adjunct professor for the Norwich University Master of Science in Information Assurance (MSIA) program since 2005, is working on her 15th published book, was recently voted the 3rd best privacy advisor in the world by Computer World, in addition to doing many other assorted information security, privacy and compliance activities. Rebecca Herold is also the author of the Realtime eBook Understanding Data Protection from Four Critical Perspectives available from CREDANT Technologies.
In my last post, I took on the argument that organizations in general are fairly indifferent to information security. Yes, the breaches we see hitting the headlines are bad, but they hit the headlines precisely because they are news, not because they are the norm.
However, I also made the point that I think things are going to get worse before they get better.
What we see now is the first ripples of a change that is occurring in the very way we will have to think about information security. The real splash is yet to come, and when it does, to paraphrase Robert Bolt, the wave may swamp more than a few boats.
For a long, long time (at least as is measured in the computing industry) security practice was the security of “stuff.” It was measured in firewalls deployed, network packets sniffed, devices monitored, locks on doors. And all these things are good, of course. Nothing here is going away, but the center of gravity for information security has shifted, and it has shifted away from “things” and towards “information.”
This may seem self-evident, that information security is about the security of information, but it would be a mistake to assume that’s the case. Partly this is driven by the history of security functions – they were often an offshoot of the IT department and therefore inherited an understandable bias towards network and machine security. It really took the emergence of both compliance mandates and breach notification laws to start to accelerate thinking towards information-centric security, and that shift is ongoing.
But while this sea-change is occurring, cross currents are further churning the waters. The emergence of cloud computing models essentially tears away the capability to manage security from a device-centric perspective, rather like ripping a band-aid off. It’s painful, and it’s happening quickly.
As a result of the pressure from business leaders to adopt cloud computing services, the security industry is being forced to quickly re-evaluate priorities and capabilities. Thinking about the security of devices becomes far less important when the devices in question are virtual, hosted off site, and beyond your control. Information-centric security becomes paramount because not only does it represent the core of the problem to be solved (how I keep data safe), it may also be the only thing over which your organization has control.
Cloud does not just drive a move to data-centric thinking, it demands it. And the companies that are successful in focusing on data-centric security will be the ones who can most aggressively adopt, and benefit from, the cloud.
The good news is that cloud also offers an opportunity to reset the way we provide security services and capabilities. As cloud offers the opportunity to very quickly offer services at a low cost to almost everyone, the possibility to deliver best-of-breed security to every organization on the internet suddenly opens up, and that may ultimately have a beneficial effect that vastly outweighs the short-term pain of this transition.
The cloud is going to change the way we consume IT services, and in the end it must also change the way we think about securing those services and the data upon which they operate. The good news is that finally the stars may be aligning, and good business sense may become the same as good security too.
In a recent article on Drdobbs.com, Andrew Binstock argues that breaches, especially the recent spate of very public hacks into large organizations by groups such as LulzSec, are the result of a degree of organizational indifference to security.
“Given that these hacks were nothing new — every month seems to bring forth a new one — you’d have to conclude that many businesses don’t view themselves as having an obligation to their customers to make sure data is secure.”
I think there’s certainly a kernel of truth here, but I also think it’s dangerous to use too broad a brush when painting a picture of the current state of security. It’s hard to argue that a lot of companies have done a poor job of securing their infrastructure and information. But—and it’s a very big but—a lot of companies have done a far, far better job than they are given credit for.
One of the common features of hacking (whether for malicious fun or profit) is that attackers tend to look for easy targets. In fact, research shows that a lot of successful attacks are somewhat opportunistic. The hacker looks for certain types of vulnerability and then tries to match a target organization with that weakness that they can exploit. Rarely do hackers actually go after specific organizations because of who they are (the attacks by LulzSec on Sony, and attacks on certain defense contractors by “APTs” are more exceptions than the rule.)
In this year’s Data Breach Investigations Report, the Verizon Risk Team (along with the US Secret Service and others) identified 83% of all the attacks that they investigated as being opportunistic in nature. The attacker picked that target because it exhibited a vulnerability that the attacker knew how to exploit. In only 17% of cases was the company targeted first and then a vulnerability sought.
What this means is that in the vast majority of cases, when hackers encounter an organization whose security *is* strong, they simply move on. Like predators in the animal kingdom, hackers seek the weakest targets simply because that is the most efficient (and risk-free) use of their time and resources.
What hits the headlines, then, is not a representative picture of how enterprises approach security, but rather a somewhat skewed view; in much the same way that the news headlines paint a rather different picture of life than is experienced by most people. What we see is the result of successful attacks on organizations that, for some reason, whether bad luck, insufficient resources, or yes, organizational disinterest, looked like an easy target to the wrong attacker at the wrong time. It’s not good, but perhaps it’s not as bleak as the article suggests.
I also think there’s another set of factors at work here, compounding the problem for businesses and government agencies struggling to catch up with security best practices. In fact, I think the worst is yet to come, but there is also tremendous opportunity, too. In my next post, I’ll discuss what I think those factors are, and why the problems of today may well be signposts to the solutions for tomorrow.
Back in May, the White House proposed sweeping new data breach legislation. The purpose of the proposed law is to simplify the various State reporting and notification obligations of companies when they (inevitably) lose the personal information of their customers, agents or employees. Generally speaking, those laws require companies to encrypt their data so as to avoid the harsh consequences of losing “clear text” personal information.
As I stated in a previous blog post, the proposed legislation creates new obligations on companies that handle personal information. In particular, when companies that are subject to the new law lose data, they will have to conduct a Risk Assessment as to the loss and notify the FTC of the results of the Risk Assessment. As in the past, centrally-managed encryption is one of the easiest ways to “pass” the Risk Assessment.
But what about small businesses? They are clearly covered by most of the State breach notification laws. Will they be subject to the proposed Federal law? Not necessarily. The new legislation only applies to those companies that possess “sensitive personally identifiable information about more than 10,000 individuals during any 12-month period” (§101(a)). While some will certainly have that much data, many small (and even medium-sized) businesses will not have that many records. They will therefore not be subject to the new legislation.
So if the Federal law will not apply to small businesses, will the pre-existing State laws remain in effect for them? This is unclear. The proposed legislation includes a preemption provision stating that “[t]he provisions of this Title shall supersede any provision of the law of any State . . . relating to notification by a business entity engaged in interstate commerce of a security breach of computerized data” (§109) (emphasis added). Did the White House intend to reduce the regulatory burden on small businesses? Possibly. But not likely.
As we watch for congressional action on this point to see if congress clarifies the applicability of the various breach notification laws to all businesses (see, for instance, Senator Leahy’s proposed Bill), the best course of action for every business is to encrypt its data. The common denominator for all of the legislation that we have been watching is that encryption protects companies from broad notification obligations.
The White House announced several interesting cyber-security initiatives yesterday—one of which is a proposed Federal Breach Notification Law that is being sent to congress for consideration. On a briefing call directed to the security industry, they made it clear that this law would pre-empt the various state laws in an effort to simplify compliance and enforcement. I am not so sure that they accomplished their goals.
Although the proposed Law presents many things that need to be considered, in essence it requires:
1) Businesses other than those covered under the HITECH Act (engaged in or affecting interstate commerce that use/possess personally identifiable information on more than 10,000 individuals during any 12-month period [note that this doesn’t cover every entity that is covered under the various state laws and so will present an interesting pre-emption issue—likely to be the subject of a future blog post]) who experience a
2) Security Breach (defined to include “loss”) of
3) Personally Identifiable Information (such as government-issued identification numbers, certain combinations of personal information, biometric data, and unique account identifiers [note that this last category is an interesting inclusion—likely the subject of a future blog post]) must provide
4) Prompt Notice (by letter or telephone call unless the individual has properly consented to e-mail notices AND if the breach affects more than 5,000 individuals, also provide notice to the applicable media and the consumer credit reporting agencies) unless they conduct a
5) Risk Assessment that concludes that there is no reasonable risk that a security breach has resulted (encryption and other means of rendering the information unusable in a generally accepted manner creates a presumption that “no reasonable risk” exists)
a. Note that this presumption may be rebutted by “facts demonstrating that the security technologies or methodologies in a specific case have been, or are reasonably likely to have been, compromised”
b. Note further that these Risk Assessments must be conducted “in a reasonable manner or according to standards generally accepted by experts”
6) Note that even if an entity has encrypted or otherwise protected the information, it is still required to notify the FTC of the loss or breach and provide the results of the Risk Assessment.
My initial reaction is that encryption is still the best way to guard against breach notifications—but companies will now have to be more vigilant about their actions post-breach. They will now have to conduct a Risk Assessment each time there is a loss or breach and then notify the FTC of the results (potentially including log information). Proof is critical.
The other day I commented that we need to make DropBox safe for the enterprise. I mean there have got to be millions of users who put work stuff in DropBox so as an industry we need to make sure all that data is safe, right? Sure. Of course. But how?
Ah, that’s where it gets tricky. As any security professional will tell you, electronic privacy is hard to do well. It requires a host of technologies like encryption, key management, identity management and authentication. More fundamentally, it requires that the provider and the customer agree on something called a threat model or risk profile.
What this means in the case of DropBox and other storage providers is that users really should answer several questions:
1. Who owns the data I’m putting in DropBox? – This is the person or organization ultimately responsible for protecting the data. And this will be the party that lawsuits, subpoenas and other unpleasant realities affect if the data is inappropriately disclosed.
2. Who should be able to view the data I’m putting in DropBox? – Is the data owner okay with data going into DropBox being public or should it be kept private?
3. What consequences would result from public disclosure of this data? – Who could be hurt?
4. Is it possible that anyone would want to use this data for illegal or malicious purposes? – What might the impact of that be?
5. Would someone be able to tamper with this data without my knowledge? – How can I continue to trust the data?
These and other questions make what started out as something so simple, to help users get their job done, a very serious consideration for most enterprises. When you stop to think about these questions, you reach one conclusion. Users should treat most providers like DropBox as publicly visible file shares. In other words, only put files in DropBox if you are okay with those files being available publicly at some point – because they just might become public someday.
But wait! There’s another side to this. Some vendors provide encryption to give user data privacy. That security may be built into the service or it may come as a 3rd party add-on. They say it’s military grade, AES-256 encryption. That’s the best encryption available, right? Right. So that takes care of it, right? WRONG!
Cryptosystems are difficult to implement properly. So we are now back to the tricky part I mentioned earlier: we have to understand and agree on who we trust and what we want to prevent. Here are a few points to think about in assessing your risk posture with respect to services like DropBox (I’ll generalize a bit and call them cloud providers to avoid beating up poor DropBox unnecessarily since most of their competitors have the same issue):
1. Is it okay for the cloud provider to store your encryption keys? – this certainly makes it easier for you but what new risks does it expose you to?
2. Even if they don’t store the encryption keys, is it okay for the key to be open and used for encryption within the service? – In other words, will you allow the provider to use your open key to encrypt and decrypt data, even if they have to get the key from you? Why is that an issue? Because if they have your open encryption key, it’s possible that they or some malicious code could access your data.
3. How does the encryption key get opened? – Does it open automatically or require a user credential first? Obviously automatically is more transparent but prompting for a user password can be disruptive to your users. Where do you draw the line?
4. Is access to the data audited? – How do you know who is accessing or attempting to access your data?
5. Can you prove that the data is encrypted? – This is the fundamental question for auditors and a requirement if you want to show those pesky folks that as an enterprise you are taking the right steps to protect your data – even in the cloud.
The questions could go on and on, but you get the point. Not every user or enterprise has the same answers to all of these questions. There’s no one-size-fits-all cloud security. Instead we need to start talking about Trust Models to better frame the conversation of what’s okay and what’s not okay in the cloud.
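To make questions 1 through 3 above concrete, here is an added example (not code from the original post, nor from DropBox or any other provider) of the client-side key handling that answers them one way: the provider stores only ciphertext plus a wrapped data key, and the key is opened only when the user supplies a credential. The Envelope layout, the inline PBKDF2 helper and its iteration count are assumptions of this example, not a published format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
)

// Envelope is all the provider ever stores: ciphertext plus the data key wrapped under a credential-derived key.
type Envelope struct{ Salt, WrapNonce, WrappedKey, DataNonce, Ciphertext []byte }

// kekFromCredential derives a key-encryption key from the user's password: a single-block PBKDF2-HMAC-SHA256 written inline (hypothetical helper) to stay stdlib-only.
func kekFromCredential(password, salt []byte) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // PBKDF2 block index 1, big-endian
	u := mac.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < 20000; i++ { // constructed iteration count; raise it in practice
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

func aead(key []byte) cipher.AEAD { // AES-256-GCM for a 32-byte key
	block, err := aes.NewCipher(key) // only a bad key length can fail here
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // the AES block size is always valid for GCM
	return g
}

// Seal encrypts plaintext under a fresh data key, then wraps that key under the credential-derived KEK. Both steps run on the client, never inside the service.
func Seal(password, plaintext []byte) (*Envelope, error) {
	buf := make([]byte, 32+16+12+12) // data key, salt, data nonce, wrap nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	dataKey, salt, dataNonce, wrapNonce := buf[:32], buf[32:48], buf[48:60], buf[60:]
	return &Envelope{
		Salt: salt, WrapNonce: wrapNonce, DataNonce: dataNonce,
		WrappedKey: aead(kekFromCredential(password, salt)).Seal(nil, wrapNonce, dataKey, nil),
		Ciphertext: aead(dataKey).Seal(nil, dataNonce, plaintext, nil),
	}, nil
}

// Open re-derives the KEK from the credential, unwraps the data key in memory and decrypts. A wrong credential, or a tampered envelope, fails at the unwrap step.
func Open(password []byte, env *Envelope) ([]byte, error) {
	dataKey, err := aead(kekFromCredential(password, env.Salt)).Open(nil, env.WrapNonce, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	return aead(dataKey).Open(nil, env.DataNonce, env.Ciphertext, nil)
}
```

Whoever holds an Envelope without the credential holds only ciphertext, which is the difference between the provider storing your open key (question 1) and merely storing a wrapped one (question 2); the credential prompt in Open is the trade-off question 3 asks about.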