Posted by: David Schneier
assessment, Audit, compliance, GLBA, NPPI, PCI, PII, regulatory, Regulatory Compliance, risk, risk assessment
Let me begin by sharing a story from the way-back files. In the mid-’80s, when I was first starting out in my career, I was working as a junior programmer in Manhattan. Courtesy of playing on the corporate softball team I became acquainted with a fairly diverse group of people, ranging from those in the trenches where I plied my trade all the way up to the executive suite. One of the people I came to know well was senior in the internal audit department. One day I learned that he had been fired rather suddenly earlier in the day, something that definitely came out of nowhere. I came to find out that, under the guise of conducting audit work, he had gained access to the company’s compensation data file and was logged browsing employee records from the CEO on down. The problem was that he wasn’t conducting any audit that would explain his actions; he was doing it simply because he was curious what certain executives were being paid. Having been caught red-handed and without a viable explanation, he was terminated on the spot and escorted out of the building.
This was someone who, for all intents and purposes, had nothing to gain from doing something so blatantly stupid. As an auditor he was likely aware of the logging capabilities available on the host (mainframe) system. He also had direct knowledge of the audit culture and the degree of scrutiny they placed on certain internal artifacts and/or repositories. But in the end his basic human nature created an override allowing him to indulge his curiosity. For me that meant that you could never assume that any manner of stored information was ever truly safe and secure.
Thus began my basic mistrust of storing sensitive information in electronic repositories.
With that in mind, imagine my horror as technology began a rapid progression away from centralized storage and started spreading out, first within the infrastructure to distributed applications and eventually breaching the walls of the data center and finding new homes elsewhere in other companies’ so-called data centers. Beyond the fact that you don’t truly know how secure your data is (notwithstanding reports and attestations to the contrary), it now also has to traverse communication lines that, despite what you may want to believe, are vulnerable in a number of very real ways. And we’re not just talking business data, we’re talking social security numbers, bank account numbers, credit card numbers and, and, and……
I simply don’t trust that any sensitive data is ever truly protected anymore. I operate under the assumption that there are two common states with regard to data security: known breaches and those yet to be discovered. When I’m challenged with the logic that we’re always told about confirmed breaches eventually, and so we know exactly how much has been exposed, I laugh. All that means is that the hackers and criminal element slipped up along the way; a confirmed breach indicates someone made a mistake. I truly believe that a successful breach is never detected, that the perpetrators behind it figure out the proper balance between skimming data and moving it around for illicit gains so that it never hits the radar.
And I think the threat comes from all over the map. I think it’s often internal, someone on the inside behind the firewall and locked doors or someone with legitimate access to databases. I think it’s sometimes along the way between a transmission’s point of origin and its destination. And I think it’s often at points of exposure along the way. I just don’t believe that there aren’t rogue employees at offsite storage facilities who know how to rig the system and grab media with all manner of PII and NPPI with no one ever the wiser. I reject the notion that it’s impossible for employees of the popular SaaS companies to gain undetected access to a wide variety of information typically considered private and secured. I think this happens regularly (if not often) and that as long as we remain blissfully ignorant this will continue to happen indefinitely.
I use only one rule when it comes to how best to protect sensitive data: if the human element is involved in any way your data is at risk.
And if you’re not truly yet at risk, if there have been no concerning or inappropriate attempts to access your choice data, that’s either because they haven’t gotten to you yet on their to-do list or your choice data isn’t as choice as you might think.
If I had it my way, everything would be moved back to Big Iron in an internal data center and I’d go hog-wild slapping every conceivable monitoring tool and detection device wherever possible. Short of that, I’d select solutions that could only be run behind my firewall and on telecom pipes that I directly controlled, to further minimize my exposure. Oh, and I’d probably fire anyone who ever even mentioned migrating to the cloud, just to set an example.