Tom Olzak

Archive for June, 2009

Data discovery does not have to be just about security.

In Business Continuity, Data Security, Risk Management on June 30, 2009 at 12:37

Sitting back, looking at his security controls matrix, George felt comfortable with the trustworthiness of systems on which he expects sensitive information to reside.  His database servers are located on segments locked down and monitored by unified threat management (UTM) devices.  The NAS where he expects unstructured data (e.g., Word and Excel files) is encrypted.  Data in motion is also protected, with nothing leaving the boundaries of his network in clear text.  But he has a nagging feeling deep in his gut telling him something is missing.  Then it hits him.  What if users don’t put data where he expects?  Does he already have PII or ePHI stored in risky storage? The worst of it, George realizes, is that he has no tools to help him answer these questions.

George’s situation isn’t unique.  Across the globe security managers working for medium and large organizations are asking themselves these same questions.  The most common barrier to answering them is the absence of an effective data discovery tool.  Most of us have looked at data leakage prevention (DLP) solutions, but the cost is often high.  Further, DLP solutions often provide little value beyond the security controls matrix.  If you’ve done your job and achieved SOX or HIPAA compliance–an assertion verified by external auditors–you may find it hard to get approval for additional dollars for a security-only solution.  But there may be another way.  Why not demonstrate to executive management that the proposed solution will not only solve multiple security problems; it will also address an increasingly painful business challenge—e-discovery.

The DLP products I’ve seen were largely designed for just that, DLP.  E-discovery is typically added as an afterthought due to growing market demand.  However, when I looked at solutions designed specifically for e-discovery I made an interesting discovery: not only were they designed to discover and deal with data at rest, they also cost much less in most cases.

One of my favorite e-discovery solutions is StoredIQ’s Intelligent eDiscovery module.  The module works without an agent installed on target systems and runs on a network appliance.  Based on the EDRM model, it performs the following tasks (from StoredIQ product Web page):

  • Scanning
    Targeted scanning is available by custodian, path, share, server, modify date, and additional key metadata. Expansive scanning helps prove that any potentially relevant ESI [Electronically Stored Information] was not missed.
  • Identification by content and metadata
    StoredIQ Intelligent eDiscovery provides topology mapping of potentially relevant ESI by sources, key player names, date ranges, keywords and document types.
  • Collection and preservation
    Data objects are copied to a central repository, with no alteration of system or object metadata. An audit trail of the copy process is developed that supports chain of custody and authenticity. Original, full-object path, SID and ACL information is properly maintained.
  • Indexing and searching
    StoredIQ Intelligent eDiscovery performs content-level culling by full-text indexing your preserved data collection. Data is culled based on input from legal counsel regarding potentially relevant document sources, key player names, date ranges, keywords, phrases, metadata, classifications, concept tags or document types.
  • Review-ready output
    Users can produce review ready output of native files with Concordance or standards-based XML load files. The product supports all rolling productions, allows subsequent collections to be compared to prior productions, and permits only the new documents to be produced.
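The scanning and content-and-metadata identification steps above, as an added example in Python that is not StoredIQ’s or any other vendor’s code: it walks a directory tree, applies two constructed content detectors (a US SSN pattern and Luhn-validated payment card numbers), records the metadata the list mentions (path, size, modify date, owner), and flags any hit that sits outside the storage where policy expects sensitive data, which is exactly George’s question from the opening post. The directory names, the `expected_prefixes` policy, and the sample files are all constructed assumptions.

```python
"""Minimal data-at-rest discovery scanner (added example, not a vendor's code).
Walks a tree, detects sensitive content, records metadata, and flags hits that
live outside the storage locations where policy expects them."""
import os
import re
import tempfile
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Tuple

MAX_BYTES = 4 * 1024 * 1024  # read at most this much of each file

# Constructed detectors; a real tool would carry a much broader PII/ePHI taxonomy.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d{4}[ -]){3}\d{4}\b|\b\d{13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: drops digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:              # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> Dict[str, int]:
    """Return {detector: match_count} for each detector that fires on text."""
    hits: Dict[str, int] = {}
    ssn = len(SSN_RE.findall(text))
    if ssn:
        hits["ssn"] = ssn
    cards = sum(1 for m in CARD_RE.finditer(text)
                if luhn_ok(re.sub(r"[ -]", "", m.group(0))))
    if cards:
        hits["card"] = cards
    return hits


@dataclass
class Finding:
    path: str
    hits: Dict[str, int]
    size: int
    modified: str       # ISO-8601 UTC modify date, one of the scan keys above
    owner_uid: int      # stand-in for the custodian / SID information
    expected_location: bool

    @property
    def risk(self) -> str:
        # Sensitive data in approved (e.g. encrypted NAS) storage is low risk;
        # the same data anywhere else is the "risky storage" George worried about.
        return "low" if self.expected_location else "high"


def in_expected_location(path: str, expected_prefixes: Tuple[str, ...]) -> bool:
    norm = os.path.normpath(path)
    return any(norm.startswith(os.path.normpath(p) + os.sep) for p in expected_prefixes)


def scan_tree(root: str, expected_prefixes: Tuple[str, ...]) -> List[Finding]:
    """Scan every regular file under root and return only files with hits."""
    findings: List[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    text = fh.read(MAX_BYTES).decode("utf-8", errors="ignore")
                st = os.stat(path)
            except OSError:
                continue  # unreadable file; a real tool would log it for follow-up
            hits = find_sensitive(text)
            if hits:
                findings.append(Finding(
                    path=path, hits=hits, size=st.st_size,
                    modified=datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
                    owner_uid=st.st_uid,
                    expected_location=in_expected_location(path, expected_prefixes)))
    return findings


def demo() -> Dict[str, str]:
    """Build a constructed sample tree, scan it, return {relative path: risk}."""
    base = tempfile.mkdtemp(prefix="discovery-")
    samples = {  # constructed content; the card number is a well-known test value
        "encrypted_nas/hr/benefits.txt": "Employee SSN 123-45-6789 (constructed)\n",
        "user_share/finance/refunds.txt": "Card 4111 1111 1111 1111 refund pending\n",
        "user_share/ops/orders.txt": "Order 4111 1111 1111 1112 shipped\n",  # fails Luhn
        "user_share/docs/readme.txt": "Meeting 2009-06-30 at 12:37\n",
    }
    for rel, body in samples.items():
        full = os.path.join(base, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    expected = (os.path.join(base, "encrypted_nas"),)  # assumed policy: only the NAS
    return {os.path.relpath(f.path, base).replace(os.sep, "/"): f.risk
            for f in scan_tree(base, expected)}


if __name__ == "__main__":
    for rel, risk in demo().items():
        print(f"{risk:>4}  {rel}")
```

The Luhn check and the SSN area/group exclusions cut false positives, but pattern matching alone will never be clean: a discovery report is a worklist for review, and the metadata fields (owner, modify date, location) are what let a security manager prioritise that list rather than chase every hit.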

By itself, the eDiscovery module can locate files containing sensitive information, wherever they sit, and let you know if they present high risk.  With the addition of the vendor’s Information Governance module,

Policies can be defined to associate an appropriate action (such as retain or secure) and apply it to positively identified and classified objects. Policies are symmetrically scaled across the StoredIQ platform to improve performance and scalability. Deep policy auditing at the individual item level is also supported (Information Governance product Web page).

StoredIQ isn’t the only solution which offers this dual functionality.  McAfee, through its acquisition of Reconnex, offers a similar solution.  The McAfee product, however, is more DLP focused: it not only finds files at rest, it can also identify sensitive data in motion.  McAfee claims it will integrate the Reconnex functionality into its centralized management product, ePolicy Orchestrator, by the end of 2009 or early 2010.

Both of these solutions provide both DLP and e-discovery functionality at some level.  So it might make sense to speak with your legal team before you try to make a case for a data discovery tool.  Consider their e-discovery challenges when building your requirements and business value analysis presentations.  You should be able to spread the cost across multiple challenges, thereby enhancing the value of your solution.  You might also be able to enlist the legal department as an ally.  Altogether you just might have enough to convince the signer of the checks that he or she is making a good business investment, not just incurring another security expense.

Security success requires user perspective

In Business Continuity, Data Security, Mobile Device Security, Security Management on June 29, 2009 at 11:28

It’s easy to blame business users and management for data breaches, bypassed security controls, or other risky behavior.  Often the blame is properly directed, but most employees want to do the right thing.  Often doing the right thing isn’t easy, because security controls are too restrictive, preventing users from doing their jobs.  In these cases, the responsibility for insecure behavior may rest on the shoulders of the control design and implementation teams.

Laptop encryption is a good example.  No one denies laptop encryption is a good idea.  It’s just about the only way to ensure sensitive information is inaccessible when one of these mobile devices is lost or stolen.  However, given the means and the excuse to turn off encryption, users may do just that.  Users who don’t or can’t turn off encryption may instead lapse into other unsafe behavior, assuming that encryption will protect them from everything. 

For example, users may use weak passwords when strong passwords were the pre-encryption norm.  Other misconceptions and insecure behavior include:

  • Fifty-nine percent of business managers surveyed “strongly agree” and “agree” that encryption stops cyber criminals from stealing data on laptops versus 46% of IT security practitioners who “strongly agree” or “agree.”
  • Sixty-five percent of business managers surveyed record their encryption password on a private document such as a post-it note to jog their memory or share the key with other individuals. Virtually none of the IT security practitioners record their password on a private document or share it with another person.
  • Fifty percent of business managers have disengaged their laptop’s encryption solution and 40% admit this is in violation of their company’s security policy.
  • Fifty-two percent of business managers sometimes or often leave their laptop with a stranger when traveling.

Source: The Human Factor in Laptop Encryption: UK Study, Ponemon Institute, December 2008

There are many reasons why non-technical users behave in this way, including:

  • Poor security design.  If you impose a security control on users without looking at what it looks like from the perspective of the user experience, you will often fail to meet your outcomes.  Users have a job to do.  They’re often under time constraints and pressure from management.  If a security control makes it impossible to achieve business outcomes it will be bypassed if possible.  And no, the answer is not necessarily to lock everything down.  Remember it’s all about balance.
  • Poor user awareness efforts.  When you introduce a new control, like encryption, be sure to accompany it with the right message.  Tell users that encryption is an add-on, not a replacement for existing controls.  If a user changes his password from “JYxgCg7d0AzVpg” to “Victoria” because he believes encryption is a “magic bullet”—and prefers to use his daughter’s name anyway—you may have actually weakened your security. 

The best way to avoid these pitfalls is to begin with a series of business use cases.  Use cases help identify scenarios in which users will find themselves up against your controls.  In each case, you should ensure the controls do not stop the user from working.  Explore safe workarounds which let users get their work done without opening the wrong door.  Will there be exceptions?  Of course.  But at least you’ve identified them, discussed the consequences with business management, and obtained their support.

Beware Regulatory Hysteria

In Data Security, Government, HIPAA, Policies and Processes, Privacy on June 13, 2009 at 09:18

Regulatory Hysteria: Knee-jerk overreaction to new regulations, often placing individual privacy at risk.

For years, since before HIPAA and SOX, organizations have often overreacted to government mandates.  Some of the blame falls on accountants and security consultants who don’t understand the law, are trying to make a few extra bucks, or are simply covering their own butts. In other cases, organizations simply suffer from what I call regulatory hysteria.  Whatever the reason, overreacting to regulatory requirements can sometimes put customers and employees at greater risk.

Sherri Davidoff writes about a recent incident in which she appears to have been personally involved.  The post, located at philosecurity.org, describes the effects of FACTA and its Red Flag Rules on patient privacy.

Sherri was apparently confronted with a notice of a new requirement to produce a photo ID when she visited her doctor.  Since she didn’t have one, the office staff wouldn’t process her for her appointment.  While she stood there, Sherri observed staff scanning patient driver’s licenses for filing in their computer system.  Sherri was upset that she was inconvenienced and about her doctor demanding additional personal information.  Was she justified?  Maybe.

First, the Red Flag Rules are designed to protect us from criminals who seek to steal our identities for financial gain, including using our health insurance.  Health insurance theft is a big problem and growing.  The rules also help ensure someone can’t receive care under your name and have those results placed in your records, with the possible result of you receiving harmful care based on invalid assumptions about your health.  They are a good idea, and Sherri should simply get a photo ID—although there are other ways to verify identity, and the doctor might try to be a little more flexible.

Scanning of licenses or other photo IDs, however, is another matter.  There is no requirement to scan and store proof of identity.  The requirement is to demonstrate documented processes to:

  • Verify a potential patient’s identity
  • Report possible identity theft

This particular case looks like butt-covering rather than reasonable and appropriate compliance with the law.  And even if Sherri did produce a photo ID, how much effort is actually taken by the office staff to verify the ID itself?  What training did the staff receive to help them identify fraudulent documents?  Do they even compare the photo—I mean actually look at it—with the person standing in the reception window?  These are more important considerations than getting a scanned copy of a photo ID.  Finally, does the office staff simply accept verbal confirmation of identity for future visits once a scanned ID is in the system?  I hope their scanner is better than most, or picture quality will be close to worthless.

The other issue Sherri wrote about was her concern about the office potentially storing additional information about her in their computer system.  If the office is HIPAA compliant, and ePHI is protected in accordance with the security rule, this shouldn’t be an issue.  If it isn’t, Sherri has bigger problems than not having a photo ID or having an ID scanned.

My problem with Sherri’s visit is different from hers.  There is apparent compliance with the Red Flag Rules.  However, compliance extends far beyond a simple scan of an ID.  If the office manager simply uses the scans as evidence that an ID was produced without requiring trained employees to follow an actual identity verification process, then there is no compliance—just the appearance of compliance.  I think Sherri should be more concerned with how the office staff verifies her identity during each visit, and whether they are actually compliant with the HIPAA security rule, than whether they require a photo ID.

Security Risk Extends Beyond Simple Loss of Data

In Business Continuity, Data Security, Government, Insider risk, Mobile Device Security, Network Security, Patching, Risk Management on June 7, 2009 at 14:52

Laptop encryption as a security control has become an expectation rather than an option.  Organizations worried about data breaches and their possible business impact are spending exorbitant percentages of IT budgets to avoid having to tell customers or employees they’ve lost their personal information.  Couple this with regulatory requirements to report certain types of breaches, and laptop encryption becomes as common on mobile systems as Notepad.  But not everyone agrees with this movement to protect laptop data at all costs.

Even the big picture suggests that spending is poorly allocated. “Thieves got 99.9 percent of their data from servers and 0.01 percent from end user systems, but enterprises spend about 50 percent of their security budget on endpoint security,” [Dr. Peter Tippett, founder of ICSA Labs] said. “They should spend more of it on server security.”

“The cause is a problem I call WIBHI, for Wouldn’t It Be Horrible If,” he said.

He added that it explains laptop encryption. He said that we encrypt laptops not because it will protect them better (passwords are good enough for that) but because we don’t have to report a breach if the laptop was encrypted.

Source: Enterprise Security Should Be Better and Cheaper, Alex Goldman, Internetnews.com, 6 June 2009

I make a habit of reading as much as possible about actual breaches, and I agree that we may be overdoing it a bit when we put multiple layers of security on devices which are not typically the primary target of attackers.  But I have three questions for Mr. Tippett.  What about botnets?  What about loss of access to critical systems due to malware-caused enterprise network shutdowns?  And what about the impact on a business if the public discovers encryption—a security control they’ve been told must be implemented or a business is negligent—was not used on a lost laptop containing personal information?

Business risk extends beyond a simple breach.  Its scope must include all possible negative impact scenarios which might be caused by weak endpoint security.  Yes, it is all about the data, including its availability and public perception—not necessarily based on a scientific assessment of actual risk—of how well it’s protected.  So until potential victims, potential customers, careless employees, and knee-jerk-driven politicians are removed from the risk formula, we will likely continue to spend more than might be reasonable and appropriate in a perfect world.