Hacking

Data Security’s $64 Billion Question: Who Are You?

In today’s Internet-driven world of business, customer data — traditionally the lifeblood of any enterprise — takes on a new and frightening importance.

On the one hand, businesses have to provide partners, staff and contractors access to data; on the other, they have to ensure that data does not get lost by accident — or stolen.

Meanwhile, they have to also cope with the threat of data breaches by organized gangs of cybercriminals who target data in the enterprise.

The computer industry has come up with various proposed solutions, all around one main theme: identity management. Know who’s in your network and why they’re in there. Then you can control access to your applications and data.

The Rising Tide Of Data Loss

From January through May 19 of this year, almost 262 million records containing personal information were allowed to be compromised by U.S. firms, according to Privacy Rights Clearinghouse. In reality, though, that number could be higher — the Privacy Rights Clearinghouse admits its list is not comprehensive.

The figure includes data lost through all means, whether computer-based or paper-based. The Privacy Rights Clearinghouse is a nonprofit consumer information and advocacy organization.

That number would be more than 17 times the total number of records lost during the same period last year, except that precise total figures of the amount of data lost were unknown in many breach instances. The most prominent such case was the breach payment card processor Heartland Payment Systems reported this year. The firm handles more than 100 million transactions per month, but details about the massive breach it suffered are still sketchy.

In other words, nobody knows how much data is stolen or how many people’s records have been exposed more than once. What is known, however, is that data loss is an increasing problem.

The Lowdown on Losses

Customer data can either be stolen by hackers coming into an enterprise system from the outside, which happened in the Heartland breach, or through carelessness or theft by insiders, business partners and contractors.

Organized gangs of cybercriminals are behind many of the attacks targeting banks and companies such as Heartland Payment Systems. The gangs are run along business lines — they’re in it for the money — and strike at targets that give them the most bang for the buck.

As for the internal threat, a survey conducted earlier this year by the research firm Ponemon Institute and security vendor Symantec found that 59 percent of employees who had lost or left their jobs in 2008 stole company information, such as customer contact lists.

Back in September, for example, former Intel engineer Biswahoman Pani, of Worcester, Mass., was charged with stealing confidential documents, including 13 that were designated top secret. He allegedly downloaded them onto his corporate laptop while on vacation.

Carelessness is another major cause of data loss. On May 19, the National Archives and Records Administration lost a hard drive containing 100,000 records, according to DataLossDB, a research project documenting known and reported data loss incidents worldwide. An unknown number of the records had sensitive personal information, such as names, addresses and Social Security numbers.

Rules for Managing Data

Before an enterprise hops out to purchase IT solutions, though, it should set up some data access rules.

Enterprises should first establish which data is confidential and who should and should not have access to that data, Eric Lundbohm, director of Americas marketing at security vendor Marshal8e6, told TechNewsWorld.

They should then educate employees about what the company expects of them in terms of protecting that data, and set up best practices for protecting and using the data.

“Jumping straight into purchasing products without thinking through the process of data management makes the purchase out of phase,” he said.

Once they have set up a process, enterprises should look at installing gateway systems to manage data coming in and going out of their IT systems — especially in email — and control and manage removable devices — at the very least.

“If you train your users and plug your email with a gateway product, you’ve taken care of 80 percent of your problems,” Lundbohm said.

Who Are You?

The key to all security is identity control. Once an organization knows who a given person on its network is, it can then decide what access that person should and should not have, or if access should be given at all.

Several vendors, including Microsoft, IBM, Oracle and BMC Software, have come up with identity and access management solutions over the past year.

These solutions automate role management and make it easier to implement access control and cancel access, or deprovision users, when they leave a company or transfer to other departments.

“Identity answers two fundamental questions: Who are you, and what can you do?” J.G. Chirapurath, director of Microsoft’s identity and security business group, told TechNewsWorld. In the new threat landscape, you can only protect yourself if you understand those two questions, he said.

The Redmond Solution

Earlier this year at the RSA security conference, Microsoft announced its Business Ready Security initiative.

This brings together the notion of access, protection and management around a strong, user-centric identity system integrated with a secure platform, Chirapurath said.

The software giant recently released the second beta of Geneva, its open platform that integrates and extends security across the enterprise, helps protect users everywhere, and lets them access data from anywhere.

More on Geneva

Geneva will also interoperate with identity and access management solutions from various partners. These solutions include CA Technologies Federation manager, CA SiteMinder, Novell Access Manager, SAP NetWeaver and Sun Microsystems OpenSSO Enterprise and Fedlet.

It will let enterprises develop complex, identity-aware applications that have application authentication, attribute lookup, and authorization built in during the development stage, Microsoft said.

Geneva extends Active Directory authentication and single sign-on to cloud-based services so IT can centrally manage access to applications on different platforms. “Microsoft’s position is, security can’t just be one company’s challenge to solve,” Chirapurath said. He referred to the massive Conficker worm as an example of the need for teamwork. “Conficker was a wake-up call for the industry — it was a global phenomenon that was massively put together and that requires a coordinated effort to fight it.”

Big Iron’s Take on the Issue

Microsoft’s approach is good, but tackling the complexities of the mainframe environment may require something different.

“Today, 70 percent of all commercial data and transactions are on mainframes,” Vince Re, senior vice president of CA’s mainframe business unit, told TechNewsWorld. “Mainframes are wonderfully secure and robust, but they’re also very diverse — you have lots of applications and they all have different approaches to authentication, for example.”

That diversity calls for centralized management and control, something other platforms may have trouble coping with because they are not structurally equipped to handle the complexities of mainframe applications.

“Most other platforms, Windows and Unix, have the notion that the user of the resource gets to set the security,” Re said. “You may have thousands or millions of permissions on a mainframe, and separately from making them all work together, you need to ensure that only the right permissions exist and only the right rules are set up to match your corporate standards.”

Why Pick Mainframe Tools?

CA offers a plethora of tools to handle security, identity and compliance. It has two of the top three mainframe security tools — ACF2 and Top Secret. The former focuses on resources, the latter on user identities. For identity and access management, it has Cleanup. It also has role management and governance, risk and compliance tools.

“It’s really hard to implement identity and access management if you have policies scattered all over the place in SQL databases, spreadsheets and so on,” Re said.

“On the mainframe, you collect all those policies in one place and there tends to be an order of magnitude fewer rules which makes it easier to manage, clean up and enforce them.”

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

More by Richard Adhikari
More in Hacking

Technewsworld Channels