
How Do You Deal With Sensitive Data?

imus writes "Just wondering how most IT shops secure sensitive data (customer records). Most centrally managed databases seem to be monitored and maintained very well and IT workers know when they are tampered with or when unauthorized access occurs. But what about employees who do legitimate selects from these databases and then load CSV files and other text files onto their laptops and PDAs? How are companies dealing with situations where the database is relatively secure, but end-use devices contain bits and pieces of sensitive business data, and sometimes whole segments? Does anyone use sensitive data discovery software such as Find_SSNs or Senf or other tools? Once found, how do you deal with it? Do you force encryption, delete it or prevent extracts?"
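
The kind of scan the question asks about, as an added example (not part of the original submission and not the code of Find_SSNs or Senf): a minimal SSN finder for text extracts such as CSV files. The file name, sample rows and function names are constructed for illustration; the structural rules (no area 000, 666 or 9xx, no group 00, no serial 0000) are the published SSA numbering rules.

```python
import re

# Nine digits with a consistent optional separator. The lookarounds stop
# matches inside longer digit runs such as phone or account numbers.
SSN_RE = re.compile(r"(?<![\d-])(\d{3})([- ]?)(\d{2})\2(\d{4})(?![\d-])")

def plausible_ssn(area, group, serial):
    """Apply the SSA structural rules to cut false positives."""
    if area == "000" or area == "666" or area[0] == "9":
        return False
    return group != "00" and serial != "0000"

def scan_text(name, text):
    """Return (file, line number, masked value) for each plausible SSN."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            area, _, group, serial = m.groups()
            if plausible_ssn(area, group, serial):
                # Report only the last four digits so the scan report
                # does not become another copy of the sensitive data.
                findings.append((name, lineno, "***-**-" + serial))
    return findings

# Constructed sample extract; every value is made up.
SAMPLE_CSV = """id,name,ssn,phone
1,Alice Example,219-09-9999,555-867-5309
2,Bob Example,000-12-3456,555-123-4567
3,Carol Example,457555462,5551234567
4,Dan Example,912-34-5678,n/a
"""

if __name__ == "__main__":
    for finding in scan_text("customers.csv", SAMPLE_CSV):
        print(finding)
```

Rows 2 and 4 of the data are rejected by the structural rules and the phone numbers never match, so only two findings are reported.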

  • Policies (Score:4, Interesting)

    by larien ( 5608 ) on Monday July 28, 2008 @06:36PM (#24376545) Homepage Journal
    Partly, you need policies to discourage end users copying data anywhere it's not needed. And I really, really mean discourage, up to and including possible sacking.

    At a technical level, every laptop/portable data storage device should have its hard drive encrypted. Disable USB ports if you can get away with it, or at least put software on which forces encryption of files sent to USB keys. That will cover most of your issues.

    Users will legitimately require access to sensitive data as part of their job; the IT department should have the power to ensure they don't do it in a way that exposes the company to the embarrassment of losing a laptop with SSNs in the subway...

  • by bugnuts ( 94678 ) on Monday July 28, 2008 @06:47PM (#24376703) Journal

    Once found, how do you deal with it? Do you force encryption, delete it or prevent extracts?

    First off you need to have a policy on who is allowed to extract it, and how they should handle the data (be it encryption, keeping the data on-site, etc).

    But here's the trick: If you find data kept in violation of the policy, you send EVERYONE to training. I'm talking mandatory training where they lose computer access (and thus, don't get paid) until they do the training. All new hires have to do it, too. Make it really boring, and administered after normal work hours.

    After the first time everyone is sent to training for some poor schmuck being careless, I guarantee nobody will ever violate policy again.

  • by Joe The Dragon ( 967727 ) on Monday July 28, 2008 @07:02PM (#24376903)

    Don't let PHB's run the show and don't buy based on golf course meetings.

  • by Bandman ( 86149 ) <bandman.gmail@com> on Monday July 28, 2008 @07:11PM (#24377023) Homepage

    I can't imagine a need for an employee to have any bit of our client's data on their PDA. There's really no excuse for that at all.

    As for laptops, sure, we issue our employees laptops, with which they are able to work from home via VPN. There are occasions where the employee will have to save and modify excel spreadsheets, or CSV files, as you mentioned.

    Ideally, whole drive encryption would be utilized, but it's not (yet) in our case. I've been behind the times implementing that.

  • by bugnuts ( 94678 ) on Monday July 28, 2008 @07:12PM (#24377027) Journal

    Causing several unproductive hours for the majority of the work staff doesn't sound like a good idea to me.

    Actually, I was being mostly facetious....

    Except that it is how several companies do it, due to government contracts, insurance, and (gasp) congressional decree.

    I honestly had to take several training courses (yearly) because someone screwed up. And when that happens, the peer pressure is really increased to not screw up.

    One time, a person randomly tripped in the hallway, and the potential workman's comp issue was terrifying. I joked that we would have to go to training to learn how to walk. And guess what... "paying attention while walking" was added to an existing mandatory training course!

    Ah, government work.

  • by aztracker1 ( 702135 ) on Monday July 28, 2008 @07:12PM (#24377029) Homepage
    totally agreed.. I'd say have a special lookup table for SSNs, and have a 1-way hashed version in the main table/views... no select queries for the SSN, only an sproc where you enter the key, and get the value, for use in a program where you need to see it... for those that need to "lookup" a record based on SSN, then you can hash it, and search based on the hash. Unless you need it for filling out medical, tax, or other government records, there is *NO* need for any person to have access to a raw table with SSNs, let alone have it on a portable device. I'd say the same for CC information, and Street Addresses... 99.9% of the time, there's no need to even be able to view said info.. let alone for it to be anything but a lookup/hash value.
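
The layout described in the comment above, as an added example that is not part of the original post: a main table holding only a one-way value, a separate restricted table holding the raw SSN, search by hashing the input, and a single keyed lookup function standing in for the stored procedure. Assumptions: SQLite in memory, the table and function names, the `tax_reporting` role and the demo key are all constructed; the example uses a keyed HMAC rather than a bare hash because the nine-digit SSN space is small enough to enumerate against an unkeyed digest.

```python
import hashlib
import hmac
import sqlite3

# Assumption: in production this key sits in a secret store or HSM,
# never in the database that holds the index. Constructed value.
INDEX_KEY = b"constructed-demo-key-not-for-production"

def normalize(ssn):
    digits = "".join(ch for ch in ssn if ch.isdigit())
    if len(digits) != 9:
        raise ValueError("SSN must contain exactly nine digits")
    return digits

def ssn_index(ssn, key=INDEX_KEY):
    """Keyed one-way value stored in the main table and used for searches."""
    return hmac.new(key, normalize(ssn).encode(), hashlib.sha256).hexdigest()

def build_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers "
               "(id INTEGER PRIMARY KEY, name TEXT, ssn_hmac TEXT UNIQUE)")
    # Raw values live only here; a real deployment would also encrypt this
    # column and grant no direct SELECT on the table.
    db.execute("CREATE TABLE ssn_vault (customer_id INTEGER PRIMARY KEY, ssn TEXT)")
    return db

def add_customer(db, name, ssn):
    cur = db.execute("INSERT INTO customers (name, ssn_hmac) VALUES (?, ?)",
                     (name, ssn_index(ssn)))
    db.execute("INSERT INTO ssn_vault VALUES (?, ?)", (cur.lastrowid, normalize(ssn)))
    return cur.lastrowid

def find_by_ssn(db, ssn):
    """Look a record up by SSN without ever selecting the raw column."""
    return db.execute("SELECT id, name FROM customers WHERE ssn_hmac = ?",
                      (ssn_index(ssn),)).fetchone()

def reveal_ssn(db, customer_id, caller_role):
    """Stand-in for the stored procedure: one key in, one value out."""
    if caller_role != "tax_reporting":
        raise PermissionError("role may not view raw SSNs")
    row = db.execute("SELECT ssn FROM ssn_vault WHERE customer_id = ?",
                     (customer_id,)).fetchone()
    return row[0] if row else None
```

An extract of the `customers` table taken to a laptop then carries only the HMAC column, which is useless for recovering SSNs without the key.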
  • by bogaboga ( 793279 ) on Monday July 28, 2008 @07:24PM (#24377197)

    Well, in our environment, (an insurance company), the system will allow those authorized to copy data onto their notebooks, but what happens is that what actually gets written or copied are not the actual data. From what I know it goes something like this:

    Say the actual Name is John Doe and SSN is 123-456-789 and DoB is 1976-12-08, what gets copied is something like Name: XvfC Gzd, SSN: 908-954-213, DoB: 2788-98-98.

    So you work with the dummy data instead of the actual thing. Once done with whatever you wanted to do, the data get processed to reflect the needed changes before being written to disk.

    Even after getting written, committing only happens after rigorous checks.

  • by Moraelin ( 679338 ) on Monday July 28, 2008 @07:46PM (#24377517) Journal

    And you might have gotten away with it too, if it weren't for those pesky kids... from marketing and sales.

    Honestly, I don't know about government, but in most other places it seems to invariably be some sales or marketing guy who's lost a hard drive full of SSN's and contract data and whatnot. I guess it's simply a tale of greed. The prospect of selling an extra copy/insurance/account/contract is tempting enough to override all other concerns. So when you try saying that Mr Marketing GOD can't take all that data with him, guess who wins? Remember also that he's the guy who knows how to sell stuff to people, including his side of the story, while you're probably the security nerd that doesn't even speak management.

    To go on a roundabout tangent towards how _I_ would fix it: the funny thing is that the market can work in funny ways too. In a "bad money drives good money off the market" way. It applies to more than that. E.g.,

    - if some people can get away with tax evasion or corruption, they undercut and drive off the market the honest merchants. (See most of the ex-Communist Bloc.)

    - if some people can get away with monopolistic behaviour, they drive off the market those who don't. (See MS.)

    - and if some people can make a few extra bucks or save some costs by wiping their ass with your privacy, they gain an advantage over those who don't, and may eventually even drive them off the market one way or another.

    Etc.

    The thing is, the free market is just an optimization algorithm. It takes a given set of constraints, and eventually moves the economy towards a more optimal state. Optimal for those constraints. But like any optimization algorithm, you must make sure you set the constraints you need, or the solution may be something else than you expected. Bad behaviours can (and usually are) more "optimal" than good behaviours, if left unregulated. And eventually those who weren't destructive, either get the clue when the others are eating their lunch, or get to get bankrupt/bought/whatever.

    So basically what I'm saying is that nothing will really get fixed as long as there _is_ an economic advantage in ignoring privacy and security, and just giving the salesmen anything they want. The only way to fix it is if there was some kind of a negative feedback in the loop. When they'll stand to lose more money by losing your data, than anything they could gain by mis-using it, _then_ they'll start taking it seriously. Until then, nope.

    And it's not just a matter of personal principles and doing the right thing, regardless of what everyone else is doing. You're not isolated from the rest of the economy. If anyone wanted to be the "good" guy there, will find that the "bad" guys have an advantage over him. If he doesn't care, maybe his boss does, or maybe the shareholders just get rid of those shares and reward the bad guys instead.

  • Start at the top (Score:5, Interesting)

    by Anonymous Coward on Monday July 28, 2008 @07:53PM (#24377607)

    The main problem usually happens at the top - or the legal department.

    I worked at a place with a clear and documented policy against transmitting sensitive information over insecure networks - including the old text pagers from RIM (prior to the GSM blackberry). It was routine for me to receive sensitive/proprietary information on my pager from legal counsel. When I pointed out their failure to secure that data, they simply said I was paranoid - not that I'd misinterpreted the policy. They were too busy to worry about that. I documented every instance and handed 1 copy to the CIO, another to the secretary of the Chief Counsel and the final with the CEO's secretary since I couldn't get in to see either of them. I did this on my last day working there - left for a better job.

    Turns out the new job wasn't any better with important data - they wanted me to recover data from a desktop where they escorted the contractor out of the building. I don't know why. Seems he didn't really use the machine and remoted into his home server and a colo server for almost everything. The contract didn't ensure he placed all the code into the corporate SCS weekly or that he would document it or write manuals. 6 months of hourly cash paid and basically nothing to show for it. I did find a password protected ZIP file full of stuff - took 3 days to brute force it, but it was over 3 weeks old and the code didn't run.

    The company didn't even have a $20 background check performed before giving him access to the network. I would have liked a clean drug test too.

    Also, being tight at the start of a company is easier than after the barn doors are already open. Most of us start ups don't have the willpower to do this - or the technical expertise.

  • Re:12345 (Score:3, Interesting)

    by Anonymous Coward on Monday July 28, 2008 @08:39PM (#24378129)

    I have 16 personal passwords at work, and 10 shared passwords.
    All change, some daily, some weekly, some monthly. Oh, and did I mention they retain our passwords for 3 years to prevent re-use, and run them against dictionaries so anything not random rejects.

    Keeping track of these things is a huge pain, you never know what password you used, and most of the systems have a 3 tries and you're locked policy.
    They even have the password databases tied together so if you use one password on one system, it can't be used on a different one.

    The end result is every one of the 500+ employees with desks covered in post-its with passwords written on them.

    We asked if we could just use one password on all systems, they said it was possible for about 90% of them, but that it would mean one lost password would compromise the whole system.
    I mentioned it would be more secure than everyone writing down the passwords on their desks.
    They said to lock our drawers with the pw's in them at night.
    I said we don't have any keys.
    They didn't say anything else.

    The next day we got to work and all our passwords were gone, taken from the desks. Management had write-ups for each of us for failing to adhere to our security policy.

    So now most of us use a password utility that can be put on a usb stick, and we take them home so they don't get taken. Some people still write them down on paper, but also take them home.

    The moral being, due to an over-aggressive security policy, we now have passwords to all our sensitive systems floating around on paper, usb sticks, etc. Some people have even taken to just emailing their own password list to themselves, and just remembering the email password.

    I work at a large banking/investment support firm. Scary, isn't it?

  • Re:12345 (Score:3, Interesting)

    by Bios_Hakr ( 68586 ) <xptical@g3.14mail.com minus pi> on Monday July 28, 2008 @08:47PM (#24378195)

    When it comes to employees, especially non-technical ones, the best bet is to generate a password for them. Have the password printed on a laminated card along with 15 other random passwords. Give this to employee and tell them to (very good) keep it in their wallet or (less good) even post it on a monitor.

    Only they know which of 15 passwords it is. If they lose their wallet tell them to call you right after they call the DMV and their CC company.

    Check the logs for bad password attempts and then call the user to see if they actually did that. If they didn't, then someone else is trying with their passwords.

    Or, move into the 21st century and start using SmartCard logins. They need a card and a PIN in most cases, so just losing the card is no biggie.

  • Re:Easy (Score:3, Interesting)

    by syousef ( 465911 ) on Monday July 28, 2008 @11:54PM (#24380201) Journal

    Next one, I'll make an example of. That's random.

    Next one I'll consider how bad the violation is, and their overall performance, whether or not a warning would be sufficient. That's not random.

    Just because you're not playing eeny, meeny, miny, moe, doesn't mean your actions are well thought out and non-random.

  • by nahdude812 ( 88157 ) * on Tuesday July 29, 2008 @07:10AM (#24382599) Homepage

    You can never pay someone enough that they can't be paid some more to "lose" a laptop with data on it.

    We work hard to mitigate corporate espionage (which is surprisingly common), but no matter how much they're paid, someone can get greedy and take a $30k bonus in cash to give up some data.
