SCIENCE AND TECHNOLOGY LAW
Data Protection for Companies
It is now evident that our computer infrastructure is far more porous than we previously imagined. At the time of writing (2008), it is estimated that the personally identifiable information (PII) of more than 100 million individuals has been compromised through breaches of information technology (IT) systems. Unauthorized access to PII has resulted from the theft of laptops, desktops, tapes, and storage media such as CD-ROMs and USB flash drives, and from the compromise of "data at rest" within online systems. These events are an alarming indicator of the growing sophistication of attacks and of the vulnerability of IT systems.
Current problems. The 2007 PricewaterhouseCoopers and CIO Magazine Global State of Information Security Survey, which polled 7,200 chief business officers in 100 countries, reported that 69 percent do not keep an inventory of user data; 67 percent do not know where their data are stored; 45 percent do not know what types of attack have occurred; 40 percent do not know how many security incidents they have experienced; and 33 percent are not compliant with privacy laws. Given these findings, it comes as no surprise that, despite billions of dollars spent on information security, attackers have been winning the cybersecurity war.
IT managers have mostly focused on keeping attackers and malicious software (malware) out of their systems, or on detecting them when they do get in so that a response can be mounted immediately. They have done this with firewalls, antispam and antivirus software, and intrusion detection technologies. Vendors currently are touting network access control (NAC) and network access protection (NAP) as the next solutions to these needs.
Prohibiting unauthorized access worked for a while, when the Internet was relatively uninhabited. As the number of computers, users, computerized business services, and e-commerce activities on the Internet grew, this defensive tactic has largely been nullified. Firewalls and malware detectors are still necessary, but they are no longer sufficient. Because businesses must keep their e-mail and web ports open to communicate with employees, customers, and partners, attackers today carry their attacks over those legitimately open ports, inside the very protocols the firewall is configured to allow.
Data protection. While IT organizations have been guarding the gates between their networks and the Internet, the sensitive data stored inside those networks has largely been left unguarded, exposed to anyone with straightforward attack tools. All an attacker has to do is get inside the network. And when the data leaves the network on a laptop, personal digital assistant (PDA), computer tape, flash memory device, or personal music player, the attacker does not even have to do that.
Traditional data-protection technology has relied on encryption only while data traverses public networks. Accordingly, the industry has created solutions that are almost ubiquitous today: secure sockets layer (SSL, since succeeded by TLS) for application-to-application encryption and Internet protocol security (IPSec) for machine-to-machine encryption. Although the vast majority of "data in transit" is encrypted, "data at rest" typically is not.
Only the most security-conscious or sensitive sectors of the industry, for example the military and banks, have encrypted their stored sensitive data in addition to deploying firewalls and other network-protection tools. Because of the embarrassment and the sometimes large financial liabilities that accompany data breaches, companies outside those sectors have now begun to focus on data encryption. The recent focus on data-at-rest encryption is welcome, but there is a concern that the IT industry is focusing on the wrong aspects of it. First, too little attention is being given to encryption key management, the discipline of managing the lifecycle of encryption keys. Second, too much attention is being given to encrypting data at the wrong layer of the application stack.
Key management. Encryption key management, which encompasses the creation, use, rotation, escrow, recovery, and destruction of encryption keys, is the most critical part of a company's data encryption strategy. Inadequate key management controls provide a false sense of security: the data may be encrypted, but if an attacker compromises a poorly designed or implemented key management system, the compromised keys can be used to decrypt the data, and the encryption has bought nothing. In practice this means the keys must be stored apart from the data they protect, under access controls at least as strict as those that would have applied to the plaintext.
In a rush to protect data and comply with regulations, companies may be paying little attention to how they implement key management. Some choose to design and build their own key management schemes; others adopt the key management system that accompanies each of their applications, databases, and operating environments. Using an application vendor's key management solution seems reasonable, but the problem becomes apparent once a business finds itself running a half-dozen key management systems across its applications, databases, and operating systems. Even in the best case, where every vendor has designed its key management securely, the business bears a higher total cost of ownership (TCO). In the worst case, the odds of a breach increase because of human error in dealing with the complexity of multiple key management schemes.
Where to encrypt? The second problem is more insidious. Because all data is eventually stored on storage media, whether a local computer disk, a storage area network (SAN), or network-attached storage (NAS), there is a belief that if encryption and decryption occur within the firmware of the storage device, data at rest is transparently and effectively protected. The same argument is made for encrypting application data within databases and operating systems: if the database or operating system performs the encryption and decryption transparently, users and applications would have to do little to protect data at rest, because the database or operating system takes care of it.
Unfortunately, the solution is not as simple as it appears. An application running on a computer is a complex stack of software and hardware, each layer built upon the one below. Transparent encryption at the storage, file-system, or database layer defends only against an attacker who obtains the media or the raw files; every layer above it still receives plaintext on request. An attacker therefore merely has to compromise any one of the dozens of software modules above the encryption layer and collect data as it passes through the stack, without ever attacking the encryption itself.
Solutions. What, then, makes for a reasonable data protection strategy with a low probability of compromise? First, companies have to address the problems identified in the PricewaterhouseCoopers/CIO survey: they need to know where their data are, who has access to them, and how they are currently being protected. Without this basic configuration-management information, the problem never acquires a boundary that can be controlled.
Second, companies have to rethink their security strategies. An IT organization needs to start protecting sensitive data from the inside out, as opposed to the current strategy of protecting it from the outside in. Data must be "armored" no matter where it is, and decrypted only when an authorized application needs it, and only within that application. This implies that data must be encrypted and decrypted by the actual applications that use it, rather than by databases, operating systems, or storage media, and that the application's keys must be held outside those layers.
Third, companies need to start encrypting more than just credit card numbers, Social Security numbers, and the like. By encrypting more than the minimum stipulated sensitive information, a business can potentially ward off attacks against its employees and customers by closing pathways to breaches of sensitive data that would otherwise remain open.
Finally, businesses should use a single, enterprise-wide key management system, such as the one being standardized by the OASIS Enterprise Key Management Infrastructure Technical Committee, that works across all of their applications, databases, and platforms.
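The Go program below is an added example, not code from the article or from StrongAuth, that sketches the shape of the strategy just described: one key manager holding versioned key-encryption keys (the single enterprise-wide system of the last recommendation), applications holding only wrapped data keys (the key lifecycle of creation, rotation and destruction discussed under "Key management"), and the application itself encrypting a field and binding it to its row so that the database and storage layers below it only ever see opaque bytes (the "where to encrypt" argument). Every name in it (KeyManager, Wrap, Unwrap, EncryptField, the "payroll" application, the "emp-1" row and its sample value) is an assumption chosen for illustration; the cipher is AES-256-GCM from the Go standard library.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// randomBytes draws n bytes from the OS CSPRNG; a failing RNG is unrecoverable, so it panics.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}
func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only a wrong key size, which would be a bug in this program
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail: AES has the 16-byte block GCM needs
	return gcm
}

// seal prefixes a fresh nonce; aad is authenticated, not encrypted, and binds the ciphertext to a context.
func seal(key, pt, aad []byte) []byte {
	gcm := mustGCM(key)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, pt, aad)
}

// open fails on any change to the ciphertext, the tag or the aad presented.
func open(key, ct, aad []byte) ([]byte, error) {
	gcm := mustGCM(key)
	if n := gcm.NonceSize(); len(ct) >= n {
		return gcm.Open(nil, ct[:n], ct[n:], aad)
	}
	return nil, fmt.Errorf("ciphertext too short")
}

// KeyManager stands in for the one enterprise-wide key manager. It keeps key-encryption keys
// (KEKs) indexed by version; a nil entry is a destroyed version. Applications never see a KEK.
type KeyManager struct{ keks [][]byte }

// WrappedKey is what an application persists: its data-encryption key (DEK) sealed under one KEK version.
type WrappedKey struct {
	Version int
	Blob    []byte
}

// Rotate creates a new current KEK and returns its version; older versions stay usable until destroyed.
func (km *KeyManager) Rotate() int {
	km.keks = append(km.keks, randomBytes(32))
	return len(km.keks) - 1
}

// Destroy zeroizes and forgets a KEK version; every DEK wrapped only under it becomes unrecoverable.
func (km *KeyManager) Destroy(version int) {
	for i := range km.keks[version] {
		km.keks[version][i] = 0
	}
	km.keks[version] = nil
}

// Wrap seals a DEK under the current KEK (Rotate must have run at least once) with the owning
// application's name as aad; wrapping again after Rotate moves the DEK to the new KEK without
// re-encrypting any of the data the DEK protects.
func (km *KeyManager) Wrap(app string, dek []byte) WrappedKey {
	v := len(km.keks) - 1
	return WrappedKey{v, seal(km.keks[v], dek, []byte(app))}
}

// Unwrap recovers a DEK; it fails if the KEK version is gone or another application asks.
func (km *KeyManager) Unwrap(app string, w WrappedKey) ([]byte, error) {
	if w.Version >= len(km.keks) || km.keks[w.Version] == nil {
		return nil, fmt.Errorf("KEK version %d has been destroyed", w.Version)
	}
	return open(km.keks[w.Version], w.Blob, []byte(app))
}

// EncryptField is application-layer encryption: the application holds the DEK and binds the
// ciphertext to its row ID, so the database stores opaque bytes that cannot be moved to another row.
func EncryptField(dek []byte, rowID, ssn string) []byte {
	return seal(dek, []byte(ssn), []byte("ssn:"+rowID))
}

// DecryptField recovers the field, which only code holding the DEK can do.
func DecryptField(dek []byte, rowID string, ct []byte) (string, error) {
	pt, err := open(dek, ct, []byte("ssn:"+rowID))
	return string(pt), err
}

func main() {
	var km KeyManager
	v1, dek := km.Rotate(), randomBytes(32)
	ct := EncryptField(dek, "emp-1", "123-45-6789") // constructed sample value
	km.Rotate()
	w := km.Wrap("payroll", dek) // re-wrap under the new KEK, then retire the old one
	km.Destroy(v1)
	dek, _ = km.Unwrap("payroll", w)
	ssn, _ := DecryptField(dek, "emp-1", ct)
	fmt.Println(len(ct), "opaque bytes in storage; the application reads", ssn)
}
```

Two design points are worth noting. Rotating the KEK only requires re-wrapping the small DEKs, not re-encrypting every record, whereas destroying a KEK version is the destruction step of the key lifecycle made concrete: anything still wrapped only under it is gone for good. In a real deployment the KEKs would live in a hardware security module or a key management service rather than in the application process, and because GCM is only safe while a nonce never repeats under one key, a DEK that encrypts a very large number of fields should itself be rotated rather than used indefinitely with random 96-bit nonces.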
For More Information About the Section of Science & Technology Law
- This article is an abridged and edited version of one that originally appeared on page 12 of The SciTech Lawyer, Summer 2008 (5:1).
- For more information or to obtain a copy of the periodical in which the full article appears, please call the ABA Service Center at 800/285-2221 or visit www.thescitechlawyer.com.
- Website: www.abanet.org/scitech.
- Periodicals: The SciTech Lawyer, quarterly magazine; Jurimetrics, quarterly scholarly journal; SciTech E-Merging News, new quarterly electronic newsletter featuring the most up-to-date substantive practice perspectives and news on Section activities and opportunities.
- CLE and Other Educational Programs: The Section offers a variety of CLE opportunities through both in-person sessions and teleconferences throughout the year; visit the Section's website for a full calendar of events.
- Books and Other Recent Publications: Foundations of Digital Evidence; Science for Lawyers; Scientific Evidence Review: Admissibility and Use of Expert Evidence in the Courtroom, Monograph 8; Virtual Law: Navigating the Legal Landscape of Virtual Worlds.
Arshad Noor is the chief technology officer of StrongAuth, Inc., a Sunnyvale, California-based company; he may be reached at firstname.lastname@example.org.