
Security and compliance: danger lurks for stored data.


Today's companies are both highly regulated and highly dependent upon their digital assets. This dual challenge is monumental--public examples of security breaches are all over the news. The table below shows some recent examples of security breaches and their consequences: (See Table 1)

These are cases of data being at risk, not of data being fraudulently used. In all cases the stolen data included the names of the affiliated consumers.

The price corporations pay for storage security that does not work is high. Trust is eroded and corporate compliance authorities are increasingly levying stiff fines for failure to comply with specific instructions as to the treatment of stored data.

Furthermore, safeguarding stored data is hamstrung by the fact that storage networks grew up outside the security umbrella that developed around other assets. This means storage network security is usually much weaker than the data's value merits.

What can corporations do when hackers are able to eavesdrop, tamper and impersonate data with increasing ease and effectiveness? Safeguarding stored data has always been challenging, but in a world where information is digital more than ever, and where compliance directives are increasingly more demanding, an effective data storage security strategy is a key aspect of doing business today.

Backup Must Take Security into Consideration

Most executives and IT professionals still think that their most important data is protected because it is backed up on a secured disk or tape. Unfortunately, they don't realize that they are extremely vulnerable--someone may have been able to interfere with the data while it was being transferred or while it was resting on storage media. The result is stolen information and compromised data, leading to a highly insecure situation for firms required to safeguard increasing amounts of private information, and for longer periods of time, as mandated by regulation that includes severe penalties for compliance failure. Backup and restore technologies may have made impressive strides, but without a security component integrated into storage, firms are exposed and vulnerable.

An Insecure World: Risky Network Data Exchange, Unsafe Data on Backup Storage

In today's digital world, most data movement, including backup, recovery and archival of business critical information, is done over the network and uses the Transmission Control Protocol/Internet Protocol (TCP/IP). TCP/IP allows information to be sent from one computer to another through a variety of intermediate computers and separate networks before it reaches its destination.

The great flexibility of TCP/IP has led to its worldwide acceptance as the basic Internet and intranet communications protocol. At the same time, the fact that TCP/IP allows information to pass through intermediate computers makes it possible for a third party to interfere in the following ways:

Eavesdropping. The information remains intact, but its privacy is compromised. For example, someone could learn credit card numbers or intercept confidential information while it is sent from a remote site to the backup server.

Tampering. The information in transit is intercepted and changed, or replaced and then sent to the destination. For example, someone could intercept a quarterly financial report while it is backed up, modify the financial statement and then send the modified version to the backup server. If an audit is done a few years later and the recovered data is false, the company risks a significant fine.

Impersonation. The information reaches a person who has taken the identity of the intended recipient.

Impersonation can take two forms: 1) Spoofing (a person pretends to be someone else), and 2) Misrepresentation (a person or organization can misrepresent itself).

These threats are attacking data in transfer or stored on any kind of storage media because most data protection and storage management solutions available on the market today only offer basic encryption.

It isn't enough. Only advanced security mechanisms will prevent all the threats described above. And these threats will continue unabated, because firms must back up over both secured and unsecured networks all sensitive and business critical information--or risk significant compliance fines and negative consumer publicity. Since data must be stored on disk or tapes for multiple years, IT administrators are further challenged to ensure that during the retention period required by the regulations or the company policy, the data will not be accessible by unauthorized parties.

Highly Secure Backup Architecture

The threats to stored data--in transit and at rest in storage media--as well as the fallout from data violated while in the backup and storage process, are undeniable. But the challenge becomes deeper upon closer consideration.

Firms know that the amount of digital information created every day is increasing exponentially and, as a consequence, the amount of information that needs to be backed up is growing at the same speed. This increase creates headaches for IT administrators who have to constantly add storage space to their data protection infrastructure, adjust retention periods depending on the type of data protected and ensure that the data has been well backed up to the server without alteration, ad infinitum.

On top of that, as identified above, the security threats that network communications are exposed to are becoming increasingly insidious and invasive, with the data protection space an increasingly inviting and at-risk target. Any secure data protection infrastructure needs to perform the following:

* Protect the privacy of the information while it is in transit

* Protect the privacy of the information while it is stored

* Ensure that the information has not been altered during transport

* Ensure that the information has not been tampered with by unauthorized users

* Ensure that all activities are recorded for potential audit or misuse tracking

* Ensure that a specific type of information will be retained for the right amount of time depending on applicable company policy or regulations

* Ensure that the information will be removed from the backup media as the regulation requires

To be truly effective, a secure data protection infrastructure must provide easy deployment and maintenance for the administrator, no major effort or change in end-user backup and recovery habits, scalability, and 100% administrator control.

Firms Will Be In Compliance With Advanced Security Measures


Compliance and security are now inextricably linked. When companies look to ensure that they will comply with a specific regulation, they must look beyond data retention to a highly secure environment. Efficiently storing data for a long time, and enabling quick and easy retrieval, is a good and necessary start, but only the beginning. A strategy for ensuring that the privacy of the information is well protected, and that it has not been tampered with or altered while being sent to the storage media, is just as important. Security and compliance can no longer be separated.

Companies must expect to retain certain sensitive personal information for decades, while making sure the data remains private. This privacy requirement demands that the right level of encryption be applied to the protected information. Tape isn't the only vulnerable media: the same issue will be seen with disk backup, as hackers always find ways to enter into a private network and access information stored on disks.

Firms will also be expected by compliance authorities to generate activity trails that prove data has not been tampered with, and that information was accessed only by authorized users. A system able to track and record all activity needs to be implemented in order to answer this requirement. The best way to ensure that information will not be altered while transferred over the network is to implement advanced cryptographic solutions.

Public-Key Cryptography Addresses the Compliance Challenge

Cryptography is the science of using mathematics to encrypt and decrypt data. Cryptography enables you to store sensitive information or transmit it across unsecured networks (like the internet) so that it cannot be read by anyone except the intended recipient.

Today, a set of well-established techniques and standards based on cryptographic concepts known as Public-key Cryptography makes it relatively easy to take precautions against the threats described above. The technologies utilized by public-key cryptography include:

Encryption & Decryption. Encryption is the process of transforming information so it is unintelligible to anyone but the intended recipient. Decryption is the process of transforming encrypted information so that it is intelligible again. A cryptographic algorithm, also called a cipher, is a mathematical function used for encryption or decryption. In most cases, two related functions are employed, one for encryption, the other one for decryption. In modern cryptography, the ability to keep encrypted information secret is not based on the cryptographic algorithm, which is widely known, but on a number called a key that must be used with the algorithm to produce an encrypted result or to decrypt previously encrypted information.

Digital Signature. A digital signature is a type of method for authenticating digital information and ensuring that it has not been altered before reaching its destination. It is analogous to ordinary physical signatures on paper, but implemented using techniques from the field of public-key cryptography. A digital signature method generally defines two complementary algorithms, one for signing and the other for verification, and the output of the signing process is also called a digital signature.

Digital Certificate. A digital certificate is an electronic document used to identify an individual, a server, a company or some other entity and to associate this entity with a public key. It provides generally recognized proof of a person's or server's identity.

Authentication. Authentication is the process of confirming an identity. Client authentication is essential to network security within most intranets or extranets. Two forms of authentication are available:

Password-based authentication. Almost all server software permits client access authentication by means of a name and password.

Certificate-based authentication. Client authentication based on certificates is part of the SSL (Secure Sockets Layer) protocol. The client digitally signs a randomly generated piece of data and sends both the certificate and the signed data across the network. The server uses techniques of public-key cryptography to validate the signature and confirm the validity of the certificate.

A secure data protection solution utilizing public-key cryptography will help to ensure confidentiality of the backed up information, because the data can only be recovered and read by authorized persons, as well as ensure authenticity of the recovered information to confirm that it has not been modified in transit while it was being backed up or restored. This is done by digitally signing the data using a hash function.

In addition, IT will need to identify the origin of the data, using authentication to verify the recipient of the information (the backup server or the person who is performing a restore operation) as well as determine its origin and confirm the sender's identity. Businesses will also need to include a means to ensure recognition, because it will safeguard against a sender claiming at a later date that the information was never sent. This is accomplished using digital certificates and by recording activity on the data.
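The restore-time integrity check and the activity trail described above, as an added example that is not from the original article or from any vendor's product. It assumes HMAC-SHA256 with a shared key as a standard-library stand-in for the public-key signature the article describes; the key, function names and sample data are all constructed.

```python
import hashlib
import hmac
import json

# Constructed demo key (assumption). The article calls for public-key
# signatures; HMAC-SHA256 is a symmetric stand-in from the standard library.
# It detects tampering but, unlike a signature, cannot prove who sent the data.
DEMO_KEY = b"constructed-demo-key"


def _mac(fields: dict, key: bytes) -> str:
    """Authenticate a dict through a canonical (sorted-key) JSON encoding."""
    body = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def _tag_ok(fields: dict, tag, key: bytes) -> bool:
    """Constant-time comparison of the expected and the presented tag."""
    return hmac.compare_digest(_mac(fields, key).encode(), str(tag).encode())


def seal_backup(name: str, data: bytes, key: bytes) -> dict:
    """Backup client: hash the data, then authenticate the manifest."""
    manifest = {"name": name, "size": len(data),
                "sha256": hashlib.sha256(data).hexdigest()}
    manifest["tag"] = _mac(manifest, key)
    return manifest


def verify_restore(manifest: dict, data: bytes, key: bytes) -> str:
    """Restore side: check the manifest tag first, then the data itself."""
    fields = {k: v for k, v in manifest.items() if k != "tag"}
    if not _tag_ok(fields, manifest.get("tag", ""), key):
        return "manifest-forged"   # a recomputed bare hash is not enough
    if (len(data) != fields["size"]
            or hashlib.sha256(data).hexdigest() != fields["sha256"]):
        return "data-altered"
    return "ok"


def append_audit(log: list, actor: str, action: str, key: bytes) -> None:
    """Append an activity record chained to the previous record's MAC."""
    entry = {"seq": len(log), "actor": actor, "action": action,
             "prev": log[-1]["mac"] if log else "0" * 64}
    entry["mac"] = _mac(entry, key)
    log.append(entry)


def first_bad_entry(log: list, key: bytes) -> int:
    """Index of the first altered, reordered or missing record, else -1.
    Truncation at the tail needs an external record count to detect."""
    prev = "0" * 64
    for i, entry in enumerate(log):
        fields = {k: v for k, v in entry.items() if k != "mac"}
        if (fields.get("seq") != i or fields.get("prev") != prev
                or not _tag_ok(fields, entry.get("mac", ""), key)):
            return i
        prev = entry["mac"]
    return -1


if __name__ == "__main__":
    report = b"Q3 revenue: 1,000,000"   # constructed sample data
    sealed = seal_backup("q3-report", report, DEMO_KEY)
    print(verify_restore(sealed, report, DEMO_KEY))
    print(verify_restore(sealed, b"Q3 revenue: 9,000,000", DEMO_KEY))
```
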

By integrating security components and mechanisms into a backup environment, business maintains the confidentiality of the backed up data during transmission and storage, and can prove that the data was not altered during transmission to and from the storage media. This ensures that the business never compromises the integrity of stored data, and is never at risk of failing to adhere to compliance requirements.

Traditional protections such as encryption are necessary, but insufficient by themselves. In order to protect critical data, companies must choose stronger encryption algorithms integrated with digital signatures, key management, and compliance policy enforcement.

Francois Gauthier is the chief technology officer of Atempo, Inc. (Palo Alto, CA).

www.atempo.com

Table 1.

                                Number of people     Affected
Company         Date Announced  affected             Data

Bank Of         02/25/2005      Holders of as many   Social Security
  America                       as 1.2 million       Numbers
                                federal government
                                charge cards
Ameritrade,     04/19/2005      About 200,000        Varies by customer
  Online                        current and former
  discount                      customers from 2000
  stock broker                  to 2003
Time Warner,    05/02/2005      About 600,000        Social Security
  Media                         current and former   numbers and
  conglomerate                  US employees back    details on
                                to 1986              beneficiaries and
                                                     dependants

Company         Security Breach             Response

Bank Of         Computer backup tapes were  Contacted federal
  America       lost                        authorities, then consumers
Ameritrade,     Backup computer tape was    Notified affected customers
  Online        lost in shipping
  discount
  stock broker
Time Warner,    Backup computer tape was    Notified those affected
  Media         lost in shipping by an
  conglomerate  outside data-storage
                company

COPYRIGHT 2005 West World Productions, Inc.
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2005, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Article Details
Author:Gauthier, Francois
Publication:Computer Technology Review
Date:Oct 1, 2005