Protecting Data

The Case for Protecting Data

Previously, I discussed the importance of protecting your digital identity, and offered some best practices to follow.

Protecting your digital identity, the keys to the safe, is important, but it is equally important to protect the data itself, the contents of the safe, so that anything lost or stolen is unreadable to whoever ends up with it.

Financial Exposure

Security software maker Symantec commissioned a study to estimate the cost of data breaches. The research was conducted independently by the Ponemon Institute and surveyed 277 companies worldwide. The 2013 study put the average cost of a data breach in the US at $188 per record!

Benchmark research sponsored by Symantec, Independently Conducted by Ponemon Institute

For comparison, in the 2010 breach at Ohio State University an attacker gained access to the personal information of 760,000 current and former faculty, students, and applicants. At the time, OSU estimated the cost at $4 million, or about $5.26 per record. Whether the OSU figure is the low end of the range or the Symantec study is the high end, the fact remains that lost data carries a high dollar cost and a high reputation cost.

Keep your Job

Lose data? Lose your job. Just a few examples of Information Technology leaders who resigned or were fired following data breaches:

Stay out of Jail

Provisions in HIPAA, the Health Insurance Portability and Accountability Act, make it illegal to disclose protected health information without authorization. The first known prosecution was reported in February of 2012. When an organization holding patient information (e.g. an insurance company) wants to share it with another (e.g. a company managing a wellness program for the insured), the two must sign a business associate agreement (BAA) that spells out what data will be shared and how it will be protected. In the event of a data breach, the parties to that agreement can face civil penalties under HIPAA and, for knowing violations, federal criminal charges in the United States.

Peace of Mind

The examples above were all in a work context and involved multiple actors. But what about you? Do you have a spreadsheet on your home computer with the personal information of your partner and children? How about one with all of your bank account information? What if an attacker lifted that off your computer while you were sleeping and undid years of planning and sacrifice in moments? With a modest investment of time and education, you can use some excellent tools, many already on your machine, to protect yourself and drastically reduce your personal risk of lost data.

The Three States of Data

Electronic information can exist in three separate states, just as water’s state can be changed to ice or steam:

Data In Use

This is data you are currently working on, for example Word documents, Excel spreadsheets, or a photo you are editing. This includes both files on a disk drive, and their representation in the computer’s memory.

Data In Transit

Simply put: information moving between two places. If you email someone an Excel workbook, that is an example of data in transit. Filling out a form on a website and pushing ‘submit’ is another example.

Data At Rest

When data is not being used or moved, it is considered to be at rest. This is your Excel workbook sleeping soundly on your home computer. It might also be a backup tape containing a database, which could contain customers, patients, partners, or taxpayers.

Technologies and Practices to Protect Data

Even smart technologists can make dumb mistakes using great tools. Understanding how to protect data in all three states, and following a few best practices, can drastically improve security.

The examples are not intended to be exhaustive, but a starting point as you investigate categories of tools and technologies.

Transport Encryption

Transport encryption protects data in transit, as it moves between systems, by making the information unreadable to any nosy third party (foreign or domestic). Much of the tooling is already on your computers and mobile devices, starting with the SSL/TLS protocol that secures web browsers. A plain HTTP website sends text across the Internet to your browser, which reads what arrives and renders it as intended. When no encryption is used, everything is sent in the clear, and every single system between the source and the destination can read the contents. TLS also authenticates the server you are talking to, so a system on the path cannot quietly stand in for it. If you are ever given the option to use SSL/TLS, always say yes. Even in the face of a bug like Heartbleed (a flaw in the OpenSSL implementation, not in the TLS protocol itself), transport encryption with a gaping security hole is better than no transport encryption at all. The overhead of TLS in 2014 is so small that there is absolutely no reason to opt out. On the projects that I manage, I require systems with any meaningful information, sensitive or not, to use TLS for all communication. In March 2014, shortly before Heartbleed was disclosed, Google made HTTPS mandatory for Gmail.
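As an added illustration of the "always say yes, and require it" rule (this is example code, not code from the original post), here is a small Python client policy that refuses to submit data over anything but HTTPS and builds a TLS context that verifies the server's certificate and name. The URLs, the PlaintextTransportError name and the post_form helper are assumptions made for the example; nothing is sent anywhere unless post_form is actually called.

```python
import ssl
from urllib.parse import urlencode, urlparse
from urllib.request import Request, urlopen


class PlaintextTransportError(ValueError):
    """Raised when code would send data over an unencrypted transport (assumed name)."""


def build_tls_context() -> ssl.SSLContext:
    """A client context that both encrypts and authenticates the server.

    create_default_context() loads the system CA store, requires a certificate
    and checks the hostname. The common mistake is to switch those off
    (check_hostname=False / CERT_NONE) to silence a certificate error: that
    keeps the encryption but lets anyone on the path impersonate the server.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSLv3, TLS 1.0 and 1.1
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def is_https_url(url: str) -> bool:
    """True only for URLs whose scheme is https."""
    return urlparse(url).scheme.lower() == "https"


def require_https(url: str) -> str:
    """Return url unchanged if it is https; refuse plaintext http, ftp, etc."""
    if not is_https_url(url):
        scheme = urlparse(url).scheme or "unknown"
        raise PlaintextTransportError(f"refusing to send data over {scheme}: {url}")
    return url


def post_form(url: str, fields: dict, timeout: float = 10.0) -> bytes:
    """Submit a form only over TLS with full certificate verification (assumed helper)."""
    body = urlencode(fields).encode()
    req = Request(require_https(url), data=body, method="POST")
    with urlopen(req, timeout=timeout, context=build_tls_context()) as resp:
        return resp.read()


def tls_policy(ctx: ssl.SSLContext) -> dict:
    """Summarise the settings that matter, for a quick self-check."""
    return {
        "verifies_certificate": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": ctx.check_hostname,
        "minimum_version": ctx.minimum_version.name,
    }


if __name__ == "__main__":
    print(tls_policy(build_tls_context()))
    # Example URLs are assumptions; only the https one would be allowed through.
    for candidate in ("https://example.com/submit", "http://example.com/submit"):
        try:
            print("ok   ", require_https(candidate))
        except PlaintextTransportError as exc:
            print("block", exc)
```

The point of tls_policy is that encryption without verification is the most common way TLS gets "enabled" and still leaves a nosy third party in the middle; a unit test that asserts on its output keeps someone from quietly turning verification off later.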

Secure File Transfer

Just as HTTP (hypertext transfer protocol) sends information between systems in plain text, so do FTP (file transfer protocol) and Telnet (remote terminal sessions), usernames and passwords included. In 2000, when people would say, "we'll exchange data with the bank over FTP", cold chills would run down my spine. In 2014, when people talk about sending files over FTP, or using Telnet, I want to take their computer away, replace it with an Etch-a-Sketch, and ban them from ever using one again. FTP and Telnet are about the most irresponsible technology decision you could make. There is no excuse for them, and no practical application. For more than 15 years, operating systems have shipped with comparable tools that encrypt the connection, with absolutely no learning curve compared to their insecure cousins:

  • Secure Shell (SSH) is a secure replacement for Telnet. Unless you are a systems administrator using Telnet to test if a server is listening on a particular port, you have no reason to ever, ever, ever use that command.
  • Secure Copy (SCP) and SFTP (the SSH file transfer protocol) run over SSH and encrypt the connection while files are exchanged, so a third party on the network cannot read the contents. They use the same keys and host-key checks as SSH, so verify the server's host key fingerprint the first time you connect rather than accepting whatever is offered.

The overhead incurred by using the secure version of each tool is nearly zero, and should not factor into your decision. Stop using Telnet and FTP. Stop saying Telnet and FTP — it’s the equivalent of yelling “mug me” in Times Square, even if you’re talking to yourself.

File and Disk Encryption

File and disk encryption protect data at rest. If you lose custody of a file or a disk (e.g. a file leaked because transport encryption failed, or your laptop was stolen), whoever ends up with it cannot read it. Note the limit: once you unlock the disk or decrypt the file, the data is in use and is readable by anything running on that machine, so this is no substitute for keeping the machine itself clean.

File Encryption

PGP (Pretty Good Privacy), along with its free implementation GnuPG, is just one popular tool for encrypting and decrypting files. Exporting sensitive information from a system of record (e.g. patient records) into something like an Excel workbook is so egregious that you should be banned from ever using a computer again; it is a very common way data breaches happen. If you absolutely must keep sensitive information in a text file or spreadsheet, encrypt it so that it is unreadable if you lose it (or a copy of it), and remember that every decrypted working copy and every unencrypted email attachment is a copy too. Find a tool you like, learn it, and use it. Chances are there is at least one such tool on your computer already.

Whole Disk Encryption

Encrypt your entire hard drive, making the contents unreadable unless you log in and unlock it.

If you have a recent Apple or Windows laptop, I strongly recommend enabling whole disk encryption (WDE): FileVault on OS X, BitLocker on the Pro and Enterprise editions of Windows. WDE protects a machine that is powered off or stolen while locked; it does nothing for a logged-in session, and it is not a substitute for wiping a drive before you sell or surplus it. If the IT folks in Washington State had enabled WDE, they would not have been embarrassed to read on Consumerist that they sold laptops with personal information on them!

Transparent Data Encryption

Relational database engines like Oracle, SQL Server, and MySQL keep the contents of a database in ordinary data files on the server's disk, whether or not the engine is running. The engine's own access controls apply only to the queries it answers; anyone with read access to the files, to a backup of them, or to the disk they sit on (a DBA, a storage administrator, or a thief) can copy those files and attach them to another instance or parse them directly.

Transparent Data Encryption (TDE) encrypts the database and transaction log files in the background, with no change to the application. When the database is shut down, or its files are copied or backed up to tape, the contents are unreadable to anyone who does not also hold the key. In the event that a backup tape of your database is lost or stolen, the data on it cannot be read or recovered without that key. Two caveats: TDE does nothing against someone who can log in and run queries, because the engine decrypts on read, and the master key or certificate must be backed up separately from the data, or you will be the one who cannot restore.

Both Oracle and Microsoft SQL Server include TDE in their enterprise editions, and third-party products such as Gazzang zNcrypt add comparable file-level encryption for MySQL.

Data Backups

It’s one thing to have a recent backup of your computer, but where do you keep it, and is it encrypted or not?

Do you have recent backups?

When is the last time you backed up your mobile devices and computers? When is the last time you tested your backups to ensure they were readable and recoverable?

Where are your backups kept?

Ideally, one keeps a backup onsite in a fireproof safe, and one offsite. This could be two external hard drives, under $100 each, that you rotate between a small home fire safe and a safe deposit box at your bank.

Are your backups encrypted at rest?

Misplaced and stolen server backups are one of the more common causes of identity theft. For businesses and individuals alike, use whole disk encryption on your backup drives, and keep transparent data encryption (or an encrypted backup format) on for databases, so that the backups are unreadable to whoever finds them. Keep the keys somewhere other than the backup media themselves, or the person who cannot restore will be you.
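The two questions above (are the backed-up files actually encrypted, and can the backup actually be restored) can be turned into a quick check. What follows is an added example in Python, not a tool from the original post, and it also serves the File Encryption section's point about unencrypted spreadsheet exports. It builds a constructed sample backup folder (made-up CSV records, a dummy PGP-armored file, and pseudo-random bytes standing in for an encrypted disk image), flags files that look like plaintext, and writes and re-verifies a SHA-256 manifest as a stand-in for a restore test. The file names, the entropy threshold and the demo_* helpers are assumptions made for the example.

```python
import hashlib
import json
import math
import random
import tempfile
from pathlib import Path

# Files starting with this header are OpenPGP ASCII-armored ciphertext.
PGP_ARMOR_HEADER = b"-----BEGIN PGP MESSAGE-----"
# Bits per byte (assumed threshold): text and CSV usually score 4-6, ciphertext close to 8.
ENTROPY_THRESHOLD = 7.0
SAMPLE_BYTES = 65536


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for an empty input."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def looks_encrypted(data: bytes) -> bool:
    """Heuristic: PGP armor header, or near-uniform bytes in the first 64 KiB.

    A high score only means 'not obviously plaintext': compressed archives score
    as high as ciphertext. A low score on a backup file is a definite red flag.
    """
    if data.startswith(PGP_ARMOR_HEADER):
        return True
    return shannon_entropy(data[:SAMPLE_BYTES]) >= ENTROPY_THRESHOLD


def audit_backups(root: Path) -> dict:
    """Map each file under root to True (looks encrypted) or False (plaintext)."""
    return {str(p.relative_to(root)): looks_encrypted(p.read_bytes())
            for p in sorted(root.rglob("*")) if p.is_file()}


def write_manifest(root: Path) -> dict:
    """SHA-256 of every file; keep it with the backup and re-check after a test restore."""
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_manifest(root: Path, manifest: dict) -> list:
    """Names of files that are missing or whose contents changed since the manifest."""
    bad = []
    for name, digest in manifest.items():
        p = root / name
        if not p.is_file() or hashlib.sha256(p.read_bytes()).hexdigest() != digest:
            bad.append(name)
    return bad


def build_sample_backup(root: Path) -> None:
    """Constructed sample files for the example; none of this is real data."""
    # A spreadsheet export with made-up records: exactly what should never sit in a backup unencrypted.
    (root / "accounts_export.csv").write_text(
        "name,account,routing\n"
        "Example Person,000000000,000000000\n"
        "Sample Child,111111111,111111111\n")
    # Stand-in for a PGP-encrypted copy: real armor header, dummy body.
    (root / "accounts_export.csv.asc").write_bytes(
        PGP_ARMOR_HEADER + b"\n\nconstructed-dummy-body\n-----END PGP MESSAGE-----\n")
    # Stand-in for a binary ciphertext (say, an encrypted disk image): deterministic pseudo-random bytes.
    rng = random.Random(0)
    (root / "disk_image.bin").write_bytes(bytes(rng.getrandbits(8) for _ in range(4096)))


def demo_audit() -> dict:
    """Run the plaintext check over the constructed sample backup."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        build_sample_backup(root)
        return audit_backups(root)


def demo_restore_test() -> tuple:
    """(problems before tampering, problems after one file is corrupted)."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        build_sample_backup(root)
        manifest = write_manifest(root)
        before = verify_manifest(root, manifest)
        (root / "disk_image.bin").write_bytes(b"\x00" * 4096)  # simulate a bad restore
        after = verify_manifest(root, manifest)
        return before, after


if __name__ == "__main__":
    print(json.dumps(demo_audit(), indent=2))
    print(demo_restore_test())
```

The low score is the useful signal: a backup file that is obviously plaintext should not exist. A high score only says "not obviously plaintext", since a zip or gzip archive scores as high as ciphertext, so the real assurance comes from knowing which tool produced the file and decrypting it with that tool. The manifest catches a truncated or corrupted copy, but a real restore test means decrypting and opening the data, ideally on a different machine than the one that wrote it.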

Conclusion

The only thing worse than losing your data is discovering that someone else has it. Educate yourself on the merits of data protection, and on the cost of ignoring those risks. There are numerous free and commercial tools to protect your data while in use, in transit, and at rest. Follow good data protection practices to minimize the chance of losing data, and with it potentially your job or your freedom.