The Case for Protecting Data
Previously, I discussed the importance of protecting your digital identity, and offered some best practices to follow.
Protecting your digital identity — the keys to the safe — is important, but it is equally important to protect the data itself — the contents of the safe — especially since you can render that data unreadable if it is lost or stolen.
Security software maker Symantec commissioned a study to estimate the cost of data breaches. The research was conducted independently by the Ponemon Institute, and surveyed 277 global companies. The study estimated that data breaches in the US during 2013 cost an average of $188 per record!
Take the 2010 hacking of Ohio State University as an example: a hacker stole the personal information of 760,000 current and former faculty, students, and applicants. At the time, OSU estimated the cost at $4 million, or $5.26 per record. Whether the OSU example is the low end of the range or the Symantec study is the high end, the fact is that lost data carries a high dollar cost and a high reputation cost.
Keep your Job
Lose data? Lose your job. Here are just a few examples of Information Technology leaders who resigned or were fired following data breaches:
- In 2006, Ohio State University also leaked the information of 136,000 alumni. CIO William Sams resigned, and two employees were fired.
- In the 2010 Ohio State University example above, CIO Kathy Starkoff resigned 2 1/2 years after that data breach, though her legacy is marred by it.
- Utah CIO Steve Fletcher resigned following the 2012 discovery that a weak password allowed hackers to break through the department’s security and steal the personal information of as many as 780,000 people.
- Target CIO Beth Jacob resigned following a massive breach of their customers’ credit cards and personal information, which was caused by an HVAC contractor using a weak password!
Stay out of Jail
Provisions in HIPAA — the Health Insurance Portability and Accountability Act — make it illegal to share patient information. The first known prosecution was reported in February of 2012. In the event that an organization storing patient information (e.g. an insurance company) wants to share data with another organization (e.g. a wellness program management company for those insured), a business associate agreement (BAA) must be signed between the two companies that clarifies what data will be shared and how it will be protected. In the event of a data breach, the signers of the agreement are subject to federal criminal charges in the United States.
Peace of Mind
The examples above were all in a work context, and involved multiple actors. But what about you? Do you have a spreadsheet on your home computer with the personal information of your partner and children? How about one with all of your bank account information? What if a hacker lifted that off your computer while you were sleeping, and undid years of planning and sacrifice in moments? With a modest amount of time and education, you can leverage some amazing tools and technologies to protect yourself to the best of your ability, and drastically reduce your personal risk of lost data.
The Three States of Data
Electronic information can exist in three separate states, just as water can exist as ice, liquid, or steam:
Data In Use
This is data you are currently working on, for example Word documents, Excel spreadsheets, or a photo you are editing. This includes both files on a disk drive, and their representation in the computer’s memory.
Data In Transit
Simply put: information moving between two places. If you email someone an Excel workbook, that is an example of data in transit. Filling out a form on a website and pushing ‘submit’ is another example.
Data At Rest
When data is not being used or moved, it is considered to be at rest. This is your Excel workbook sleeping soundly on your home computer. It might also be a backup tape containing a database, which could contain customers, patients, partners, or taxpayers.
Technologies and Practices to Protect Data
Even smart technologists can make dumb mistakes using great tools. Understanding how to protect data in all three states, and following a few best practices, can drastically improve security.
The examples are not intended to be exhaustive, but are a starting point as you investigate categories of tools and technologies.
Transport Encryption
Transport encryption is designed to protect data in transit, as it moves between systems, by making the information unreadable to any nosy third parties (foreign or domestic). Many tools are preloaded on computers and mobile devices, like support for the SSL/TLS protocol which secures our web browsers. Most websites (HTTP) work by sending plain text over the Internet to your browser, which reads the information sent and renders it to look as it was intended. When no encryption is used, everything is sent as clear text, and every single system between the source and destination can read the contents. If you are ever given the option to use SSL/TLS, always say yes. Even in the face of a bug like Heartbleed, transport encryption with a gaping security hole is better than no transport encryption at all. The overhead of using secure transport like SSL is so nominal in 2014 that there is absolutely no reason to opt out. On the projects that I manage, I require systems with any meaningful information — sensitive or not — to require SSL for all communication. Since the Heartbleed bug was discovered, Google has required HTTPS to use Gmail.
Secure File Transfer
Just as HTTP (hypertext transfer protocol) sends information between systems in plain text, so too do FTP (file transfer protocol) and Telnet (remote terminal session). In 2000, when people would say, “we’ll exchange data with the bank over FTP”, cold chills would run down my spine. In 2014, when people talk about sending files over FTP, or using Telnet, I want to take their computer away from them, replace it with an Etch-a-sketch, and ban them from ever using one. FTP and Telnet are the most irresponsible technology decisions you could ever make. There is no excuse for them, and no practical application for them. For more than 15 years, operating systems have shipped with comparable tools that support encrypted communication, with absolutely no learning curve compared to their insecure cousins:
- Secure Shell (SSH) is a secure replacement for Telnet. Unless you are a systems administrator using Telnet to test if a server is listening on a particular port, you have no reason to ever, ever, ever use that command.
- Secure Copy (SCP) and Secure FTP (SFTP) encrypt the communication between systems as files are exchanged, ensuring the contents cannot be read by a third party.
The overhead incurred by using the secure version of each tool is nearly zero, and should not factor into your decision. Stop using Telnet and FTP. Stop saying Telnet and FTP — it’s the equivalent of yelling “mug me” in Times Square, even if you’re talking to yourself.
File and Disk Encryption
File and Disk Encryption are designed to protect data in use and data at rest. If you lose custody of your file or disk (e.g. your transport encryption was hacked, or your laptop was stolen), this ensures that whoever has your data cannot read it.
PGP (Pretty Good Privacy) is just one popular tool used to encrypt and decrypt files. Exporting sensitive information from a system of record (e.g. patient information) into something like MS Excel is so egregious that you should be banned from ever using a computer again. That is a very common way in which data breaches happen. If you absolutely must keep sensitive information in a text file or Excel workbook, it should be encrypted to ensure it is unreadable if you lose it (or a copy of it). Find a tool you like, learn it, and use it. Chances are there is at least one such tool on your computer.
Whole Disk Encryption
Encrypt your entire hard drive, making the contents unreadable unless you log in and unlock it:
- Apple’s FileVault 2 – works for laptops, removable drives, and Time Machine backup drives
- Microsoft Bitlocker
- Symantec File Encryption
- VMware Virtual Disk Encryption
If you have a recent Apple or Windows laptop, I strongly recommend enabling whole disk encryption (WDE). If the IT folks in Washington State had enabled WDE, they would not be embarrassed to read on Consumerist that they sold laptops with personal information on them!
Transparent Data Encryption
When relational database engines like Oracle, SQL Server, and MySQL are shut down, the contents of those databases are stored on the server’s hard drive as a flat file. While there are some basic security counter-measures in place, a skilled DBA can easily crack those open and access the contents of the database.
Transparent Data Encryption (TDE) encrypts database and transaction log files in the background. When the database is shut down, the contents are unreadable and inaccessible, even when backed up to tape. In the event that a backup tape of your database is lost or stolen, your data cannot be read or recovered by anyone.
Both Oracle and Microsoft include tools that support TDE, and third parties like Gazzang zNcrypt add TDE support for MySQL.
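As an added illustration (not from the original post or from any vendor documentation), here is the T-SQL sequence for turning on TDE for a SQL Server database; the database name, certificate name, file paths and passwords are placeholders. The step that matters most for the backup-tape scenario above is backing up the certificate: without that certificate and its password, an encrypted backup cannot be restored on another server, which is the point of TDE.

```sql
-- Added example, not from the original post. PayrollDb, TdeCert, paths and
-- passwords are placeholders; replace them for your environment.
USE master;
GO
-- 1. A database master key in master, protected by a strong password.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong-password-placeholder>';
GO
-- 2. A server certificate that will protect the database encryption key.
CREATE CERTIFICATE TdeCert WITH SUBJECT = 'TDE certificate for PayrollDb';
GO
-- 3. Back up the certificate and its private key NOW, and store the files and
--    password separately from the database backups. A backup of PayrollDb is
--    unreadable on any server that does not have this certificate.
BACKUP CERTIFICATE TdeCert
    TO FILE = 'D:\keys\TdeCert.cer'
    WITH PRIVATE KEY (
        FILE = 'D:\keys\TdeCert.pvk',
        ENCRYPTION BY PASSWORD = '<private-key-password-placeholder>'
    );
GO
-- 4. A database encryption key inside the user database, protected by the
--    server certificate.
USE PayrollDb;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TdeCert;
GO
-- 5. Turn encryption on. Data and log files are encrypted in the background;
--    the database stays online while this runs.
ALTER DATABASE PayrollDb SET ENCRYPTION ON;
GO
-- 6. Check progress: encryption_state 2 = encryption in progress, 3 = encrypted.
SELECT DB_NAME(database_id) AS db, encryption_state, percent_complete
FROM sys.dm_database_encryption_keys;
```

Once encryption_state reads 3, a full backup of PayrollDb taken from this point on is encrypted on tape or disk, and the certificate backup from step 3 is what a legitimate restore on a replacement server requires.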
Backups
It’s one thing to have a recent backup of your computer, but where do you keep it, and is it encrypted or not?
Do you have recent backups?
When is the last time you backed up your mobile devices and computers? When is the last time you tested your backups to ensure they were readable and recoverable?
Where are your backups kept?
Ideally, one keeps a backup onsite in a fireproof safe, and one offsite. This could be two external hard drives, under $100 each, that you rotate between a small home fire safe and a safe deposit box at your bank.
Are your backups encrypted at rest?
Misplaced and stolen server backups are one of the greatest causes of identity theft. For businesses and individuals, it is important to use whole disk encryption on your backup drives, and transparent data encryption for your database backups, rendering them unreadable to whoever finds them.
The only thing worse than losing your data is discovering someone else has your data. Educate yourself on the merits of data protection, and the cost of ignoring those risks. There are numerous free and commercial tools to protect your data while in use, in transit, and at rest. Follow good data protection practices to minimize the chance of losing data, and potentially losing your job or going to jail.