When it comes to information security, unfortunately there is no "silver bullet." Instead we use layered security controls, each one compensating for weaknesses in the others.
Security would be so much simpler if everyone were honest, upright individuals who obeyed all the rules and never made mistakes. Then we’d be able to handle most security issues with simple policies.
Sadly, that’s not the world we live in. We do start with policies to establish a standard for expected behavior and to define the consequences for breaking the rules. Policy is the foundation of all good security programs.
Next, we usually layer on various other controls, categorized as management controls, operational controls, and technical controls. This is how the National Institute of Standards and Technology (NIST) breaks down security controls in SP 800-53, Rev. 2. It is a good guideline, establishing standards for applying security in many situations.
But what do you do when technology fails? That is the dilemma facing security professionals every day, and it was recently brought back into the headlines with a newly identified security vulnerability that has the potential to expose encrypted data.
The Data Loss Epidemic
Data loss that leads to the exposure of personal information is a growing problem. According to some statistics, there have been over 10 million identity theft victims in the US alone.
One estimate states that "an identity is stolen every 4 seconds in the US." A brief search shows several websites dedicated to the tracking of data breaches, and they definitely have their work cut out for them.
This year alone there have been 49 publicly reported breaches as of the time of this writing (3/12/2008). In 2007 there were 324 reported breaches, resulting in the loss/exposure of an estimated 162,563,703 records.
This high volume of data breaches led the Office of Management and Budget (OMB) to publish Memorandum 06-16 entitled "Protection of Sensitive Agency Information."
This memo was published following a large data breach (names, Social Security numbers, and dates of birth) by the United States Department of Veterans Affairs, resulting in the exposure of personal data on roughly 26.5 million U.S. military veterans.
The memo refers to various NIST guidance publications and then recommends the following additional actions:
- Encrypt all data on mobile computers/devices that carry agency data unless the data is determined to be non-sensitive, in writing, by the Deputy Secretary or an individual he/she may designate in writing.
- Allow remote access only with two-factor authentication, where one of the factors is provided by a device separate from the computer gaining access.
- Use a "time-out" function for remote access and mobile devices requiring user re-authentication after 30 minutes inactivity.
- Log all computer-readable data extracts from databases holding sensitive information and verify that each extract, including sensitive data, has been erased within 90 days or its use is still required.
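One way to mechanize the fourth item, the 90-day check on logged data extracts, is a small audit script run over the extract log. The following is an added example and is not code from the original article or from OMB; the CSV log format, the column names, and the reading that a dated reconfirmation of continued use restarts the 90-day clock are assumptions of the example, and the log rows are constructed sample data.

```python
import csv
import io
from datetime import date, timedelta

RETENTION_DAYS = 90                 # OMB M-06-16: erase within 90 days or re-justify use
AUDIT_DATE = date(2008, 3, 12)      # the day the audit is run (assumed)

# Constructed sample extract log (not real data). One row per extract from a
# database holding sensitive information, as the memo asks agencies to log.
# Columns: extract id, extraction date, whether it carries sensitive data,
# erase date ("-" if still held), and the date continued use was last reconfirmed.
SAMPLE_LOG = """\
extract_id,extracted,sensitive,erased,use_reconfirmed
EX-001,2007-11-01,yes,2007-12-15,-
EX-002,2007-11-20,yes,-,-
EX-003,2007-12-01,yes,-,2008-03-01
EX-004,2008-02-25,yes,-,-
EX-005,2007-10-05,no,-,-
EX-006,2007-10-01,yes,2008-02-01,-
"""


def _parse_date(field):
    """Return a date for 'YYYY-MM-DD', or None for the '-' placeholder."""
    return None if field == "-" else date.fromisoformat(field)


def parse_log(text):
    """Parse the CSV extract log into a list of dicts holding real date objects."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "extract_id": row["extract_id"],
            "extracted": _parse_date(row["extracted"]),
            "sensitive": row["sensitive"].strip().lower() == "yes",
            "erased": _parse_date(row["erased"]),
            "use_reconfirmed": _parse_date(row["use_reconfirmed"]),
        })
    return rows


def classify(record, today):
    """Status of one sensitive extract against the 90-day rule.

    ok           erased within the window, still inside the window, or use
                 reconfirmed within the last RETENTION_DAYS (assumed reading:
                 a dated reconfirmation restarts the clock)
    erased_late  erased, but more than RETENTION_DAYS after extraction
    overdue      still held past RETENTION_DAYS with no current reconfirmation
    """
    window = timedelta(days=RETENTION_DAYS)
    if record["erased"] is not None:
        return "ok" if record["erased"] - record["extracted"] <= window else "erased_late"
    if today - record["extracted"] <= window:
        return "ok"
    reconfirmed = record["use_reconfirmed"]
    if reconfirmed is not None and today - reconfirmed <= window:
        return "ok"
    return "overdue"


def audit_extracts(text, today):
    """Map every sensitive extract id to its status; non-sensitive rows are skipped."""
    return {r["extract_id"]: classify(r, today)
            for r in parse_log(text) if r["sensitive"]}


if __name__ == "__main__":
    for extract_id, status in audit_extracts(SAMPLE_LOG, AUDIT_DATE).items():
        print(f"{extract_id}: {status}")
```

Run against the sample log on the assumed audit date, EX-002 shows as overdue (held 113 days with no reconfirmation), EX-006 as erased late (123 days after extraction), and the rest as ok; the non-sensitive EX-005 is outside the memo's scope and is not reported. Anything other than "ok" is the list to take to the data owner.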
These requirements were quickly added to the Federal Information Security Management Act (FISMA) reporting requirements for that period. In an effort to demonstrate its awareness of the problems with such data loss, the OMB included the following statement:
"We intend to work with the Inspectors General community to review these items as well as the checklist to ensure we are properly safeguarding the information the American taxpayer has entrusted to us."
While I have huge problems with the way this was handled (that’s fodder for another article or two), the OMB was at least attempting to provide relevant guidance.