Michael Boldizar, Knight Information Security Consulting, and Ulf Mattsson, Protegrity: Myths and Realities of Data Security and Compliance

December 2010 by Michael Boldizar, CISSP, founder of Knight Information Security Consulting, and Ulf Mattsson, CTO, Protegrity

Today, perhaps more than ever, information security is capturing the attention of the CIO. Many companies have enhanced their perimeter and network security infrastructures. Yet, we still see a large number of security breaches, and legislation being passed to encourage companies to increase security defenses. So what’s lacking in the current information security arsenal? What are the major driving factors behind these phenomena? How can companies evaluate information security and what are some of the remedies to address these issues?

One of the primary driving forces behind increased data security is data breaches. Unlike the stereotypical “hacker” of fifteen years ago who was interested only in defacing web sites for notoriety, today’s hacker seeks to steal information for profit.

“...In 2008, this [criminal activity] was accomplished by targeting points of data concentration or aggregation and acquiring more valuable sets of consumer information. The big money is now in stealing personal identification number (PIN) information together with associated credit and debit accounts...”

In a testament to the effectiveness of today’s hackers, Verizon reports that the average breach resulted in approximately 38,000 records breached by external attacks, while internal attacks resulted in approximately 100,000 records breached. Using the Ponemon study’s calculations, an average breach resulted in a financial loss of $202 per record, and an external compromise resulted, on average, in a cost of over $7.5 million. It should be noted that the number of records compromised varied greatly between internal and external attacks. External attacks can be compared to “black-box” vulnerability assessments, where the actual target – in this case, points of data concentration – is unknown. Similarly, the location of the data, as well as the defenses protecting this data, are unknown to the attacker. Therefore, the attacker must first seek out the data that would yield the largest payoff and then determine how best to attack it. Conversely, the internal attacker is acting in a manner similar to a “white-box” vulnerability assessment, in which the entire information technology landscape is often known. In this case, the attacker knows what data is valuable, where it is located, and how those points of data concentration are defended. An example is the January 2008 case involving Société Générale, in which Jérôme Kerviel was able to execute unauthorized trades as a result of his knowledge of the bank’s control procedures.

Among the supporting documentation was a table detailing the various compromised assets by percentage of breaches and records. While the Point of Sale (POS) system has the highest percentage of breaches, accounting for 32%, it only resulted in 6% of the total number of records compromised. In second place according to frequency of breaches was the database server, which experienced 30% of the breaches, yet resulted in 75% of the total number of records compromised. Third on the list was the application server, with 12% of the breaches and 19% of the total records compromised. File servers accounted for 8% of the breaches, yielding 0.1% of the records breached. Somewhat counter-intuitively, the web server, while involved in 10% of the breaches, yielded only 0.004% of the records breached. The remaining assets were far lower on the list of both percentage of breaches and records compromised. With today’s technology, databases typically are the central point of data concentration, followed by the application and file servers.

Breaches, while a strong factor, usually only result in changes to security after the breach has occurred and the company has lost a considerable amount of money. Fortunately for security, breaches are not the only driving factor. Government regulations and industry standards have been driving forces in developing security standards. Regulations and standards seek to set minimum baselines across a particular industry segment, such as financial services or the medical field. Among the more commonly referenced laws are the California Security Breach Notification Act (SB 1386), the first law specifically addressing data breaches, and the Massachusetts Privacy Law (201 CMR 17.00), the most recent law, which only took effect in March 2010. Both laws have further defined requirements for notifying victims of a breach of personally identifiable information (PII). The Massachusetts law is especially groundbreaking, since it specifically states that if any person or entity stores personally identifiable information on a Massachusetts resident, that person or entity must take reasonable steps to protect that information. This includes a wide variety of security controls, including a written security policy, as well as implementing technical and physical controls as necessary to protect PII. At a minimum, regardless of standard or law, PII is typically considered to include the following: (a) name; (b) social security number; (c) address; and (d) some form of account number. For both of these laws, driver’s licenses and other information are also considered PII.

In addition to state law, there are many industry-specific regulations to which companies and service providers must adhere. While all of these regulations cover the entire spectrum of information security controls that must be followed, we will limit this article specifically to data protection references. For the health care profession, HIPAA regulations must be considered. HIPAA regulations add medical conditions to the list of PII that must be protected. While stopping short of mandating the use of encryption to protect electronic protected health information, HIPAA strongly encourages the use of a mechanism to encrypt and decrypt electronic protected health information. The HITECH Act, which took effect in February 2010, expands the HIPAA regulations to apply to associate service providers rather than just the primary care providers. Under this act, the US Department of Health and Human Services (HHS) and the Federal Trade Commission (FTC) have both been given a role to play under the law, potentially levying punishments and fines on organizations that fail to adequately protect personal health information. For anyone involved in processing credit card information, PCI DSS Requirement 3, Protect Stored Cardholder Data, suggests the use of encryption to protect information that it considers sensitive, which includes full magnetic stripe information, full Primary Account Number (PAN), and Card Verification Value (CVV). Entities regulated by the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation (FDIC) and other entities fall under the Federal Financial Institutions Examination Council (FFIEC) guidelines. These guidelines suggest that sensitive data in transit should also be encrypted. In addition, both the PCI and FFIEC recommend encrypting data both in motion and at rest.

Obviously, protecting data at rest, when it is merely stored somewhere, is important so that someone cannot simply compromise the native database files themselves. But it is also important to protect data in motion, as it traverses the network, because, under the right conditions, that information can be read (or “sniffed”) by someone using the proper utilities or programs.

Security best practices offer additional guidance regarding information security. As with the industry-specific guidelines and standards, the ISO 27001 and BS7799 standards cover the entire spectrum of information security controls that should be implemented by an organization. Specific to this article, both ISO 27001 and BS7799 require sensitive information to be encrypted when either stored or transmitted.

An information security risk assessment essentially determines what needs to be protected by identifying and documenting: (a) threats, controls, and business impact; (b) gaps in relation to what is required by standards or best practices; (c) compensating controls or accepted risk; and (d) controls common to multiple standards. It should be noted that information security risk assessments use a similar methodology to document and evaluate all the major information security controls, not just controls pertaining to sensitive data, but that discussion is outside the scope of this paper.

It is now established that sensitive data must be protected, and encryption is one way of protecting that data. But the question now becomes, does everything need to be encrypted? As most of the regulations and standards have indicated, only sensitive information must be encrypted. But how do you identify what is sensitive and needs to be protected? As the FFIEC guidelines and best practices such as ISO 27001/BS7799 suggest, review the information security risk assessment and identify items and areas classified as requiring encryption.

To summarize, it has been established that the database, application, and file servers are typical points of data concentration that are often attacked by organized crime. These concentrated points of data contain large amounts of sensitive data that must be protected in accordance with a vast array of legislation, standards, and guidelines. Encryption is one way of protecting sensitive data.

Encryption, while offering many advantages in protecting against data leakage and physical theft of the device on which the information resides, involves a number of considerations. First, in traditional encryption technologies such as asymmetric (public/private key pairs) and symmetric (private key) technologies, both the distribution of keys and the keys themselves must be heavily protected. Also, the wrong choice of configuration may lead to slow response times, additional disk space requirements, and impact upon legacy applications. Fortunately, there are newer technologies available today to help greatly minimize these potential issues.
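The two points made above, that only the data classified as sensitive needs encrypting and that the keys themselves must be protected, can be shown together in code. The following Go program is an added example written for this page; it is not code from the article or from Protegrity. It applies field-level AES-256-GCM encryption to the two columns that the regulations cited here call out (PAN and SSN) while leaving the name in the clear, and it gives each record its own data key (DEK) that is wrapped under a separate key-encryption key (KEK), so that the database only ever holds wrapped keys. The Record type, the column names, the customer row and the hard-coded 32-byte demo KEK are all assumptions for illustration; in a real deployment the KEK would be held in an HSM or key-management service, which is where the key-distribution concern in the paragraph above is addressed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Record is a constructed customer row; only PAN and SSN are treated as sensitive.
type Record struct {
	ID         string
	Name       string // stays in the clear so the table remains searchable
	PAN        []byte // nonce||ciphertext||tag once protected
	SSN        []byte // nonce||ciphertext||tag once protected
	WrappedDEK []byte // per-record data key, wrapped under the KEK
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key and returns nonce||ciphertext||tag. aad is
// authenticated but not encrypted: it binds the value to its row and column,
// so a ciphertext copied into another record or field will not open.
func seal(key, plaintext []byte, aad string) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(aad)), nil
}

// open reverses seal and fails on any change to the data, the key or the aad.
func open(key, sealed []byte, aad string) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, fmt.Errorf("sealed value too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], []byte(aad))
}

// Protect draws a fresh 256-bit data key (DEK) for the record, encrypts the
// sensitive fields under it, and wraps the DEK under the key-encryption key
// (KEK). In production the KEK sits in an HSM or KMS; here it is a 32-byte slice.
func Protect(kek []byte, r Record) (Record, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return Record{}, err
	}
	out := r
	for col, p := range map[string]*[]byte{"PAN": &out.PAN, "SSN": &out.SSN} {
		enc, err := seal(dek, *p, r.ID+"/"+col)
		if err != nil {
			return Record{}, err
		}
		*p = enc
	}
	wrapped, err := seal(kek, dek, r.ID+"/DEK")
	if err != nil {
		return Record{}, err
	}
	out.WrappedDEK = wrapped
	return out, nil
}

// Reveal unwraps the DEK with the KEK and decrypts the sensitive fields. A wrong
// KEK, a tampered value or a ciphertext moved from another row returns an error.
func Reveal(kek []byte, r Record) (Record, error) {
	dek, err := open(kek, r.WrappedDEK, r.ID+"/DEK")
	if err != nil {
		return Record{}, fmt.Errorf("unwrap DEK for %s: %w", r.ID, err)
	}
	out := r
	for col, p := range map[string]*[]byte{"PAN": &out.PAN, "SSN": &out.SSN} {
		pt, err := open(dek, *p, r.ID+"/"+col)
		if err != nil {
			return Record{}, fmt.Errorf("%s of %s: %w", col, r.ID, err)
		}
		*p = pt
	}
	return out, nil
}
```

An application calls `Protect(kek, row)` before writing a row and `Reveal(kek, storedRow)` when an authorised component reads it back; with a constructed row such as `Record{ID: "cust-1", Name: "Alice Example", PAN: []byte("4111111111111111"), SSN: []byte("123-45-6789")}` the name stays searchable, the PAN and SSN columns hold only authenticated ciphertext, and the KEK is touched only for the single wrap or unwrap of the 32-byte DEK. Because the row ID and column name are passed as associated data, a ciphertext copied into another row, a flipped byte, or a wrong KEK all fail closed rather than producing plausible-looking plaintext; per-record data keys also mean that rotating the KEK only requires re-wrapping the small DEKs, not re-encrypting every column.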

Until recently, security experts believed the best way to defend data was to apply the strongest possible technological protections to all of the data, all of the time. While that plan may work perfectly in theory, in practice this model creates unacceptable costs as well as performance and availability problems.

What works from both IT and management standpoints? Risk-adjusted data security. Protecting data according to risk enables organizations to determine the most significant security exposures, target budgets towards addressing the most critical issues, strengthen the security and compliance profile, and achieve the right balance between business needs and security demands.

Other issues that risk-adjusted security addresses are the unnecessary expenses, availability problems and system performance lags that result when data is over-protected. Cloud-based technologies, mobile devices and the distributed enterprise require a risk mitigation approach to security. This focuses on securing mission critical data, rather than the now-unachievable ‘protect all the data at all costs’ model of the past.

Risk-adjusted data security plans are cost effective. Among the typical benefits of a risk-adjusted plan is elimination of the common and costly ineffective triage security model. Replacing triage with a well thought-out logical plan that takes into account long-range costs and benefits enables enterprises to target their budgets toward addressing the most critical issues.

By switching focus to a holistic view rather than the common security silo methodology, an enterprise will naturally move away from deploying a series of point solutions at each protection point. The point-solution approach results in redundant costs, invariably leaves holes in the process, and introduces complexity that will ultimately cause significant and costly rework.

Additionally, understanding where data resides usually results in a project to reduce the number of places where sensitive data is stored. Once the number of protection points has been reduced, a project to encrypt the remaining sensitive data with a comprehensive data protection solution provides the best protection while also giving the business the flexibility it needs.

In conclusion, while encryption is not a “silver bullet”, it should be implemented as an integral part of a “defense-in-depth” strategy.


(1) 2009 Verizon Data Breach Report prepared by Verizon Business, http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf

(2) Ibid.

(3) Fourth Annual US Cost of Data Breach Study, Ponemon Institute, http://www.ponemon.org/local/upload/fckjail/generalcontent/18/file/2008-2009%20US%20Cost%20of%20Data%20Breach%20Report%20Final.pdf

New York Times, February 21, 2008, http://www.nytimes.com/2008/02/21/business/worldbusiness/21bank.html

(4) 2009 Verizon Data Breach Report, prepared by Verizon Business, Table 9.

