Ulf Mattsson, CTO, Protegrity Corporation: Managing Risk, Understanding the New Options in Data Protection
January 2010 by Ulf Mattsson, CTO, Protegrity Corporation
Accepting the obligation to protect your customers’ data is a part of doing business today. Data security drives customer trust and loyalty, and can preserve the value of your brand and ultimately your bottom line – Protecting your data is protecting your business.
In today’s environment, every business that holds valuable customer data is a potential target for attack. Traffic in stolen consumer credit card data has become big business, and most experts agree that it is inevitable your systems will be attacked at some point. The goal is to fend off the attack and prevent a breach. Any reportable breach is extremely costly, but the question is how to measure the return on an investment made to prevent an attack from succeeding. This white paper will guide you through determining relevant metrics for your organization, as well as a process for developing, deploying and managing a risk-adjusted data security plan.
The Risk Model
The risks to sensitive data may be unrelated to the costs of a security breach. A risk model will incorporate both inherent (largely uncontrollable) risks as well as highly controllable risks which are related to the policies, procedures and technologies that are specifically put in place to reduce the risks to sensitive data.
Inherent Risks – These risks are related to the nature of the enterprise itself and how it conducts business. Their variability is largely out of the day-to-day control of managers in the enterprise. Fundamental changes to the level of inherent risk would require major changes to the nature of the enterprise.
Operations Risks – These risks to sensitive data have little to do with the data itself or how the data is handled, and have a lot to do with the work environment of the enterprise, from the physical facility to the characteristics of the people who work for the enterprise. The ability to affect the level of operational risks is limited, but they are controllable through senior management decisions.
Policy and Procedure Risks – These risks are all focused on the business processes by which sensitive data is gathered, processed and utilized by the enterprise in order to conduct business. The ability to control these risks is largely the responsibility of the business organization, rather than the IT organization.
Technology Risks – These risks are directly related to the data itself, and the technologies used to increase or reduce the level of risk. The controls over these risks are within the purview of the IT organization.
In general, data privacy security regulations and enterprise security and privacy policies are designed to reduce policy and procedure risks, as well as technology risks. As a result, the self-test which accompanies this white paper takes into account that most of the controls that management can use to reduce risk are focused on these types of risks to sensitive data.
Measuring the Risks to Confidential Data
There are hundreds of different ways to measure risks to an enterprise, and thousands of different variables to measure. But if the focus is specifically on the risks to confidential data, then the process can be simplified. We have identified 30 factors that we have found to be most closely associated with the internal and external risks to sensitive data. We have built these items into a “self-test” that accompanies this white paper. The factors in the self-test have been assigned weightings based on the relative association of the item with the risk to data.
Some risk factors are outside the control of the enterprise, and are due to the nature of the industry and the type of enterprise (private, public, government organization, etc.). For the most part, the risks are known to risk management and security professionals. But part of the task of quantifying the relative risks to confidential data requires the classification of different types of risks so that each type may be weighted and the effectiveness of the controls to reduce each type of risk can be quantified.
Exhibit 1. Risks to Confidential Data
Exhibit 2. Risks to Confidential Data
As a data breach unfolds, events follow a path from discovery to notification to remediation and response. The early steps along the path are carried out in crisis and generally with less than complete information. Costs can quickly spin out of control as your organization strives to do the right thing for your customers while at the same time protecting your organization from liability and further exposure. Stolen records are most valuable while their theft remains undetected or unreported. As a general rule, the longer it takes for your organization to detect and react to a breach, the greater the damages will become.
Detection and Determination of Response
Costs start mounting up in the initial phase of a breach as early as when you suspect something is wrong. Depending on the nature of the attack, you may need to shut down systems, and potentially take your business ‘off line’. You may be carrying out investigations in real time while the risk is still present and the attack is ongoing.
The objective of the data thief is to remain undetected for as long as possible, so your initial investigation will need to look back in system logs and records to determine the extent of the breach and the impact on your business. Operating in this crisis mode is a very disruptive and costly process.
Once you establish that a breach in fact occurred, and the impacted customer records have been identified, the emphasis shifts to determining response. Generally this involves legal advisors, card agencies (if the event is a credit card breach), and internal and external public relations and investor relations personnel. In parallel with the ongoing technical work, the business and legal side of the house needs to swing into action.
Internal technical investigation – costs are based on crisis activities
Legal and external advice
Public relations and investor relations advice and preparation
Affected systems frequently need to be isolated during the initial attack, and potentially taken off line completely. During a recent breach that occurred in one web application of an online merchant, the company under attack discovered that the vulnerability being exploited was also present in several of its other web applications. The result was that the attacked company essentially shut down its entire web presence for more than 24 hours. The lost market presence and lost business was considerable.
Systems shut down – costs driven by lost business and the number of days of being offline
Once it is clear a breach has occurred, and the list of affected customers has been determined, the company shifts into a damage control and action phase. Companies deal with the customer remediation process in different ways based on the nature of the breach, the type of data stolen, and the magnitude of the audience.
Costs mount up very quickly as the company needs to address each and every customer. Breach notification rules provide some guidance on what is required, but in general a customer centric organization will utilize several different channels to reach customers: phone, mail, email, public notice, etc. There is a cost to develop the content of each form of notice, and a cost per client to get the word out.
Many customers will immediately want to communicate with the company to understand their risks and remediation alternatives. In most cases, this will require establishing a call center and providing sufficient training and oversight to ensure a quality response.
For credit and identity oriented breaches, a common response is to provide one or more years of credit watch to the customers. Typically not every customer will take advantage of the offer.
Letters, emails, and phone calls – in addition to development costs, these are measured by number of notices sent.
Call center – setup and training costs, and a cost per incident or call
Credit watch services – fixed cost per year for every client that requires the service
Beyond the initial internal investigation that occurred while discovering the breach, there will undoubtedly be a further internal systems review and likely a more measured set of projects to remediate the systems that were attacked. The scope of this effort can be broad, and will require significant internal investment and cooperation with outside vendors such as assessors, consultants and card agencies.
Particularly in a credit card breach, there is a very high likelihood of fines and penalties that will run for as long as the systems remain vulnerable. The Payment Card Industry states that
“Members are subject to fines, up to $500,000 per incident, for any merchant or services provider that is compromised and not compliant at the time of the incident.” – Source: VISA USA web site
A breach also triggers a heightened obligation for periodic audit and assessment. In the event that the breach triggers litigation, then there are costs associated with defense and investigation as well as any penalties or damages that are assessed.
Internal systems review and remediation – projects and potentially new systems
Fines – levied by the Payment Card Industry or other regulatory organizations
Expanded audit and assessment – more frequency and deeper review
Legal defense and investigation – internal and external professional time
It is a generally accepted fact that the greatest impact from a breach is on the corporate brand. The impact takes different forms, but nearly all of them are negative. The primary impact is lost revenue from a decline in sales to existing and new customers. By some estimates, as high as 60% of customers may re-consider their business relationship with a vendor that has been breached. Beyond the revenue impact, there is also a probable financial market value impact. Many companies have seen their stock price drop in response to publication of a breach.
There is a potential positive brand impact if the company’s response to the breach is swift and professional and complete. Taking the “high road” can work in a company’s favor.
Lost business – declining revenue from new and existing customers
Reduced corporate market value – stock price decline in response to the news and potential liabilities
Halo effect – companies get positive credit for a professional response
Fraudulent Use of Data
If the attacker stole credit or identity data, then the purpose of the theft was to make use of the data for economic gain. Stolen identities and cards are most valuable immediately after they are acquired and before the company or the victims have been able to respond. Many companies are so concerned about their image and their potential liabilities that they delay making notifications and starting the process of recovering from the breach. This is exactly the wrong response, and allows the thief time to gain maximum advantage from the stolen data.
Depending on the nature of the breach and what regulations are in effect, the risk of liability from fraudulent use of stolen data may fall squarely on the organization that was breached. One large retailer is still addressing the ongoing liability of a credit breach that has reached millions of dollars of liability.
Delayed response – the value of stolen data is greatest in the early days of the theft
Liability from use – charge-back of fraudulent use to the responsible party
Developing and Deploying A Risk-Adjusted Data Protection Plan:
Step 1: Know Your Data
Begin by determining the risk profile of all relevant data collected and stored by the enterprise, and then classify that data according to its designated risk level. Data that is resalable for a profit — typically financial, personally identifiable and confidential information — is high risk data and requires the most rigorous protection; other data protection levels should be determined according to the value of the information to your organization and the anticipated cost of its exposure — would your business be impacted? Would it be difficult to manage media coverage and public response to the breach?
There are several models that a business can use to classify data. Larger enterprises will likely want to rely on policy-driven automated tools and leverage data classification projects, if one is in place. Smaller businesses can use the simplest model: assign a numeric value for each class of data; high risk = 5, low risk = 1. Note that this simple method serves as a model to help a business choose the right data security solutions; it is not a substitute for a data classification project.
Step 2: Find Your Data
Data flows through a company, into and out of numerous applications and systems. A complete understanding of this data flow is essential to the risk-adjusted process. You can’t protect data if you don’t know where it is, and assigned risk levels will change depending on how data is being collected, used and stored. High risk data residing in places where many people have access is obviously data that needs the strongest possible protection.
Locate all of the places that data resides including applications, databases, files, and all the systems that connect these destinations such as data transfers across internal and external networks, etc. and determine where the highest-risks reside and who has or can gain access to data (see “Understand your Enemy” below).
Other areas to examine for data stores include your outsourcing partnerships as well as data that is being used for non-production purposes such as third-party marketing analysis or in test and engineering environments. It’s not uncommon for organizations to invest in protecting production systems and data centers yet have live data sitting unprotected on the systems of application developers and other outsourced parties. If live production data is being used in a less controlled environment, attention has to be paid to regulatory compliance and security threats. Here, too, data de-identification technologies such as data encryption, Format-Controlling Encryption and tokenization can help.
Step 3: Understand Your Enemy
The next step is conducting an end-to-end risk analysis on the entire environment to identify the highest risk areas in the enterprise ecosystem and the points where data might be exposed to unauthorized users. Currently web services, databases and data-in-transit are at high risk. The type of asset compromised most frequently is online data. Exploiting programming code vulnerabilities, subverting authorized user credentials and malware targeting the application layer and data (rather than the operating system) are the attack methods that are being utilized most frequently. These vectors change so keep an eye on security news sites to stay abreast of current threats.
Most data breaches are caused by external sources, but breaches attributed to insiders, though fewer in number, typically have more impact than those caused by outsiders. Nearly three-quarters of the breaches examined in the Verizon Report were instigated by external sources. Unauthorized access via default credentials (usually third-party remote access) and SQL injection (against web applications) were the top types of hacking; access to a network was often followed by malware being planted on the system.
Step 4: Choose Your Defenses
Risk-based security leverages different types of data protection solutions to properly protect different data risk-levels. Look for multi-tasking solutions that provide a complete set of protection technologies that can be deployed when and as needed, in combinations that suit the individual business’ needs, in order to protect data now and quickly address changes in data risk-levels and new threat vectors.
High risk data is best secured using end-to-end encryption or tokenization of individual data fields. Tokenization removes sensitive data from the information flow at the earliest possible point in the process, replacing it with a token that acts as an alias for the protected data. By associating original data with an alias, high-risk data can systematically be removed and protected from malicious hackers over its lifecycle under a fully auditable and controllable process. This practical protection method is perfectly suited for securing high risk data like credit card information and social security numbers.
Newer solutions provide targeted protection for data in use and do not interfere with business processes. For example, Data Format Controlling Encryption retains the original format, on a character-by-character basis, of encrypted data, putting an end to the data re-formatting and database schema changes required by other encryption techniques. It’s especially well-suited to protect data that’s being used for testing or development in a less-controlled environment. Policy-Based Masking provides the ability to mask selected parts of a sensitive asset. Implemented at the database level rather than application level, policy-based Data Masking provides a consistent level of security across the enterprise without interfering with business operations and greatly simplifies data security management chores.
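The two techniques described above for high-risk fields, tokenization with a vault and policy-based masking of selected digits, are shown together in the following added example. It is not code from the white paper or from any Protegrity product; the vault design (format-preserving random tokens that keep the last four digits and fail the Luhn check, a keyed fingerprint for repeatable tokenization, role-based masked or full detokenization with an audit trail) and the `policy` dictionary are assumptions made for the illustration, and the card number used is a constructed test value.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timezone


def luhn_valid(number: str) -> bool:
    """Luhn check used for card numbers; generated tokens are chosen to fail it."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str, keep_first: int = 6, keep_last: int = 4) -> str:
    """Policy-based masking: expose only the digits a role is allowed to see."""
    hidden = len(pan) - keep_first - keep_last
    return pan[:keep_first] + "*" * hidden + pan[-keep_last:]


class TokenVault:
    """Assumed vault design (not a vendor product): the PAN lives only here,
    callers hold a format-preserving token, and every lookup is audited."""

    def __init__(self, policy: dict, lookup_key: bytes):
        self._token_to_pan = {}
        self._fp_to_token = {}      # keyed HMAC of the PAN -> token (same PAN, same token)
        self._key = lookup_key
        self.policy = policy         # role -> "full" | "masked" | "none"
        self.audit = []

    def _fingerprint(self, pan: str) -> str:
        # HMAC rather than a plain hash so the lookup map cannot be brute-forced offline
        return hmac.new(self._key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not pan.isdigit() or not 13 <= len(pan) <= 19:
            raise ValueError("PAN must be 13 to 19 digits")
        fp = self._fingerprint(pan)
        if fp in self._fp_to_token:
            return self._fp_to_token[fp]
        while True:
            # keep the last four digits so existing schemas and receipts still work;
            # the rest is random (no key can recover it) and Luhn-valid draws are rejected
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token != pan and token not in self._token_to_pan and not luhn_valid(token):
                break
        self._token_to_pan[token] = pan
        self._fp_to_token[fp] = token
        return token

    def detokenize(self, token: str, role: str) -> str:
        mode = self.policy.get(role, "none")
        # audit every attempt, including refused ones; never log the PAN itself
        self.audit.append((datetime.now(timezone.utc).isoformat(), role, token[-4:], mode))
        if mode == "none":
            raise PermissionError(f"role {role!r} is not authorised for this field")
        pan = self._token_to_pan[token]
        return pan if mode == "full" else mask(pan)


if __name__ == "__main__":
    vault = TokenVault({"fraud_analyst": "full", "support": "masked"}, b"constructed-key")
    tok = vault.tokenize("4111111111111111")   # constructed test PAN
    print("token:", tok)
    print("support sees:", vault.detokenize(tok, "support"))
    print("audit:", vault.audit)
```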
Database Activity Monitoring is an appropriate solution for lower risk data, as the data that is monitored is not encrypted. Database Activity Monitoring provides increased visibility as to how people are accessing and using less-critical data. Besides protecting low-risk data, Database Activity Monitoring technology can be used by businesses that are just beginning to roll out a comprehensive data security plan; it’s a great way to begin to get a good feel for who is accessing what data.
Whatever solution you use, ensure that it is properly configured for your environment.
One problem I have encountered with some third-party security solutions’ access checks is that the database must be trusted to provide accurate authentication data. Some third-party security solutions do not perform any authentication of their own. The userid retrieved from the SELECT call is simply assumed to be valid.
This may certainly be questionable for an external security system. But using the extended access checks as described here is even more questionable. This is because they are not based on properly authenticated data, only data collected during the authentication process. Even worse, some of them may be set to an arbitrary value by the client process.
Step 5: Deployment
Risk-Adjusted data protection enables enterprises to stage their security roll-out. Focus your initial efforts on hardening the areas that handle critical data and are a high-risk target for attacks. Then continue to work your way down the risk-prioritized list, securing less critical data and systems with appropriate levels of protection.
Security is an ongoing process, not a series of events. The level of protection required by data may change according to how it is being collected, transmitted, used and stored. Reevaluate risk levels annually and on an as-needed basis if business processes change.
Considerations for File-level Database Encryption
File-level Database Encryption (or Table Space encryption) has been proven to be fairly straightforward to deploy, with minimal performance overhead, while providing convenient key management. This approach is cost effective since it installs quickly in a matter of days, utilizes existing server hardware platforms and can easily extend the protection to log files, configuration files and other database output. It is also the fastest place to decrypt, since the encryption layer is installed just above the file system and encrypts and decrypts data as the database process reads or writes its database files. Cryptographic operations are therefore performed on file-system blocks rather than row by row, because the data is decrypted before it is read into the database cache. Subsequent hits on this data in the cache incur no additional overhead. Nor does the solution architecture diminish database index effectiveness, but remember that the index is in clear text and unprotected within the database.
This approach is suitable for protection of low risk data. Be aware of the limitations with this approach in the areas of limited separation of DBA duties. File encryption doesn’t protect against database-level attacks.
Considerations for Column-level Encryption
Column level (full or partial) encryption can provide cost effective protection of data fields/columns in databases. Most applications are not operating on and should not be exposed to all bytes in fields like credit card numbers and social security numbers, and for those that do require full exposure an appropriate security policy with key management and full encryption is fully acceptable. This approach is suitable for protection of high risk data.
Continuous protection via end-to-end encryption at the field level is an approach that safeguards information by cryptographic protection or other field-level protection from point-of-creation to point-of-deletion, keeping sensitive data or data fields locked down across applications, databases, and files - including ETL data loading tools, FTP processes and EDI data transfers. ETL (Extract, Transform, and Load) tools are typically used to load data into data warehousing environments. This end-to-end encryption may utilize partial encryption of data fields and can be highly cost effective for selected applications like an e-business data flow.
End-to-end encryption is an elegant solution to a number of messy problems. It’s not perfect; field-level end-to-end encryption can, for example, break some applications, but its benefits in protecting sensitive data far outweigh these correctable issues. The capability to protect at the point of entry helps ensure that the information will be both properly secured and appropriately accessible when needed at any point in its enterprise information life cycle. End-to-end data encryption can protect sensitive fields in a multi-tiered data flow from storage all the way to the client requesting the data. The protected data fields may be flowing from legacy back-end databases and applications via a layer of Web services before reaching the client. If required, the sensitive data can be decrypted close to the client after validating the credentials and data-level authorization.
Step 6: Crunch the Numbers
Risk-adjusted data security plans are cost effective. Among the typical benefits of a risk-adjusted plan is the elimination of the all too common and costly triage security model which is ineffective whether you’re triaging based on compliance needs or the security threat of the moment. Replacing triage with a well thought-out logical plan that takes into account long-range costs and benefits enables enterprises to target their budgets toward addressing the most critical issues.
By switching your focus to a holistic view rather than the all too common security silo methodology, an enterprise naturally moves away from deploying a series of point solutions at each protection point, which results in redundant costs, invariably leaves holes in the process, and introduces complexity that will ultimately cause significant and costly rework.
Additionally, an understanding of where data resides usually results in a project to reduce the number of places where sensitive data is stored. Encrypting the remaining sensitive data according to its risk levels with a comprehensive data protection solution provides the best protection while also giving the business the flexibility it needs.
Although it’s always admirable to get the most for less, it’s important to keep the return on data security investments in perspective. Find the right balance between cost and security by doing a risk analysis. For example, field-level encryption with good key management may lower the probability of card exposure (for example from 2% to 1% for a given year). A breach cost may be viewed to be $200 per card ($30 to $305 according to Gartner and Forrester, April 2008). All security spend figures produced by government and private research firms indicate that enterprises can put strong security into place for significantly less expenditure — about 10% the average cost of a breach.
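The risk analysis sketched above can be carried through as an expected-loss calculation, shown here as an added example rather than the white paper’s own method. It uses the paper’s figures (exposure probability falling from 2% to 1% per year, $200 per card within the $30 to $305 range); the one million cards at risk and the $4,000,000 control cost used for the payback illustration are constructed assumptions.

```python
def annual_loss_expectancy(cards: int, p_exposure: float, cost_per_card: float) -> float:
    """Expected yearly breach cost: records at risk x yearly exposure probability x cost per record."""
    return cards * p_exposure * cost_per_card


def annual_risk_reduction(cards: int, p_before: float, p_after: float, cost_per_card: float) -> float:
    """Expected loss avoided per year by a control that lowers the exposure probability."""
    return (annual_loss_expectancy(cards, p_before, cost_per_card)
            - annual_loss_expectancy(cards, p_after, cost_per_card))


def payback_years(spend: float, yearly_reduction: float) -> float:
    """Years until avoided loss covers the control's cost; infinite if it never does."""
    return spend / yearly_reduction if yearly_reduction > 0 else float("inf")


def sensitivity(cards: int, p_before: float, p_after: float,
                costs=(30.0, 200.0, 305.0)) -> dict:
    """Risk reduction across the per-card cost range cited in the white paper,
    so the decision can be checked at the low and high ends, not just the midpoint."""
    return {c: annual_risk_reduction(cards, p_before, p_after, c) for c in costs}


if __name__ == "__main__":
    cards = 1_000_000            # constructed: cards held by the enterprise
    reduction = annual_risk_reduction(cards, 0.02, 0.01, 200.0)
    print(f"avoided loss per year at $200/card: ${reduction:,.0f}")
    print(f"payback on a $4,000,000 control: {payback_years(4_000_000, reduction):.1f} years")
    for cost, saved in sensitivity(cards, 0.02, 0.01).items():
        print(f"  ${cost:>6.0f}/card -> ${saved:>12,.0f} avoided per year")
```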