Lipstick On A Pig
by Calum Macleod, Western European Director at Cyber-Ark
As someone who has become totally engrossed in the upcoming US elections, Barack Obama's comment about "lipstick on a pig" resonated with me, because in my opinion it just about sums up the approach to IT security in most enterprises today. You can have SOX, PCI, Basel, ISO or whatever other policy you care to name, but as long as you carry on doing things in the same old way you might as well put lipstick on a pig.
Over the past year there have been countless incidents of sensitive data being lost or misplaced, and small fortunes have been spent investigating the how and the why. Yet the incidents continue, and in my opinion this is primarily due to the failure of organisations to implement the technologies needed to ensure that their policies are actually enforced.
It is therefore essential that adequate controls are put in place to protect highly sensitive data from abuse. There are best-practice approaches, as well as commercial solutions, that minimise the risk no matter how resourceful or determined someone may be, and that technically close off most of the opportunities to abuse sensitive data. The following list can serve as a guideline for accomplishing this.
Secure repository
By creating a secure repository, sensitive data can be stored in a manner that gives the data owner, whether that is an individual or an application, and the organisation complete control over who has access. This removes the easy routes by which unauthorised users, inside or outside the network, gain access to the data. It also ensures that IT staff can no longer read the data even though they are responsible for managing the system that stores it.
Common sense encryption
Effective but manageable encryption that does not require IT intervention removes the risk of keys being exposed to systems staff. Relying on encryption methods that are complex to use and manage only increases the exposure, because it draws IT staff back into handling the keys.
Secure backup
Backing up sensitive and critical data is crucial, but backups themselves can be abused. Every precaution should be taken when selecting backup/restore solutions to ensure that they back up the data in its encrypted form. Too often data is backed up unencrypted and is then open to abuse and theft.
Segregation of duties
There must be segregation between IT staff and data owners. Additionally, there should be hierarchies within data ownership, such as dual control, which enforce checks and balances so that highly sensitive data cannot be accessed unless authorisation has been given by a second person. Where possible, access to, and responsibility for, data should be devolved to the relevant departments, minimising the number of prying eyes. For example, there is no reason why anyone outside HR should have access to HR data.
Proactive alerting
With automatic reporting of user activity, any time an authorised user accesses a sensitive file, management receives an immediate report of that access. Doing this at departmental level means that the managers who know which sensitive data is under their control are the ones who see the reports, so they can identify inappropriate behaviour at an early stage.
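The segregation-of-duties and proactive-alerting points above describe a control that is easy to show in code: a repository that checks department ownership, refuses IT staff even though they administer the system, requires a second data owner's approval (dual control) for the most sensitive files, and records every attempt, allowed or denied, against the owning department's manager. The following is an added example written for this page; it is not Cyber-Ark's code, and all users, files, manager addresses and the approval format are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class User:
    name: str
    department: str
    is_it_staff: bool = False  # administers the system but must not read its data


@dataclass(frozen=True)
class SensitiveFile:
    path: str
    owner_department: str
    dual_control: bool = False  # a second data owner must approve each access


@dataclass(frozen=True)
class Approval:
    """Constructed approval record: who approved which request (hypothetical format)."""
    path: str
    requester: str
    approver: str


@dataclass(frozen=True)
class AccessEvent:
    user: str
    path: str
    allowed: bool
    reason: str
    report_to: str  # departmental manager who receives the immediate report


class DataStore:
    """Repository enforcing department ownership, IT-staff exclusion and
    dual control, and reporting every attempt to the owning department."""

    def __init__(self, users, files, managers):
        self.users = {u.name: u for u in users}
        self.files = {f.path: f for f in files}
        self.managers = managers  # department -> manager address (constructed)
        self.events: list[AccessEvent] = []

    def _record(self, user: User, f: SensitiveFile, allowed: bool, reason: str) -> AccessEvent:
        ev = AccessEvent(user.name, f.path, allowed, reason, self.managers[f.owner_department])
        self.events.append(ev)  # allowed and denied attempts are both reported
        return ev

    def request_access(self, user: User, path: str, approval: Optional[Approval] = None) -> AccessEvent:
        f = self.files[path]
        if user.is_it_staff:
            return self._record(user, f, False, "IT staff administer the system but may not read its data")
        if user.department != f.owner_department:
            return self._record(user, f, False, f"caller is outside {f.owner_department}")
        if f.dual_control:
            if approval is None or approval.path != path or approval.requester != user.name:
                return self._record(user, f, False, "dual control: no approval for this request")
            approver = self.users.get(approval.approver)
            # The approver must be a second, distinct data owner in the same department.
            if (approver is None or approver.name == user.name or approver.is_it_staff
                    or approver.department != f.owner_department):
                return self._record(user, f, False, "dual control: approver is not a second data owner")
        return self._record(user, f, True, "authorised")

    def reports_for(self, manager: str) -> list[AccessEvent]:
        """Everything a departmental manager would be shown for their own data."""
        return [e for e in self.events if e.report_to == manager]


def run_demo() -> DataStore:
    # Constructed users, files and managers for the walkthrough.
    alice, bob = User("alice", "HR"), User("bob", "HR")
    carol = User("carol", "Finance")
    dave = User("dave", "IT", is_it_staff=True)
    store = DataStore(
        users=[alice, bob, carol, dave],
        files=[SensitiveFile("/hr/salaries.xlsx", "HR", dual_control=True),
               SensitiveFile("/hr/holidays.csv", "HR"),
               SensitiveFile("/finance/ledger.db", "Finance")],
        managers={"HR": "hr-manager@example.com", "Finance": "finance-manager@example.com"},
    )
    store.request_access(alice, "/hr/holidays.csv")                     # allowed, own department
    store.request_access(carol, "/finance/ledger.db")                   # allowed, own department
    store.request_access(carol, "/hr/holidays.csv")                     # denied, outside HR
    store.request_access(dave, "/hr/salaries.xlsx")                     # denied, IT staff
    store.request_access(alice, "/hr/salaries.xlsx")                    # denied, dual control
    store.request_access(alice, "/hr/salaries.xlsx",
                         Approval("/hr/salaries.xlsx", "alice", "bob"))  # allowed, second owner approved
    store.request_access(alice, "/hr/salaries.xlsx",
                         Approval("/hr/salaries.xlsx", "alice", "alice"))  # denied, self-approval
    store.request_access(alice, "/hr/salaries.xlsx",
                         Approval("/hr/salaries.xlsx", "alice", "carol"))  # denied, approver outside HR
    return store


if __name__ == "__main__":
    for e in run_demo().events:
        print(f"{'ALLOW' if e.allowed else 'DENY ':5} {e.user:6} {e.path:22} -> {e.report_to}: {e.reason}")
```

The point of routing every event to the owning department's manager rather than to a central IT queue is the one the article makes: the HR manager knows what the salaries file is and who should be opening it, so the self-approval and out-of-department attempts stand out immediately, whereas the same lines in a central log would be noise.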
Ultimately it is impossible to eliminate the abuse of sensitive data by people who are determined to misuse their position, but at the very least every organisation today can easily and relatively cheaply implement technology to ensure that its procedures are not just "an old fish in a piece of paper".
www.cyber-ark.com