Monday, April 18, 2005

Protecting Customer Data, Part II

Click here for AmazonThe rumbling sound you hear -- after the identity theft debacles at ChoicePoint, LexisNexis, and Bank of America -- is Congress mobilizing to take some sort of legislative action to "protect consumers".

Don't get your hopes up, though. The firms involved are, if nothing else, deep-pocketed and possessed of legions of well-lubricated lobbyists. Any resulting legislation will almost certainly be watered down and likely won't pin financial responsibility for bogus identity transactions on the firms themselves.

And we're nowhere close to having a government-administered system (run by, say, DHS) that could serve as a central registrar for identity data -- and could broker merchant-specific IDs for each consumer that would mitigate the risk of theft.

Today's bottom line is that responsibility for protecting consumer data lies with each company holding that data. That said, what can companies do to better protect the data?

Process: processes for managing the data have to be explicitly documented and enforced. Who can create the data? Who can update it or delete it? Who can read it?

People: roles for data access and management must be mapped to the approved processes. For example, consider a hypothetical role called keymaster. The keymaster is responsible for generating, retaining, and monitoring key-pairs used to encrypt and decrypt the consumer data. In other words, a field like SSN is never stored in the clear. It is encrypted using a public-key provided by the keymaster.

Consider another role called application developer. The app-developer never has direct access to the private-keys needed to decrypt sensitive fields. The app-developer uses documented requests (e.g., APIs) to code provided by keymasters to enable an application to decrypt a sensitive field.

Further, a role called auditor could monitor the use of data provided by the keymaster and the app-developer. The auditor has no direct access to the data, but can closely monitor the detailed logs generated by the other roles. The auditor could use manual and automated techniques to discover misuse of data or anomalies in data access. Presumably an auditor would have discovered the anachronistic behavior of the fake vendors who plugged into ChoicePoint's systems.

Technology: Firewalls, intrusion detection, intrusion prevention, network monitoring: in other words, all of the standard mechanisms for network security. But the processes and people that configure and monitor that technology are equally important. Logs, tools, APIs, clear delineation and separation of roles... all come together to provide a synergistic approach to protecting sensitive data.

Tens or hundreds of millions of dollars in market capitalization hang in the balance.

No comments: