Thursday, June 09, 2005

Protecting Consumer Data

The hits just keep on coming at Citigroup:

In February last year, a magnetic tape with information on about 120,000 Japanese customers of its Citibank division disappeared while being shipped by truck from a data management center in Singapore. The tape held names, addresses, account numbers and balances. It has never turned up.

And this week the company revealed that it had happened again--this time the loss of an entire box of tapes in the care of the United Parcel Service, with personal information on nearly 4 million American customers.

Here are some random thoughts on what every company should strive for when handling consumer data:

Catalog - catalog all sensitive data flowing through your systems: SSNs, dates of birth, credit-card and account numbers, and so on. Know every field you hold and flag any privacy field as 'sensitive'.

Encrypt - sensitive data 'at rest' (meaning on disk or tape) should always be encrypted. Always. If a truck driver loses a backup tape, at least force any blackhat into a brute-force attack against a properly sized key, which with a modern cipher is a dead end. Shipping around sensitive data in the clear makes about as much sense as handing the keys to a bulldozer and a six-pack to a 16-year-old boy.

Key management - when applications or subsystems need access to sensitive data, force them to retrieve keys from a separate subsystem managed by another department or team. After decryption, force them to purge the keys: a key lives in memory only for the duration of the operation and is never written to disk. Log every key access attempt, granted or denied. This division of labor provides checks and balances on who can reach sensitive data.

Log analysis - analyze the log files. Who has been requesting keys? How often? Do their usage patterns make sense given their roles, or are there statistical anomalies when compared to similar types of users? These are the types of questions that, say, a ChoicePoint should be asking. Oops, I forgot, those issues aren't ChoicePoint CISO Rich Baich's problem.
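The encrypt / key-management / log-analysis chain from the three points above, as one added example that is not code from the original post or from any of the companies named in it. Everything in it is assumed: the KeyService class, the key id cc-2005, the principal and role names, and the sample records are all made up; the HMAC-SHA256 keystream with encrypt-then-MAC is a stand-in so the block runs on the standard library, and in production you would use AES-GCM from a vetted library and a real KMS or HSM in place of KeyService. What it shows is the shape of the controls: the key service is the only holder of keys and logs every request, the application gets a key, uses it, and zeroes it, and the analysis compares each principal's request volume with its role peers rather than against a fixed threshold.

```python
import hashlib
import hmac
import os
from collections import defaultdict
from statistics import median


# --- Key service: owned by a different team than the application ----------
class KeyService:
    """Holds keys; releases them only to allowed roles and logs every attempt."""

    def __init__(self, role_of, allowed):
        self._keys = {}          # key_id -> 32-byte key; exists only in this process
        self._role_of = role_of  # principal -> role (assumed directory data)
        self._allowed = allowed  # role -> set of key_ids that role may fetch
        self.log = []            # one entry per request, granted or denied

    def create_key(self, key_id):
        self._keys[key_id] = os.urandom(32)

    def get_key(self, principal, key_id, ts):
        role = self._role_of.get(principal, "unknown")
        granted = key_id in self._keys and key_id in self._allowed.get(role, ())
        self.log.append({"ts": ts, "principal": principal, "role": role,
                         "key_id": key_id, "granted": granted})
        if not granted:
            raise PermissionError(f"{principal} ({role}) denied key {key_id}")
        return bytearray(self._keys[key_id])  # bytearray so the caller can zero it


# --- Toy at-rest cipher (demo only; use AES-GCM from a real library) ------
def _subkey(key, label):
    # Separate encryption and MAC keys derived from the one service key
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key, nonce, n):
    out = bytearray()
    for ctr in range((n + 31) // 32):   # HMAC in counter mode as a PRF
        out += hmac.new(enc_key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
    return out[:n]


def encrypt(key, plaintext):
    """Encrypt-then-MAC; output is nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("tag mismatch: wrong key or tampered blob")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


# --- Application side: fetch the key, use it, purge it ---------------------
def read_record(ks, principal, key_id, blob, ts):
    key = ks.get_key(principal, key_id, ts)
    try:
        return decrypt(key, blob)
    finally:
        for i in range(len(key)):   # best-effort wipe; the key never touches disk
            key[i] = 0


# --- Log analysis: who asks for keys, how often, versus their role peers ---
def flag_anomalies(log, factor=3):
    counts = defaultdict(lambda: defaultdict(int))
    denied = defaultdict(int)
    for e in log:
        counts[e["role"]][e["principal"]] += 1
        if not e["granted"]:
            denied[e["principal"]] += 1
    heavy = []
    for role, per in counts.items():
        for p, n in per.items():
            peers = [m for q, m in per.items() if q != p]
            # Flag a principal pulling keys far more often than the median peer
            if len(peers) >= 2 and n > factor * max(1, median(peers)):
                heavy.append((p, role, n))
    return {"heavy_users": sorted(heavy), "denied": dict(denied)}


def demo():
    """Constructed scenario: one batch job pulls the key far more than its peers."""
    ks = KeyService(
        role_of={"batch-01": "batch", "batch-02": "batch",
                 "batch-03": "batch", "web-01": "web"},
        allowed={"batch": {"cc-2005"}, "web": set()},
    )
    ks.create_key("cc-2005")
    export_key = ks.get_key("batch-01", "cc-2005", ts=0)   # export job writes the tape
    tape = encrypt(export_key, b"4111111111111111|Doe,Jane")  # constructed record
    for p, times in (("batch-01", 3), ("batch-02", 4), ("batch-03", 20)):
        for t in range(1, times + 1):
            read_record(ks, p, "cc-2005", tape, ts=t)
    try:
        read_record(ks, "web-01", "cc-2005", tape, ts=99)   # wrong role: denied, logged
    except PermissionError:
        pass
    return flag_anomalies(ks.log)
```

Running demo() flags batch-03 (20 key pulls against a peer median of 4) and records the denied request from web-01; both are exactly the questions the post says the log review should answer. The wipe in read_record is best effort in a garbage-collected language, which is why the real guarantee comes from the design: only the key service (or an HSM) ever holds keys at rest.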

Processes - are documented processes in place for verifying the categorization of sensitive data, ensuring data at rest is encrypted, managing keys, and analyzing logs? If not, put those processes in place and follow them on a regular schedule.

Audit - is the audit team reviewing the process documents to ensure that the processes are being followed on predetermined schedules?

In short, we're not talking rocket science here. We're describing a relatively simple set of processes and the functional discipline to follow them. Given the financial risks of disclosing consumer data (i.e., check the graph of ChoicePoint's market capitalization), the time has never been better. Or you could simply risk having your organization highlighted on the front page of USA Today - in a non-flattering story.

The scramble to protect personal data
