With massive amounts of information transferred and processed in the Cloud every day, protecting sensitive data has become more critical than ever, and more difficult to achieve.  Traditionally, standard security programs are used to limit access to files or directories, and passwords are trusted to keep data safe.  This singular approach to security leaves businesses open to serious risk.

Three areas of primary concern for moving data to the Cloud are as follows.

- Unauthorized exposure of data caused by internal customer operations
- Unauthorized exposure of data caused by cloud provider operations
- Unauthorized exposure of data caused by transport eavesdropping

In a series of blog posts, Gartner identified encryption as a key foundation for Cloud security and discussed the importance of proper management and handling of encryption keys.

When data is encrypted, the location of the data doesn’t matter (including in the Cloud).  The location and management of the decryption keys is what matters.

Source: Gartner, Neil MacDonald, July 2009

GoldKey utilizes an innovative key management system which is securely built into the hardware of USB tokens.  This advancement in encryption key management is accomplished through patent-pending technology called HSP (Hierarchical Security Protocol).  As a result, enterprises may effectively deploy GoldKey tokens as a Cloud Security Key.

A recent study by Ponemon Institute revealed that data breaches are costing hospitals billions of dollars annually.  The passage of the HITECH Act in 2009 widened the scope of privacy and security protections under HIPAA to provide stronger safeguards for patient data.  This includes notification to patients when their information is breached.

The findings of this study highlight the importance of proper security measures, the lack of which can have significant impacts to the bottom line of healthcare organizations.

Key findings of the research:

  • Data breaches are costing the healthcare system billions. The total economic burden created by data breaches on the healthcare industry is nearly $6 billion annually.  The impact of a data breach over a two-year period is approximately $2 million per organization and the lifetime value of a lost patient is $107,580.  The average organization had 2.4 data breach incidents over the past two years.  Major factors causing data breaches are unintentional employee action, lost or stolen computing devices and third-party error.
  • Healthcare organizations are not protecting patient data. Organizations have little or no confidence in their ability to appropriately secure patient records (58 percent).  Healthcare organizations have inadequate resources (71 percent) and insufficient policies and procedures in place (69 percent) to prevent and quickly detect patient data loss.

Original Source

A recent survey found that a startling four percent of respondents currently observe best practices for securing their passwords. Common problem areas include writing passwords down on post-it notes and using the same password for multiple systems.

A survey by researchers at the University of Wisconsin-Madison and IT University in Copenhagen found that just four percent of the people surveyed obeyed best practices for passwords. The survey focused on 836 staff members at a company handling “very sensitive private information.”

“On average, respondents have 4.1 different passwords to log on to different computers and/or access different computer applications at work,” the researchers state in their paper. “If we include passwords used at home that number increases to 9. Eighteen percent of the respondents always use the same password to access the different computer systems, applications or websites, 50% sometimes use the same password and sometimes another password, and 31% always use different passwords.”

“There are also other solutions to overcome human limitations,” the report states. “For example, several studies have shown that human beings are better at recognizing pictures than words or sentences, and pictures are better stored in the long-term memory…Most efficient are two- or three-step authentication methods, for example a combination of token-based and knowledge-based authentication (for example a smart card in combination with a PIN number), a combination of biometrics and passwords, or a combination of token-based authentication and biometrics, depending on the level of security needed.”

Original Source:  http://securitywatch.eweek.com/enterprise_security_strategy/password_strength_needs_a_boost.html

Cloud computing is a hot topic in the industry with significant growth expected in the near future.  The basis of the technology is a pay-as-you-go service model, which eliminates the need to purchase and maintain software, servers, and infrastructure in order to roll out applications and storage.  Some of the primary benefits of this multi-tenancy approach include:

  • Faster deployment of applications and storage
  • Massive scalability on demand
  • Reduced workload for internal IT staff
  • Potentially significant cost savings

Concerns relating to security have caused some to consider a slightly different model of cloud computing known as a private or internal cloud.  Earlier this year, Gartner provided a definition for this approach to cloud computing.

Private cloud is “A form of cloud computing where service access is limited or the customer has some control/ownership of the service implementation.”

Source: Gartner, Thomas J. Bittman, May 2010

Each model has its own unique pros and cons.  In some cases a hybrid deployment involving both strategies may be applicable.  Here are some considerations that may suggest one strategy versus another.

Public Cloud

  • Organizations that want to take advantage of a production cloud offering
  • Organizations that can take advantage of standard environments that are accessed online
  • Organizations looking to utilize infrastructure for a project or hosted solution that doesn’t require excessive customization
  • Organizations with projects that require massive storage

Private Cloud

  • Organizations that need to maintain total security and control
  • Organizations that need to ramp up a particular project that has specific needs, such as load tests
  • Organizations that want to run highly specific applications
  • Organizations with a project that requires a client-specific environment (such as a mirrored data center or an in-house test lab)

Source: http://www.processor.com/editorial/article.asp?article=articles/P3219/21p19/21p19.asp

Data security was once considered something of primary importance only to large enterprises and government.  This mindset has changed dramatically in recent times due to a sharp jump in cyber attacks targeted at mid-sized and even small companies.

A recent McAfee survey of 1100 IT administrators revealed a steep increase in security attacks.  More than half of the respondents indicated that they had seen a greater number of security incidents since last year.

There are a number of reasons for the jump in security incidents at mid-size companies, according to Nigel Stanley, head of the security practice at Bloor Research. He told Infosecurity that an important factor is that larger organizations are tightening their information security environments.

“The hackers are now targeting mid-sized organizations. Large enterprises generally have pretty good security. Hackers are not going to go after a big bank; they are going to go after mid-sized organizations because they are softer targets….This is a legitimate concern for anyone in a mid-sized organization to have to deal with this increasing threat”, Stanley said.

The survey found that 35% of mid-sized organizations had to manage multiple network security incidents, of which 55% took up to five hours at a cost of $1,000 per hour to investigate and remediate. In fact, a number of mid-sized organizations reported that they had suffered a data loss that had cost them more than $25,000.

Full Article: http://www.infosecurity-us.com/view/13197/midsized-companies-see-jump-in-cyber-attacks/

One of the big challenges facing IT security managers is the dilemma of how to protect data with encryption without inhibiting authorized personnel or sacrificing central management capabilities.  This challenge originates from technical difficulties in effectively managing encryption keys across an organization.

This issue is discussed in an article from SearchStorage.com:

Key management becomes more important as encryption becomes more commonly implemented. It also becomes more of a stumbling block with encryption happening in multiple devices from different vendors, and no single standard for managing the keys.

“It’s the key management that still continues to be an issue,” Taneja Group’s Taneja said. “Key management will be a bigger issue when you have a gazillion drives and each has its own key management. How do you manage the keys?”

Jon Oltsik, a senior analyst at Milford, Mass.-based Enterprise Strategy Group (ESG), calls the key management market immature, with most key management systems bundled with encryption devices.

“That was OK a few years ago,” he said. “But, as you can imagine, the more encryption you do, the more key management systems you have, then all of a sudden you have the operational and security challenges of managing multiple systems. We’re still in the early evolution of heterogeneous key management systems. They don’t talk to each other, there are no standards and they won’t scale.”

Full Article: http://searchstorage.techtarget.com/generic/0,295582,sid5_gci1363126,00.html

Many enterprises and government departments are beginning to turn to GoldKey’s Hierarchical Security Protocol (HSP) as an answer to the challenges of managing encryption keys.  HSP utilizes symmetric-key algorithms, making it fast and robust, and supports an innovative key management system securely built into the hardware tokens.

HSP Encryption Key Management

The technology allows for an enterprise-wide key hierarchy and provides multi-user access to data that is stored encrypted at rest.  A detailed overview of the technology is contained in a whitepaper titled, “How GoldKey is Transforming Secure Storage in the Cloud.”
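The Gartner point quoted earlier (once data is encrypted, what matters is where the decryption keys live and how they are managed) and the multi-user access to encrypted-at-rest data described above can both be illustrated with envelope encryption. This is an added example, not GoldKey's HSP or any code from the page: each item is encrypted once under a random data key with AES-256-GCM, and that data key is wrapped separately under each authorized user's key, so the ciphertext in the cloud never changes and access is granted or removed purely by key management. User names and keys are constructed for the demonstration; HSP's actual key hierarchy is not described on the page and is not reproduced here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// aead returns AES-256-GCM for a 32-byte key; any other length is a caller bug.
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return g
}

// seal returns nonce||ciphertext||tag; aad is authenticated but not encrypted.
func seal(key, plaintext, aad []byte) []byte {
	g := aead(key)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce) // crypto/rand.Read is guaranteed not to fail (Go 1.24+)
	return g.Seal(nonce, nonce, plaintext, aad)
}

// open reverses seal; a wrong key, wrong aad or any modified byte makes it fail.
func open(key, sealed, aad []byte) ([]byte, error) {
	g := aead(key)
	if n := g.NonceSize(); len(sealed) >= n {
		return g.Open(nil, sealed[:n], sealed[n:], aad)
	}
	return nil, errors.New("missing or truncated ciphertext")
}

// Encrypt encrypts data once under a fresh data key and wraps that key for every
// user in users (name -> 32-byte user key); returns the ciphertext and the wraps.
func Encrypt(plaintext []byte, users map[string][]byte) ([]byte, map[string][]byte) {
	dataKey := make([]byte, 32)
	rand.Read(dataKey)
	wrapped := map[string][]byte{}
	for name, userKey := range users {
		wrapped[name] = seal(userKey, dataKey, []byte(name)) // AAD ties the wrap to its user
	}
	return seal(dataKey, plaintext, nil), wrapped
}

// Decrypt unwraps the data key with the caller's own key; no wrapped copy or a wrong key yields an error.
func Decrypt(user string, userKey, ciphertext []byte, wrapped map[string][]byte) ([]byte, error) {
	dataKey, err := open(userKey, wrapped[user], []byte(user))
	if err != nil {
		return nil, err
	}
	return open(dataKey, ciphertext, nil)
}
```

Revoking a user is then only a key-management change (delete that user's wrapped copy), but if the user may have cached the unwrapped data key, the item must also be re-encrypted under a fresh data key.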

While enabling new capabilities and significant operational cost savings, cloud computing introduces a series of new security risks.  In a report titled, “Assessing the Security Risks of Cloud Computing,” Gartner identifies specific risks and considerations to take into account before making the jump to cloud-based services.

Focus areas of the report include data integrity, recovery and privacy; legal issues; regulatory compliance; and auditing. Here are seven of the key security issues identified in the report.

1. Privileged user access. Sensitive data processed outside the enterprise brings with it an inherent level of risk, because outsourced services bypass the “physical, logical and personnel controls” IT shops exert over in-house programs. Get as much information as you can about the people who manage your data. “Ask providers to supply specific information on the hiring and oversight of privileged administrators, and the controls over their access,” Gartner says.

2. Regulatory compliance. Customers are ultimately responsible for the security and integrity of their own data, even when it is held by a service provider. Traditional service providers are subjected to external audits and security certifications. Cloud computing providers who refuse to undergo this scrutiny are “signaling that customers can only use them for the most trivial functions,” according to Gartner.

3. Data location. When you use the cloud, you probably won’t know exactly where your data is hosted. In fact, you might not even know what country it will be stored in. Ask providers if they will commit to storing and processing data in specific jurisdictions, and whether they will make a contractual commitment to obey local privacy requirements on behalf of their customers, Gartner advises.

4. Data segregation. Data in the cloud is typically in a shared environment alongside data from other customers. Encryption is effective but isn’t a cure-all. “Find out what is done to segregate data at rest,” Gartner advises. The cloud provider should provide evidence that encryption schemes were designed and tested by experienced specialists. “Encryption accidents can make data totally unusable, and even normal encryption can complicate availability,” Gartner says.

5. Recovery. Even if you don’t know where your data is, a cloud provider should tell you what will happen to your data and service in case of a disaster. “Any offering that does not replicate the data and application infrastructure across multiple sites is vulnerable to a total failure,” Gartner says. Ask your provider if it has “the ability to do a complete restoration, and how long it will take.”

6. Investigative support. Investigating inappropriate or illegal activity may be impossible in cloud computing, Gartner warns. “Cloud services are especially difficult to investigate, because logging and data for multiple customers may be co-located and may also be spread across an ever-changing set of hosts and data centers. If you cannot get a contractual commitment to support specific forms of investigation, along with evidence that the vendor has already successfully supported such activities, then your only safe assumption is that investigation and discovery requests will be impossible.”

7. Long-term viability. Ideally, your cloud computing provider will never go broke or get acquired and swallowed up by a larger company. But you must be sure your data will remain available even after such an event. “Ask potential providers how you would get your data back and if it would be in a format that you could import into a replacement application,” Gartner says.

Full Article: http://www.networkworld.com/news/2008/070208-cloud.html?page=2

Gartner revealed that Cloud-computing services consumed from external service providers (ESPs) are estimated to be 10.2 percent of the spending on external IT services, according to a recent worldwide survey.

From April through July 2010, Gartner surveyed 1,587 respondents in 40 countries to understand general IT spending trends and spending on key initiatives such as cloud computing. Participants were IT budget management professionals (CIOs, IT VPs, IT directors, IT managers, etc.). Four hundred eighty-four respondents participated in the drill-down on cloud computing and were asked how their organization’s current budget for cloud computing was distributed, as well as what their estimate was for spending next year.

“The cloud market is evolving rapidly, with 39 percent of survey respondents worldwide indicating they allocated IT budget to cloud computing as a key initiative for their organization,” said Bob Igou, research director at Gartner. “One-third of the spending on cloud computing is a continuation from the previous budget year, a further third is incremental spending that is new to the budget, and 14 percent is spending that was diverted from a different budget category in the previous year.”

Forty-six percent of respondents with budget allocated to cloud computing indicated they planned to increase the use of cloud services from external providers. Gartner analysts said there is a shift toward the “utility” approach for noncore services, and increased investment in core functionality, often closely aligned with competitive differentiation.

More respondents expected an increase in spending for private cloud implementations that are for internal or restricted use of the enterprise (43 percent) than those that are for external and/or public use (32 percent).

Full details of the survey’s findings are contained in a report titled, “Cloud-Computing Budgets Are Growing and Shifting; Traditional IT Services Providers Must Prepare or Perish.”

Full Article: http://www.gartner.com/it/page.jsp?id=1438813

Much uncertainty has arisen over the security of password-protected Windows user accounts.  A recent breakthrough by Swiss researchers has reduced the time required to crack an alphanumeric Windows password to a matter of seconds.

Details are contained in an article by Robert Lemos of CNET News:

“Swiss researchers released a paper on Tuesday outlining a way to speed the cracking of alphanumeric Windows passwords, reducing the time to break such codes to an average of 13.6 seconds, from 1 minute 41 seconds.

The method involves using large lookup tables to match encoded passwords to the original text entered by a person, thus speeding the calculations required to break the codes. Called a time-memory trade-off, the situation means that an attacker with an abundance of computer memory can reduce the time it takes to break a secret code.”

Read more: http://news.cnet.com/2100-1009_3-5053063.html

This achievement highlights the importance of data encryption and multi-factor authentication for protecting sensitive data stored on Windows computers.

In comparison to the mere seconds needed for compromising a Windows password, it is estimated that present computing capabilities would require nearly 200 years to crack 256-bit symmetric AES encryption.

Additional security benefits may result from implementing multi-factor authentication — requiring users to present multiple forms of identity before gaining access to a resource.  Common types of authentication include:

  • A secret that a user knows (e.g. password or PIN)
  • A physical device (e.g. token, smart card)
  • Biometrics (e.g. fingerprint or retina scan)

The level of security implemented should in most cases be determined by the sensitivity of the data at stake.  Common password-only security for Windows user accounts leaves a vast majority of users with little protection for information stored on their computer systems.  Unless this data is of a non-private nature, it is a good practice to explore additional measures to ensure that private data remains private.