Can data security be pinned down?

Every organisation knows that information is one of its most valuable assets; increasingly so does anyone looking to exploit that information for their own ends, be they criminals, ex-employees with a grudge or Wikileaks-style whistleblowers - not to mention careless staff who lose laptops or memory sticks

Every organisation knows that information is one of its most valuable assets; increasingly so does anyone looking to exploit that information for their own ends, be they criminals, ex-employees with a grudge or Wikileaks-style whistleblowers - not to mention careless staff who lose laptops or memory sticks.

IT infrastructures have historically been designed to protect structured information in databases, but as unstructured data increasingly becomes the dominant format, so the security challenge for IT leaders becomes ever greater. It is no longer enough to rely on locked-down networks behind a firewall; actively managing, monitoring and protecting data, devices, applications and users - wherever they are and however they are connected - are all key aspects of a successful strategy.

At a recent Computer Weekly roundtable, in association with Oracle, IT security leaders discussed how best to protect critical information in a world of Wikileaks.


Delegates at the event highlighted the security challenge caused by growing demands from employees to use their own consumer technology devices at work.

Marcus Alldrick, senior manager, information protection and continuity at Lloyd's of London, said, "We are facing Apple mania like any other organisation. We are looking heavily at smart mobile devices and have an iPad pilot."

Data leakage through such routes is a concern, said Tim Collinson, network manager at law firm Bird & Bird, echoing other delegates.

"Mobile devices and iPads are an issue and data leakage particularly. I want to know where client data is going and how to secure it," he said.

But the IT security chiefs agreed that consumer devices are destined to become part of the workplace.

"Saying 'not allowed' is a challenge," said Andrew Yeomans, head of security engineering, international, at CommerzBank and a board member of the Jericho Forum security group.

Sometimes circumstances mean mobile devices have to be embraced.

"Telling people they have to have a specific device on the network is not always possible," said Des Powley, director, information security for Oracle in Europe.

"For example, companies that make acquisitions have to deal with these things. [Oracle acquisition] Sun Microsystems was a mixed environment. We couldn't replace every machine and had to cope with that."

Educating employees

Many security breaches can be attributed to well-meaning employees acting carelessly, but security culture differs within organisations and regulations vary worldwide and must be taken into account.

"How do you provide security if there are differences of culture and regulations?" asked Yeomans.

He said many organisations face challenges around identity and authorisation, and that doing what they have always been doing "is not the right way forward".

Alldrick added, "You can wipe remotely without destroying the device. Get employees to sign up to protection and agree to wipe particular segments of a device if it is lost. This is where awareness comes in. If you take data, you take responsibility and there are consequences," he said.

Expecting different behaviours from employees in a work and home environment is challenging, said Martyn Croft, CIO at the Salvation Army UK.

"Why is it alright to download to USB drives at home and not at work? You can't expect different behaviours when someone walks through the office door," he said.

Data leakage is a danger if outsiders come in, but sometimes sharing information is necessary.

Matt Steel, information security manager at Morgan Stanley, said, "Interns come in during the summer and they have to take information with them for their thesis. Data leakage is something they need education on."

Educating employees is less about policing and stigma and more about how to act securely, according to Guy Miller, CISO at Mace Group.

"We have teams that have a champion and they do a soft audit and get people to comply on a day-to-day basis," he said.

Rogue individuals and external threats

US soldier Bradley Manning is suspected of leaking diplomatic cables to Wikileaks, which highlighted how rogue employees whose allegiances change can undermine security as much as any external threat.

Alldrick said the growing rise in so-called "hacktivism" and denial of services attacks has made its mark, and Powley highlighted the organisational and governmental impact of Wikileaks.

"The denial of service action on MasterCard took out the payments engine for a day and a half. With eight billion transactions per year, that is €20m in one day at €1 per transaction. There is talk of silent and noisy threats - this was a noisy threat," he said.

Yeomans said that a lesson learned is that role-based access models to information need to take into account volumes of data accessed.

"Bradley Manning, like any individual, may be able to look at information, but he shouldn't have access to thousands of documents. For example, a tax inspector might have role-based access to a person's tax information, but he should not have access to thousands of tax documents," he said.

Alldrick said three lessons have come out of Wikileaks - the ability of one person to access all information; not maintaining a high level of data loss prevention; and data and incident management.

"Once information is out, it cannot be retrieved, which has an impact for managing reputational risk. There are lessons for corporations in handling PR and the need to develop a social media strategy to manage reputational risk," he said.

Reputational risk

No organisation wants their reputation dented by a security breach or to lose business or incur a fine, but as Powley said, "No CEO understands the value of information until they've lost it."

When things do go wrong, organisations are not always forthcoming.

"Confidential reporting means that people can report things that go wrong for purposes of learning from mistakes and not getting blamed," said Nigel Dickens, CISO at Cardif Pinnacle.

But it is not just about incident reporting, it's about measurement and culture.

"Being seen not to lose face is very important in some cultures and it is about how to move forward without looking bad. Sometimes you have to play policeman, but ultimately you have to enable and protect," said Alldrick.

Although the fines are not always punitive enough in cases of security breaches, reputational risk can't be quantified.

Matt Holland, CISO at the NSPCC, said, "The penalties might not be enough, but it's a compound effect - financial and reputational."

Alldrick would welcome more "collaboration and co-operation" across the industry to combat data leakage and less "sanitised information" which no-one can learn from.

Lockdown versus openness

Many organisations are embracing social networking sites, while some remain wary and differences in security attitudes prevail.

"It is important to understand the threat, but also how can an organisation facilitate business in a secure way," said Morgan Stanley's Steel.

Sean Quinn, head of UK security at BNP Paribas, said reducing data loss is about "understanding what you are trying to protect and if what you are doing is appropriate".

But what is acceptable in some cultures is not in others.

"In India some employers take devices off their employees, but if this was tried in the UK, I'd like to see employees' reactions," said Steel.

Aiming for strict lockdown is not viable in today's society when allegiances can change. As Aldrick pointed out, "Even with stringent vetting, an employee can turn rogue. Humans are fallible."


Case study: Cardif Pinnacle 


Nigel Dickens, CISO at Cardif Pinnacle, part of financial services group BNP Paribas, has overseen a new approach to security necessitated by a change in the company strategy which saw it move from 500 clients to 5,000.

"Traditionally we were a manufacturer and wholesaler of insurance protection products and did very little business to consumer activity which meant we were internally focused on service delivery," he told delegates at the roundtable.

"Delivering the sales platform directly into client sites and making business-to-business connections via an extranet and over the internet to third-party financial advisers and direct to consumers over the internet, increased the threat exposure exponentially."

Dickens had an opportunity to build a new platform to deliver the sale of products to a range of new channels - and security was a priority.

"Taking card payments meant we had to be PCI DSS compliant, how we managed user identities not in our control needed to be considered, as did data protection issues, as well as regulatory compliance."

The explosive shift in client numbers - with around 25,000 in the pipeline - means the company has significantly changed the way it operates and the technology choices had to reflect the heightened security challenge.

"We chose Oracle as a database because it has a well-known set of security features. We also had to look at security in conjunction with availability because you can't have the site falling over halfway through an insurance quote, so we increased the resilience of the operation. We have a level of security and architecture which is designed for the next 10 years," said Dickens.

"We have a high level of control over protocols and behaviours. We have an Oracle database firewall and the internal database firewall is aware of what is going on outside; it can track activity going on through the stack and prevent it if necessary."

Intense work was done on defining role-based access to the platform and Active Directory was used to help look after internal users.

"Managing large numbers of external client identities was a major challenge and we spent time working out how much it would cost and how long it would take to manage IDs internally. When we compared numbers with the federated identity management route, it was persuasive so we used tokens to manage the cost of identities for us and clients," said Dickens.

"User identity lifecycle management is a key process. Only authorised people can use the application and we accept that authorisation. When a role is changed, authorisation is removed and if employees leave, access is killed."

Read more on IT risk management