This blog is part of a series of blog posts describing how to properly assess your data security needs. This installment picks up from where we left off last time, when we looked at Designing Protection, and addresses the approaches to take when designing your data security around either cost or your business's needs.
Complex problems must often be approached from multiple angles simultaneously. Even if you pick one design approach over the other, it is likely that another reader's situation will lead them to pick the other approach. There isn't a 'correct' one for everyone. Personally I do both.
Starting with cost
To balance cost with protection you might prioritize like this:
1. What are the easiest, least expensive, least intrusive protections to implement? I want to implement these even if they don't show a direct impact on my most critical issues, because every vulnerability is a chink that can be used as a lever against the other protections I put into place. I don't want to invalidate my more expensive protections by leaving open something that's easy to close.
2. What more expensive, intrusive or harder-to-implement protections give me the most useful coverage? Tools and processes that impact my pocket or the productivity of my staff or users need to be weighed against the business impact being mitigated and against any new holes created by the process or procedure. You should list the types of loss a given tool provides protection against, not only so you can weigh its cost against the benefits but so you can refer back to this list when considering another tool. People often forget, after implementing a tool or procedure, what considerations went into its selection. When they replace the tool or procedure, gaps open up.
3. What gaps still remain? Can any be closed cost-effectively? Are they worth the trouble to close? This is one of the most neglected parts of a business security process. You need to keep a list of the vulnerabilities that you know still remain. The items on this list represent your most important business decisions: choosing not to cover these holes! This gives you a starting point when you periodically re-assess the completeness of your security. As time goes by, new threats emerge and new mitigation technologies become available. Prioritizing this list will help you evaluate new tools or enhancements to tools you already use.
Starting with needs
From the perspective of 'how can I ensure that my most critical vulnerabilities are being protected', you will more likely start with considerations specific to the types of loss that would hurt the most.
1. If secrecy is the most important:
Multiple barriers to reaching the data are very important; however, one of the most common barriers people implement is encryption. Some think this limits a breach to the breakability of the encryption scheme or the effectiveness of the key protections, but this view ignores sniffing, memory scraping and other mechanisms for intercepting the data while it is unencrypted. Data that is never decrypted is either useless or not really encrypted. Additionally, if you don't know who is 'actually' accessing your data and what data they are accessing, you could be oblivious to the scope of a breach if you discover that an authorized mechanism has been subverted.
Because encryption makes searching the data difficult, an alternate design pattern might be to store your confidential data in a schema for which no users have read access, not even the DBA. Only signed stored procedures are given access to read or update data in the schema. Control of the signing process can double as part of dual control for changes that might otherwise provide loopholes for accessing the data. The procedures can implement virtually any restrictions you want. A separate audit system would be needed to ensure no one attempts to grant undesired additional access. Beyond that, transparent data encryption can simultaneously protect the database's disk files and any backups from clear-text reads. Connection encryption can be enforced for the instance, the database or just the procedures that access the confidential data, by denying access to sensitive data when the request originates from an unencrypted endpoint.
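One way to lay out the "nobody reads the schema, only signed procedures do" pattern in SQL Server (T-SQL), as an added example that is not part of the original post; the schema, table, certificate, user and app_user names are assumptions. It also records who actually read what, which the secrecy point above calls out.

```sql
-- Added example (not from the post). Assumed names throughout.
-- 1. Give the Confidential schema its own loginless owner. If dbo owned both
--    the schema and the procedure, ownership chaining would let callers of
--    the procedure read the table with no signature check at all.
CREATE USER ConfidentialOwner WITHOUT LOGIN;
GO
CREATE SCHEMA Confidential AUTHORIZATION ConfidentialOwner;
GO
-- Nothing on the schema is granted to any user or role. Only db_owner and
-- sysadmin bypass that, so membership of those roles has to be watched.
CREATE TABLE Confidential.Client
    (ClientId INT PRIMARY KEY, Ssn CHAR(11) NOT NULL);
CREATE TABLE Confidential.AccessLog
    (LoginName SYSNAME, ClientId INT, ReadAt DATETIME2 DEFAULT SYSUTCDATETIME());
GO
-- 2. Certificate whose password stays with the release signer, plus a user
--    mapped to it (no login, cannot connect) that carries the access rights.
CREATE CERTIFICATE ProcSigningCert
    ENCRYPTION BY PASSWORD = '<signing-password-placeholder>'
    WITH SUBJECT = 'Signs procedures allowed into Confidential';
CREATE USER ProcSigningUser FROM CERTIFICATE ProcSigningCert;
GRANT SELECT ON SCHEMA::Confidential TO ProcSigningUser;
GRANT INSERT ON Confidential.AccessLog TO ProcSigningUser;
GO
-- 3. The only path to the data: one client per call, and every read is
--    logged under ORIGINAL_LOGIN() so impersonation does not hide the reader.
--    (A connection-encryption check via sys.dm_exec_connections is left out:
--    it needs VIEW SERVER STATE, i.e. a second certificate login in master.)
CREATE PROCEDURE dbo.GetClientSsn @ClientId INT
AS
BEGIN
    INSERT INTO Confidential.AccessLog (LoginName, ClientId)
        VALUES (ORIGINAL_LOGIN(), @ClientId);
    SELECT Ssn FROM Confidential.Client WHERE ClientId = @ClientId;
END;
GO
-- 4. Sign it. ALTER PROCEDURE drops the signature, so any change must go
--    back through whoever holds the signing password: dual control.
ADD SIGNATURE TO dbo.GetClientSsn BY CERTIFICATE ProcSigningCert
    WITH PASSWORD = '<signing-password-placeholder>';
GRANT EXECUTE ON dbo.GetClientSsn TO app_user;
GO
-- 5. Check: which procedures currently carry a certificate signature?
SELECT OBJECT_NAME(cp.major_id) AS procedure_name, c.name AS certificate_name
FROM sys.crypt_properties AS cp
JOIN sys.certificates AS c ON c.thumbprint = cp.thumbprint
WHERE cp.class_desc = 'OBJECT_OR_COLUMN'
  AND cp.crypt_type_desc = 'SIGNATURE BY CERTIFICATE';
```

Run the final query after every deployment: a procedure that has disappeared from its result was altered without being re-signed, and its callers have lost access to the schema until it is.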
2. If protection against unauthorized alterations is most important:
Barriers to reaching the data are, perhaps, more important here than in the secrecy scenario because, believe it or not, simply encrypting the data doesn't necessarily protect it from alteration. Encrypted data, without other protections, can sometimes be predictably modified without ever knowing the key. Mechanisms for detecting unauthorized change attempts are also important here, because failed attempts will eventually succeed if allowed to continue.
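The "separate audit system" called for under secrecy and the detection of unauthorized change attempts called for here can both be served by one SQL Server Audit; this is an added example, not from the post, and the audit, specification, schema and database names and the file path are assumptions.

```sql
-- Added example (not from the post). Assumed names and placeholder paths.
USE master;
GO
-- Server-level audit writing to a file share the DBA cannot purge.
-- FAIL_OPERATION: if the audit cannot write, the audited statement fails.
CREATE SERVER AUDIT ConfidentialAudit
    TO FILE (FILEPATH = '<audit-share-path-placeholder>')
    WITH (ON_FAILURE = FAIL_OPERATION);
ALTER SERVER AUDIT ConfidentialAudit WITH (STATE = ON);
GO
USE <database-name-placeholder>;
GO
-- Record every write attempt against the schema (succeeded or not), every
-- permission or role-membership change, and any change to the audit itself.
CREATE DATABASE AUDIT SPECIFICATION ConfidentialChanges
    FOR SERVER AUDIT ConfidentialAudit
    ADD (INSERT, UPDATE, DELETE ON SCHEMA::Confidential BY public),
    ADD (DATABASE_PERMISSION_CHANGE_GROUP),
    ADD (SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP),
    ADD (DATABASE_ROLE_MEMBER_CHANGE_GROUP),
    ADD (AUDIT_CHANGE_GROUP)
    WITH (STATE = ON);
GO
-- Review query: denied writes to Confidential (repeated failures are the
-- "will eventually succeed" signal) plus every GRANT / DENY / REVOKE.
SELECT event_time, succeeded, server_principal_name, object_name, statement
FROM sys.fn_get_audit_file('<audit-share-path-placeholder>\*.sqlaudit',
                           DEFAULT, DEFAULT)
WHERE (succeeded = 0 AND schema_name = 'Confidential')
   OR action_id IN ('G', 'D', 'R')
ORDER BY event_time DESC;
```

Keeping the audit file on storage that database administrators cannot write to is what makes it "separate"; inside the database, anyone holding ALTER ANY DATABASE AUDIT could otherwise switch the specification off, and AUDIT_CHANGE_GROUP is there so that at least that act is recorded.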
3. If protection from catastrophic loss is most important:
While malicious alteration can include deleting your data, this point is different in that it applies even if you don't care whether anyone reads the data and nobody has any reason to try to alter or delete it. You 'need' it.
There are more pitfalls than just having some disaster take out your computer and the backups piled on the shelf next to it. The technology can be important too. I've got a shelf full of backups. Usually when I buy a new machine I 'clean up' by only transferring the stuff I really need onto the new computer. If I find I need something more later, I've got my backups, right? But backups can go bad over time, and sometimes the software you used to create the backups doesn't run on your new machine, or stops working after you install the first service pack, or the hardware used to create them won't connect to the new machine. This may not occur to you when you decide to get rid of the old machine that's been in the corner collecting dust for two or three years.