How to Protect Your Data
By Simon Williams
Protecting the information on which your business depends isn't just a matter of backing it up.
HardCopy Issue: 42 | Found In: Business, Security | Published: 01/11/2008 | Last Revision: 06/07/2010
Generating data is the easy bit – just about every application on your PC does it. From word processor documents and emails to spreadsheets and the contents of both on- and off-line databases, hard drives are forever filling with the information that business thrives on.
The trick is keeping it safe, both physically and legally, so that you can get at it whenever you need to, and be sure that it hasn’t been tampered with. That ‘whenever’ has to include when your hacked e-commerce site needs rebuilding over a weekend; when there’s a spot check by the Information Commission; or just after a fire has gutted your data centre. Could your current systems cope with such scenarios?
The Data Protection Act 1998
Most of us know about this Act but many have only a hazy knowledge of the protections it provides to individuals. If you hold more than just name and address details of people in a database, then you should know at least the basics of the DPA.
The Act says that you can’t hold data about people without being registered with the Information Commission. Well, actually, there’s a caveat even there, albeit a small one: if you’re running a small club and its members have given permission for simple data, such as names and addresses, to be held, you may not need to register.
The act contains eight principles which you have to follow if you’re storing personal data. All the data that you retain must be:
• Processed fairly and lawfully,
• Obtained and used only for specified and lawful purposes,
• Adequate, relevant and not excessive,
• Accurate and (where necessary) kept up to date,
• Kept for no longer than necessary,
• Processed in accordance with individuals’ rights,
• Kept secure,
• Transferred only to countries that offer adequate data protection.
Each of these principles has its own ramifications. For example, ‘kept for no longer than necessary’ implies that when a person opts out of a mailing list, their details should be removed from the database and not simply flagged as ‘opted out’ in case they change their mind. ‘Adequate, relevant and not excessive’ implies you could have problems if your security staff aim CCTV cameras at a couple in the park over the way and keep the video. ‘Kept secure’ means you could be liable if a member of staff posts a CD containing 25 million personal records to another organisation. ‘Transferred only to countries that offer adequate data protection’ could have implications if you’re thinking of out-sourcing.
A good place to start when assessing what the DPA means to your business is the DPA Toolkit, a free download from
The first defence in securing data is encryption, which means encoding the data so that it can’t be read without knowing the encryption key or having a heavy-duty supercomputer work for months to crack it. Encryption can be applied to any data, not just back-ups, and if it’s sensitive information then you can encrypt all instances of it. Hard disks can be encrypted but so can CDs, DVDs as well as portable flash drives or ‘memory sticks’.
The flash drive has become the floppy disk of the new decade but with a capacity so much greater that it can easily hold substantial datasets in its conveniently pocketable form. Unfortunately, this form factor also makes it very easy to lose or have stolen.
Under Windows Vista Ultimate, Vista Enterprise and Server 2008, the simplest way to encrypt data is to turn on BitLocker. This is a built-in 128-bit encryption routine which works on a drive-wide basis. Do bear in mind though that two of its three working modes require the installation of a Trusted Platform Module (TPM) chip in your PC.
If you’re not running these versions, don’t have a TPM in your computer or want more flexibility then try PGP Whole Disk Encryption or the BeCrypt range.
McAfee’s ePolicy Orchestrator, part of its Host Intrusion Prevention application, uses several dashboard-style screens to show status and settings.
The tabloids never lose interest in identity theft and there’s little doubt it’s a problem for anybody who has their details stolen. As well as being able to plunder the victim’s credit accounts, on the wider stage an identity thief may be able to use the false credentials gathered from the theft to gain access to business systems.
There’s no single strategy for preventing identity theft. Instead, you need to think of the whole gamut of personal data. There are obvious steps you can take as an individual, such as being careful with usernames and passwords, and checking that nobody’s looking over your shoulder when you’re entering a PIN or access code.
These are the kinds of precautions of which companies should remind their staff, particularly if those staff have controlled access to premises or to a VPN link. A very lucrative goal of the identity thief is the gaining of access to restricted computer systems.
On the software side, the kind of safeguards you should be considering are those you’d probably apply anyway. Most IT security staff already employ strong anti-virus and anti-spyware systems and properly-configured firewalls. These help prevent hacking exploits and guard against key loggers and other such malware getting installed on your machines.
Putting in place an access hierarchy to your data, on the familiar ‘need to know’ principle, can also limit the damage an identity thief can cause. Rather than allowing all employees to get at all levels of data, limiting access to what’s needed to get a job done reduces your exposure. You might consider keeping more sensitive data in a separate database, for example. Ensuring that users can only access data through queries, rather than having direct access to data tables, is also a good policy.
One of the key ways of obtaining a victim’s identity is the phishing exploit, where you’re encouraged to visit a bogus site and enter personal details. These attempts are getting more sophisticated, with some fraudulent emails looking very like something you might get from your bank or card issuer. Gone are the days when you could rely on the poor spelling and grammar of the phisher to identify which are the duds.
As well as standard Internet security suites, specialist packages like CA’s Host-Based Intrusion Prevention System r8 and McAfee’s Host Intrusion Prevention for Servers take a holistic view of the blended threats that these increasingly sophisticated network intruders are now using. Oracle Database Vault, which is part of the Oracle Database suite, is a useful tool for setting up a fine-grained access regime.
One of the most comprehensive methods of preventing identity theft is biometric scanning. While it’s possible to obtain and use somebody else’s password, it’s much harder to simulate a fingerprint or retina pattern. A biometric measurement can be used to control access to buildings, floors or rooms, and also to prevent use of a computer. Tied in with administration privileges, it can control the running of specific programs or the viewing of selected documents.
The simplest and still one of the most effective biometric identifications is the fingerprint as it is unique and hard to forge.
There’s been much talk of biometrics in coverage of the government’s proposed identity card scheme. Those who have passed through Heathrow recently will also be aware of the newly-introduced retinal scans used to identify travellers, but there are many different ways of uniquely identifying people.
Common biometrics already in use or being developed include fingerprints; hand geometry; the veins in the palm of the hand; the iris or retina of the eye; facial characteristics; and voice. Some of these have proved more accurate and suffer less from changes as an individual ages. Facial characteristics, for example, can be fooled more easily than an iris measurement or a hand scan.
Scanning the veins in the hand is a particularly promising biometric. It reads the pattern of the veins as seen under the skin with infra red light, so it’s not easy to forge and there need be no physical contact between the scanner and the hand. Simply waving the hand over the scanner should be enough to verify the identity of its owner.
If you want fingerprint identification then digitalPersona can tie together all the fingerprint readers on the laptops or keyboards in your organisation and centralise control. It can tie fingerprint biometrics to individual actions, as well as to specific machines.
Maintaining an audit
Auditing your data, which means keeping a record of who did what when, is essential for any business. The reasons, including increasing demands from legislation, should be obvious. If you suffer a hacking or malware attack, you need to be able to backtrack through the changes made to your data, so you can reconstitute it to the way it was before the attack.
Maintaining a good audit path may help track down the culprit, too, by revealing where and when the log-in was made and whose identity was used. Even if the legitimate owner of the identity isn’t the attacker, this information can provide good leads and narrow down the field of suspects.
Keeping an audit isn’t the same as taking a backup, because a backup is ‘reason ignorant’. A backup stores the data as it was at a specified time, but it has no concept of why changes have been made – it doesn’t differentiate between changes made through a legitimate customer order, for example, and those made through a fraudulent attack on the data.
There are a number of principles that need to be applied when instituting a data audit regime:
• Keep the personnel separate – the people who run the data audit should not be those who manage the database.
• Keep the software separate – the software handling the audit must be read only and separate from the data management software, so that glitches in one won’t affect the other.
• Ensure that your audit system can grow – as a business develops, the dataset grows, so make sure the audit system has the space to grow as well.
• Make it flexible – audit requirements may well change over time, so the audit system needs to change too.
• Secure the auditing platform itself – an audit is only useful if you can rely on what it says, so make sure it can’t be hacked.
• Identify normal usage – you can’t tell what’s abnormal usage of your data until you know what’s normal.
• Back up and archive – which means backing up the audit as well as backing up the data it’s working on.
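To make the difference between a ‘reason ignorant’ backup and an audit concrete, and to show what ‘secure the auditing platform itself’ can mean in software, here is an added example that is not from the article or from any of the products it names. Each audit entry records who did what, when, to which record and for what stated reason, and carries a SHA-256 hash of the entry before it; altering or deleting an entry after the fact breaks the chain, so the verifier can tell you exactly where the record stopped being trustworthy. The entries, user names and ticket reference are constructed for the illustration.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # stands in for the 'previous hash' of the very first entry


def entry_digest(entry):
    """SHA-256 over every field except the entry's own hash, in a canonical encoding."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditTrail:
    """Append-only log of who did what, when, to which record, and why.

    Each entry carries the hash of its predecessor, so no entry can be altered
    or removed afterwards without breaking every hash that follows it.
    """

    def __init__(self):
        self.entries = []

    def record(self, when, who, action, target, reason):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"seq": len(self.entries), "when": when, "who": who,
                 "action": action, "target": target, "reason": reason, "prev": prev}
        entry["hash"] = entry_digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    def history_of(self, target):
        """Backtrack every change to one record, in order, with its stated reason."""
        return [(e["when"], e["who"], e["action"], e["reason"])
                for e in self.entries if e["target"] == target]


def verify(entries):
    """None if the chain is intact, else the position of the first entry that fails."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["seq"] != i or e["prev"] != prev or e["hash"] != entry_digest(e):
            return i
        prev = e["hash"]
    return None


def sample_trail():
    """Constructed entries (not real data): one customer record over one day."""
    trail = AuditTrail()
    trail.record("2008-10-01T09:02:00Z", "alice", "UPDATE", "customer:1042",
                 "customer phoned with new address, ticket 7731")
    trail.record("2008-10-01T13:45:10Z", "order-system", "INSERT", "order:55901",
                 "web order placed by customer 1042")
    trail.record("2008-10-01T23:17:52Z", "bob", "UPDATE", "customer:1042",
                 "no ticket reference given")
    return trail


def edited_copy(trail, seq, **changes):
    """Copy the log with one entry quietly rewritten, to show the verifier catching it."""
    entries = copy.deepcopy(trail.entries)
    entries[seq].update(changes)
    return entries


if __name__ == "__main__":
    trail = sample_trail()
    print("intact:", verify(trail.entries))                     # None
    print("changes to customer 1042:", trail.history_of("customer:1042"))
    print("after editing entry 2:", verify(edited_copy(trail, 2, who="alice")))  # 2
```

In keeping with the principles above, the writer of this log and its verifier should run on separate, read-only infrastructure, and the log itself belongs in the backup set: a chain you can verify is worth nothing if the only copy burned with the data centre.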
Among the many tools available on the market for auditing data trails are OmniAudit from Krell which audits SQL data structures and DB Audit from Soft Tree Technologies. Oracle Audit Vault and Total Recall provide good audit paths while Microsoft’s SQL Server has provided data auditing up to C2 level security since version 2000.
The most obvious way of protecting data is to make a copy of it. As Kay Ewbank described in ‘Understanding backup’ (Hard Copy issue 41), this can be done in a number of ways, on a variety of media and with different levels of security. Security doesn’t just mean encryption as no amount of encoding is going to protect data if the tape or disk is destroyed in a fire.
Physical as well as digital security is part of the process of keeping data secure. The use of generational backup regimes, with child, parent and grandparent copies of data taken at different times, helps guard against data corruption feeding from live data to backup, but you should also consider keeping the copies in different locations.
In the simplest scenario, suitable for smaller organisations, you could simply take a backup tape or disk to a different location, even taking it home with you each night, as long as the data is encrypted. A safer way is to use offline storage, where the archive is copied to a specialist Internet resource physically remote from your premises. You’ve obviously got to trust the storage company with your data and pay them for the storage space, but it removes the possibility of leaving it on the train.
If a backup is going to be compressed to save space in archival storage, don’t encrypt the data until after it has been compressed. Most compression algorithms rely on the repeat patterns of characters in a dataset to achieve the reduction in file length and encryption will remove all these patterns from your data, so encrypted files will compress far less than unencrypted ones.
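The effect is easy to measure. The following added example, written for this article rather than taken from it or from any backup product, archives the same constructed dataset both ways and reports the resulting size as a fraction of the original. The cipher here is a keyed XOR stream generated with HMAC-SHA256 in counter mode, chosen only so the example runs on the standard library; it stands in for the AES a real backup tool would use, and the key and dataset are constructed.

```python
import hashlib
import hmac
import os
import zlib


def keystream(key, nbytes):
    """Pseudo-random keystream from HMAC-SHA256 in counter mode.

    A stand-in so the example needs only the standard library; a real archive
    tool would use AES from a vetted library, not a home-made construction.
    """
    out = bytearray()
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:nbytes])


def encrypt(key, data):
    """XOR the data with the keystream; the same operation decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


decrypt = encrypt


def compress_then_encrypt(key, data):
    return encrypt(key, zlib.compress(data, 9))


def encrypt_then_compress(key, data):
    return zlib.compress(encrypt(key, data), 9)


def restore(key, archived):
    """Undo compress_then_encrypt: decrypt first, then decompress."""
    return zlib.decompress(decrypt(key, archived))


def sample_dataset():
    """Constructed CSV-style export with the repetition typical of business data."""
    rows = (f"{i},Customer {i % 50},customer{i % 50}@example.com,Active\n" for i in range(2000))
    return "".join(rows).encode()


def compare_orders(key, data):
    """Archive size for each ordering, as a fraction of the original size."""
    return {
        "original_bytes": len(data),
        "compress_then_encrypt": len(compress_then_encrypt(key, data)) / len(data),
        "encrypt_then_compress": len(encrypt_then_compress(key, data)) / len(data),
    }


if __name__ == "__main__":
    key = os.urandom(32)
    data = sample_dataset()
    for name, value in compare_orders(key, data).items():
        print(f"{name:>22}: {value:.3f}" if isinstance(value, float) else f"{name:>22}: {value}")
    assert restore(key, compress_then_encrypt(key, data)) == data
```

Compressing first shrinks the export to a small fraction of its size; encrypting first leaves a stream with no repeated patterns, and the compressor hands back something slightly larger than it was given. Note that the restore path must reverse the order exactly: decrypt, then decompress.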
There are numerous backup applications available including Veritas NetBackup from Symantec, Computer Associates’ ARCserve Backup and True Image Echo from Acronis. Oracle and Microsoft again have their own solutions. Oracle’s is called, somewhat obviously, Oracle Secure Backup while for Microsoft SQL Server 2008 users, a dedicated backup module is included in the package.
When archiving large data structures, it's important they're not easily read, so encryption should be a standard practice. Secure backup is part of Oracle's solution.
Heuristic behaviour tracking
This rather techie title simply means monitoring the way data in a database is normally used so that you can spot any unusual usage which might indicate problems. Once the monitoring software has built up a model of how the data is normally used it can then analyse unusual activity and determine whether it’s just out-of-the-ordinary or potentially dangerous.
This kind of tracking is used in a number of different software genres. It’s probably best known in anti-virus applications, where it’s used to spot unusual behaviour caused by a new virus which hasn’t yet been added to the database of known viruses. Although it doesn’t take long, in the order of a few hours, to identify and characterise a new virus, it can spread quite rapidly and do a lot of damage in that time.
Heuristics in AV programs are designed to spot the unusual behaviour caused by a virus, typically copying itself to different places on a PC or sending harvested data off the system. It can then take measures to prevent these things happening and alert IT staff to the danger.
To be useful, heuristic tracking has to be smart enough not to be fooled by unusual but still legitimate behaviour in a dataset, or it will generate false positives and have staff looking for problems that aren’t there. The best heuristic algorithms, as used in the AV programs of the main suppliers, are pretty reliable and help catch new virus releases without flagging up legitimate database access.
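A minimal version of this approach for database access, added here as an illustration rather than taken from the article or from any monitoring product, looks like the following. It builds a model of ‘normal’ from a few days of constructed access-log lines (rows read per user per hour), then scores a new day against that model. Two rules keep the false positives down: an hour is flagged only when it is both statistically far from the user’s usual volume and large in absolute terms, so a clerk having a slightly busier morning is not reported while an account pulling tens of thousands of rows at two in the morning is. The log format, user names and thresholds are all assumptions made for the example.

```python
import re
import statistics
from collections import defaultdict

# One record per query, in a constructed format an access log might use.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) user=(?P<user>\S+) "
    r"action=(?P<action>\S+) table=(?P<table>\S+) rows=(?P<rows>\d+)$"
)

# Constructed baseline: three ordinary working days for two staff accounts.
BASELINE_LOG = [
    f"2008-10-{day:02d}T{hour:02d}:15:00Z user={user} action=SELECT "
    f"table=customers rows={base + 5 * day + hour}"
    for day in (1, 2, 3)
    for hour in (9, 11, 14, 16)
    for user, base in (("alice", 120), ("bob", 90))
]

# Constructed day under observation.
NEW_DAY_LOG = [
    "2008-10-06T09:15:00Z user=alice action=SELECT table=customers rows=160",
    "2008-10-06T02:07:31Z user=bob action=SELECT table=customers rows=24000",
    "2008-10-06T02:08:02Z user=bob action=SELECT table=customers rows=1500",
    "2008-10-06T10:00:00Z malformed line that the monitor must not choke on",
]


def parse_log(lines):
    records = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:  # skip anything that doesn't fit the format rather than crash the monitor
            records.append({"hour": m["ts"][:13], "user": m["user"], "rows": int(m["rows"])})
    return records


def hourly_totals(records):
    """Rows read per (user, hour): the unit of behaviour being modelled."""
    totals = defaultdict(int)
    for r in records:
        totals[(r["user"], r["hour"])] += r["rows"]
    return totals


def build_baseline(records):
    """Per-user mean, standard deviation and peak of rows read per active hour."""
    samples = defaultdict(list)
    for (user, _hour), rows in hourly_totals(records).items():
        samples[user].append(rows)
    return {u: (statistics.fmean(s), statistics.pstdev(s), max(s)) for u, s in samples.items()}


def detect_anomalies(baseline, records, k=3.0, floor=1000):
    """Flag (user, hour) totals that are both statistically unusual and large.

    The z-score alone would flag a clerk reading 160 rows instead of 140; the
    absolute floor keeps that routine variation out of the alert queue.
    """
    alerts = []
    for (user, hour), rows in sorted(hourly_totals(records).items()):
        if user not in baseline:
            alerts.append((user, hour, rows, "no baseline for this account"))
            continue
        mean, sd, peak = baseline[user]
        z = (rows - mean) / sd if sd > 0 else (float("inf") if rows > mean else 0.0)
        if rows >= floor and z > k:
            alerts.append((user, hour, rows,
                           f"{rows} rows vs usual {mean:.0f} per hour (z={z:.1f}, previous peak {peak})"))
    return alerts


if __name__ == "__main__":
    baseline = build_baseline(parse_log(BASELINE_LOG))
    for alert in detect_anomalies(baseline, parse_log(NEW_DAY_LOG)):
        print(alert)
```

Run as written, the only alert is bob’s 02:00 hour. Alice’s 160 rows are actually more than three standard deviations above her baseline, but fall below the absolute floor, which is exactly the ‘unusual but legitimate’ case the text warns about. In practice the baseline should also be keyed by time of day and rebuilt regularly, since what counts as normal changes as the business does.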