Chains and their "weakest links" are used all the time in metaphor. But I realized this metaphor was wrong after seeing an odd "chain of locks" securing a no-vehicle gate last week near the GGNRA in Marin.
The only practical reason I could imagine for using this chain of locks is that a large number of people all need to be able to open the gate (e.g., park staff, firefighters, police). Instead of having one lock and sharing copies of the key, someone decided to give each party a lock and key. By chaining them together, any opened lock allows the gate to be opened.
I'm still not sure why they would choose this approach (if any reader is familiar with this construct, please tell me!)
With personal information, we may not share a "master key" with many people, but we offer a lot of locks and keys to a lot of different parties. Any one of them can leave us wide open. Like last week, when Administaff -- a huge co-employment organization that my employer uses -- announced ... (drumroll) ... a laptop was stolen with personal info, including SSNs, for everyone on every payroll they processed in 2006 (approximately 159,000 people total).
With friends like this ... you know the rest.
There's a wonderful FAQ on the theft, where Administaff explains that it's not the organization's fault: "the information was not saved in an encrypted location, which is a clear violation of our company’s policies." In other words, they're blaming the employee for violating the company policy.
I don't buy it.
Yes, I believe there's a company policy somewhere that says not to copy the entire human resources database onto your laptop in plain text.
But I don't believe Administaff made reasonable efforts to see that this policy would be carried out.
I suspect there were at least three distinct failures:
Failure #1: The employee whose laptop was stolen was tasked with an activity for which the easiest workflow involved loading the entire database onto his or her laptop. How do I know this? Most workers do not take the hardest route to doing their job. They take the easiest one they can.
In this case, someone took the easiest route even though it meant violating a policy (that he most likely never took note of anyway). When Administaff management allows the easiest workflow to be one with this much security exposure, they share the blame. If they don't know what workflows are being used for Social Security data, then they are failing at a bigger level, namely not auditing sensitive processes in their own identity-theft-prone line of business.
Failure #2: At best, the server system which "owns" the stolen data allowed this employee to produce a report containing critical data for a very large number of records. (At worst, this data is not stored in any controlled application at all, but rather in something like Access, FoxPro, or Excel. While I know this is a real possibility, it's such a revolting idea that I will ignore it for now.) Assuming this application has a user/role model, why would this user have such a reporting privilege?
Even if the application is designed to support some "work offline" workflow, so a that network connection is not required to access each record, this can be accomplished without any mass download of records. A modest number of records could be downloaded and cached for an offline work session, and synched back later. The record cache would, of course, be secured with a passphrase and/or other elements.
My point here is that there's no way the employee accessed and then copied/saved each of 160,000 records, one at a time. The application had to help, making it easy to do some operation on "all" or on a large set of records (birthdate in a specific year, last name starting with a certain letter, etc.) Awful idea. Administaff is leaving the door wide open, no surprise that the employee stumbles on through.
Failure #3: How long was this data on the laptop before the laptop was stolen? At one large financial institution, any computer connected to the network -- whether on site or via VPN, virtual machine or real -- was subject to regular scanning from the mother ship. The security group would check all of these machines not only for vulnerabilities (viruses, vulnerable services), but also for content. Were they after pr0n? Not so much. They wanted to find out if any disproportionate amount of their data ended up on any of your machines.
If, say, they found a file that looked like a bunch of credit-card numbers, you'd have some explaining to do. While this approach would not stop a clever data thief (who would employ steganography or removable drives), it would do a great job at stopping any accidental hoarding of customer data. In fact, it would do a great job at stopping this pervasive stolen-laptop-stolen-data problem.
Apparently Administaff really cares about this stuff. Surely enough to spend the half-hour thinking about it that I did when I wrote this post. Just not enough to actually do anything.
Subscribe to:
Post Comments (Atom)
4 comments:
I suspect that the multi-lock chain allows various services to each have their own single-key-multiple-lock setup for similar gates all over the place, without requiring all services to use the same key.
In other words, I think that each of those locks is keyed the same as a bunch of locks elsewhere, so that a particular set of individuals can carry one key and open any lock to anywhere they're authorized to go.
That's just a guess, though, and considering that I've never seen anything like that before either, it's probably wrong. :)
Bruce Schneier covered this back in 2004 for the Hollywood sign...
http://www.schneier.com/blog/archives/2004/12/physical_access.html
To be fair of course in the data theft case Windows makes it extremely tricky to do full-disk encryption natively except in Vista. You can buy a whole disk encryption package, and the US-GOV is going this for a bunch of things, but it takes time to roll it out.
Yes, this is a breakdown in controls and security, and really sucks. Its hard to know ow many business processes they may have been in the process of fixing over the last N-months to try and get this all working, and then had a laptop go missing. The point being that even if they were trying to fix things crap can still happen...
One way to fix this of course is data minimization, not ever having the data in question, not allowing it off servers in their datacenter, etc. All things they could and should have been doing...
You will require a finances trainer that could retain all your necessary items such suits for women as money along with bank cards. You need to have this to High Heels shoes aid wait your very own in the fantastic situation regarding favour.
Post a Comment