Data Protection Part 2: What About Unauthorized Data Access?
In part 1, we explored the physical loss of data, meaning the data is no longer available in usable form to anyone. There’s another, perhaps more significant threat to your data protection efforts: someone gaining access to sensitive information, often referred to as a data breach. An argument could be made that in some cases it is better to have lost data than to have data become available to unauthorized individuals. For example, when it comes to personal photos, would you prefer nobody sees them again or everyone sees them?
Data breaches didn’t start with the digital age. In my blog on Wireless Location Based Services (WLBS), I explained that I started my career working for the U.S. Navy. We had very specific rules for handling classified documents (and penalties for mishandling them). Not all documents were handled the same. We had file cabinets with different levels of security (weight, strength, lock) for different document classifications. The idea was that the more valuable the information, the harder it should be to gain access to the documents. At one facility the windows were replaced with glass block to prevent someone outside the facility from reading documents on our desks. Watergate is an example of a high-profile data breach long before the digital age.
Not all unauthorized data access comes from outside an organization. At one point in my career, someone left a document on the printer that contained specific employee compensation information. The information didn’t leave the company, but it still caused significant problems for HR.
Frederick Wilfrid Lancaster proposed that computers would create a paperless society. I’d argue that computers made it more efficient to generate paper, but with the advent of better user interfaces and a generation that didn’t grow up dependent on paper, maybe he’ll be correct. The information age, however, has changed the threat profile for data breaches. The challenge is the same: keep people from gaining access to the information. Security guards, identity badges, and locks provided the primary security mechanisms for physical document protection. There are many movies about spies duplicating badges, picking locks, and using cameras that looked like ball-point pens or lighters to photograph documents. But you never see a spy photographing the entire contents of a file cabinet (stealing the cabinet would require a forklift and draw too much attention).
Now the thieves don’t have to go to the facility. They gain access to your data via your network, and often you don’t find out they had access until long after they’re gone. The big difference is that the thief can make a copy of the entire file cabinet or database. Stealing credit card information is not new. Some unscrupulous salespeople have always copied down credit card numbers and gone on shopping sprees. The difference is scale. A salesperson or bartender might get a handful of numbers at a time, but hackers get millions.
In the paper world, incursions were addressed by defense-in-depth tactics. When I entered the Navy base, my ID was checked at the outer gate, granting me access to certain areas on the base. As I got closer to the pier, my ID would be checked again to ensure I was authorized to access the ship area. My ID would be checked when I got to my office building, again to verify that I should be there. At this point I still didn’t have access to any sensitive information. To gain access to documents, I had to know the combination to the safe. So up to this point, security was focused on identifying who had the privilege to present the combination to the safe. Similar tactics are deployed in the digital world today. User names, passwords, and access control lists (ACLs) are common methods for identification, authentication, and authorization, respectively. Avaya’s Identity Engines provide a powerful portfolio of tools for managing user and device access to your network.
Layers of access control are great as long as data is placed behind the proper level of security and there isn’t a way to sneak between layers. If someone had placed sensitive information just inside the outer gate of the base, then anyone who gained access to the base would have had access to the information. Europol terror data was compromised because someone made a copy on an unprotected device exposed to the Internet; this defeated all other security measures. As another example, think about the difference between web content posted for customers on the public website vs content posted on the internal sales portal. Some information is available to everyone and is posted on the sales portal for convenience (e.g., spec sheets). However, there is information that is made available to partners that shouldn’t be available to customers (or the competition) such as pricing, sales presentations, or competitive positioning.
Poke around many company public websites and you’ll find information you aren’t supposed to see. Often, the documents will even be labeled with “internal use only.” IT can deploy Identity Engines or similar solutions to the best of their ability, but if the rest of the organization fails to pay attention to information security, data will be leaked.
Nobody is perfect, and neither is any system. Occasionally cracks are exposed in data security. Hackers are very persistent and will keep poking around until they find a weak spot. Because of the flat architecture and complexity of many modern networks, once a hacker gains a foothold, they can often move laterally to the rest of the network. The intruder can use scanning tools to easily discover the network topology and then determine where to gain access to valuable information.
The Navy doesn’t allow everyone to roam around the base just because they gain access through the perimeter gate. You don’t want people to roam around your network just because they found a weak entry point. Suppose a spy with forged credentials shows up at the gate in a food service truck. Food security isn’t a high concern, so security checks on the credentials are minimal. If the base is wide open, the spy could drive the truck anywhere. However, interior checks prevent the food service truck from access to sensitive areas such as the munitions warehouse.
Network segmentation with Avaya SDN Fx Architecture provides similar protections. The fabric is built on Shortest Path Bridging (SPB), and traffic is carried in Virtual Service Networks (VSNs). A VSN is similar to a VLAN, except that a VSN is totally isolated from all other segments unless it is specifically authorized to reach another segment (for example, through an L3 route). If the Navy could implement a VSN concept for vehicular traffic, the food truck spy would be assigned to a virtual road that only went to buildings that served food. The spy wouldn’t be aware of any other road, wouldn’t see any other buildings, and wouldn’t have any idea how to get to the munitions building. In fact, there wouldn’t even be any indication that a munitions building existed.
Further, suppose there’s a celebration being held at the ball field on base. The celebration has a temporary kitchen set up that requires a food delivery. A virtual road could be set up to allow food service trucks to get to the ball field. As soon as the event concludes, the virtual road is retracted, eliminating food service truck access to the ball field.
To explain more about this approach, Jean Turgeon, Vice President and Chief Technologist for SDN at Avaya, has a three-part blog series on the security benefits of end-to-end network segmentation.
- Hyper-Segmentation: The ability to create stealth segments that span the entire network.
- Native Stealth: The characteristics of a hyper-segment that’s invisible to hackers.
- Automatic Elasticity: Extending and retracting hyper-segment access automatically.
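The three properties listed above (isolated segments, nothing visible outside them, and grants that appear and disappear on a schedule) can be captured as a policy model. The following Python is an added illustration written for this post; it is not Avaya code and it is not SPB or VSN configuration. It contrasts a routed-VLAN model, where any segment can reach any other unless a rule denies it, with a VSN-style model, where inter-segment traffic is dropped unless a grant explicitly allows it. The segment names (food-service, galley, munitions, ballfield), the hosts, and the clock values are constructed for the food-truck scenario in the text.

```python
"""Toy model of segmentation policy: routed VLANs (default allow between
segments) versus isolated VSN-style segments (default deny), with
time-bounded grants to model elastic access.

Added illustration; segment names, hosts and clock values are constructed
for the example and are not taken from any real network or vendor syntax.
"""


class Fabric:
    def __init__(self, default_allow):
        # default_allow=True  -> routed-VLAN model: inter-segment traffic
        #                        flows unless a deny rule exists
        # default_allow=False -> VSN model: inter-segment traffic is dropped
        #                        unless an explicit grant exists
        self.default_allow = default_allow
        self.segments = {}   # segment name -> set of attached hosts
        self.rules = {}      # (src_seg, dst_seg) -> (allow, valid_until)

    def add_segment(self, name, hosts):
        self.segments[name] = set(hosts)

    def segment_of(self, host):
        for name, hosts in self.segments.items():
            if host in hosts:
                return name
        raise KeyError(f"unknown host {host!r}")

    def authorize(self, src, dst, until=None):
        """Explicit grant from src to dst; until=None is permanent,
        otherwise the grant is valid through clock value 'until'."""
        self.rules[(src, dst)] = (True, until)

    def deny(self, src, dst):
        self.rules[(src, dst)] = (False, None)

    def revoke(self, src, dst):
        """Retract a grant: the 'virtual road' disappears."""
        self.rules.pop((src, dst), None)

    def expire(self, now):
        """Automatic elasticity: drop grants whose window has closed."""
        for key, (allow, until) in list(self.rules.items()):
            if allow and until is not None and now > until:
                del self.rules[key]

    def can_reach(self, src_host, dst_host, now=0):
        src, dst = self.segment_of(src_host), self.segment_of(dst_host)
        if src == dst:
            return True
        rule = self.rules.get((src, dst))
        if rule is None:
            return self.default_allow
        allow, until = rule
        return allow and (until is None or now <= until)

    def visible_segments(self, host, now=0):
        """Segments a host can discover at all. In the VSN model that is
        only its own segment plus authorized destinations (stealth); in
        the routed-VLAN model every segment is discoverable by default."""
        me = self.segment_of(host)
        return sorted(
            seg for seg, hosts in self.segments.items()
            if seg == me or self.can_reach(host, next(iter(hosts)), now)
        )


def build_base(default_allow):
    """Constructed scenario: the food truck is only meant to reach the galley."""
    f = Fabric(default_allow)
    f.add_segment("food-service", {"food-truck"})
    f.add_segment("galley", {"galley-kitchen"})
    f.add_segment("munitions", {"munitions-inventory"})
    f.add_segment("ballfield", {"event-kitchen"})
    f.authorize("food-service", "galley")   # permanent virtual road
    return f


def scenario():
    """Run the food-truck scenario on both models and report reachability."""
    vlan = build_base(default_allow=True)
    vsn = build_base(default_allow=False)
    # Temporary virtual road to the ballfield event, valid through t=20.
    vsn.authorize("food-service", "ballfield", until=20)
    result = {
        "vlan_truck_reaches_munitions": vlan.can_reach("food-truck", "munitions-inventory"),
        "vsn_truck_reaches_munitions": vsn.can_reach("food-truck", "munitions-inventory"),
        "vsn_truck_reaches_galley": vsn.can_reach("food-truck", "galley-kitchen"),
        "vsn_truck_reaches_event_during": vsn.can_reach("food-truck", "event-kitchen", now=15),
        "vsn_truck_reaches_event_after": vsn.can_reach("food-truck", "event-kitchen", now=25),
        "vlan_visible": vlan.visible_segments("food-truck"),
        "vsn_visible_during": vsn.visible_segments("food-truck", now=15),
        "vsn_visible_after": vsn.visible_segments("food-truck", now=25),
    }
    vsn.expire(now=25)                      # the event is over; retract the road
    result["vsn_rules_after_expire"] = sorted(vsn.rules)
    return result


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The point of the contrast is in `can_reach` when no rule matches: the VLAN model falls through to allow, so the truck that was admitted for the galley can also drive to munitions, while the VSN model falls through to deny and `visible_segments` never even lists munitions. The ballfield grant shows elasticity: it is honoured at t=15, refused at t=25, and `expire` removes it from the table entirely.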
Jean Turgeon mentions the 2013 data breach at Target. The attackers got in using network credentials stolen from Target’s HVAC vendor and then moved laterally until they reached the payment card (PCI) environment. If Target had implemented hyper-segmentation, the worst the hackers could have done was change the ambient environment, hardly an event that would have made headlines around the world or blog topics three years later.
In part 3 of this series, we’ll explore the role of data encryption in preventing data loss.