Maintaining Data Privacy
Recently, I met a security officer in the BFSI sector in Mumbai, and in the course of a conversation that was not very complimentary of security consultants like us, he made an interesting observation.

Tongue firmly in cheek, he said that most security solutions today are like a person investing a couple of thousand rupees in a metal cupboard with good locks in order to store a few hundred-rupee notes.


Trust, but verify

Aghast, I asked him to help me understand his point of view better. He went on to clarify that today, security professionals spend more resources to protect data than they would to protect money: a clear case of not understanding the value of data in today’s context. But he is not alone, if we go by the findings of the recently published Ponemon Institute’s first annual Cost of Failed Trust Report, which states that “…unlike before – when trust could be measured in terms of locks, safes and security cameras – executives, even those in IT security, little understand how truly fragile trust is today. A few kilobytes of cryptographic data is all that stands in the way of millions lost in sales, grounded airplanes and closed borders.” These findings are based on 2342 validated responses, most of which are from Global 2000 enterprises situated in Germany, France, Australia, the UK and the US.


Kill to survive

Protecting data from theft meets two requirements: firstly, it satisfies the statutory and compliance requirements and secondly, it prevents the loss or compromise of data that can damage the organisation’s reputation, seriously jeopardise its strategic competitive advantage and may even result in the organisation being unable to continue business operations. A Forrester report of July 2012 titled “Kill your Data to protect it from Cyber criminals” put forth the proposition that there are only two kinds of data: data that someone wants to steal, and everything else. Following this position, we need to understand why some security professionals put in place controls to protect data that is valuable to them rather than implementing controls over data that is valuable to cyber criminals. The Forrester report summarises rather succinctly: “control placement is often flawed and security pros frequently leave toxic data, data associated with legal or compliance mandates, and certain types of intellectual property unprotected and vulnerable.” Why does this happen? Is it that we don’t have appropriate technology, or is it that we are unable to classify what is valuable to the predator and hence we are protecting the wrong things?

Cryptography is one of the most preferred technologies that can support any effort to protect data and make it useless to those who attempt to steal it, both while it is stored and when it traverses networks. It is significantly more efficient and cost-effective than other known technologies that attempt to keep critical and sensitive data away from cyber criminals. However, two factors seem to work against moving cryptography from being used by a small, select group of technology specialists to becoming a ubiquitous solution for data security. First is the reluctance to deploy cryptographic solutions, since there is a general feeling that it is too mathematical or complicated. Second is the large number of keys and certificates to be handled while implementing crypto systems in a typical organisation. The Ponemon report referenced earlier finds that the average number of server keys and certificates in a typical Global 2000 organisation is 17,807. In addition, it is alarming to know that 51 per cent of those surveyed did not know how many keys and certificates were in use in their own organisations.


A case of dual pressures

We have on our hands a situation where two pressures work on the enterprise managers responsible for the privacy and security of data, particularly those governed by different statutory and ‘best-practice’ requirements. Firstly, there is growing pressure to keep Personally Identifiable Information (PII) and enterprise-related intellectual property (IP) data secure. Secondly, there is a need to implement an easy-to-manage and cost-effective technology to meet this growing demand for privacy and security of data. Irrespective of the comfort level we have today with its usage, cryptography is one technology that can be trusted to provide managers with the assurance of privacy and security they need.

The underground economy run by the largest pillagers of data held on various databases across the world is only interested in unencrypted data. Their avoidance of encrypted data comes from the fact that most data monetised in the electronic underground has a short TTL – time to live. For instance, credit card credentials obtained by rummaging through a compromised database have value only until either the owner of the card or the issuing bank finds or suspects a compromise. This short TTL leaves those dealing in stolen data with a deep dislike for encrypted data. If the keys to the encrypted data are not compromised, decrypting it by brute force will be a long, tedious and expensive process. Having said this, we must recognise that we are seeing steady growth in two other technologies that can render data strings unreadable: tokenisation, which protects data by abstracting it, and data masking, which is mostly used for managing the privacy and security of test data.
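As an added illustration, not taken from the article, the two alternatives named above in Python: a tokenisation vault that swaps a card number for a random surrogate carrying no information about the original, and irreversible masking for test data. The card number is the well-known test value 4111111111111111 and the vault is constructed for the example; a production vault would also encrypt its store and enforce access control.

```python
import secrets

# Constructed sample: a well-known test card number, not a real card.
SAMPLE_PAN = "4111111111111111"


def luhn_valid(pan: str) -> bool:
    """Luhn check that a genuine card number passes; a masked string or token does not."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Data masking for test systems: irreversible, keeps only the last four digits."""
    return "X" * (len(pan) - 4) + pan[-4:]


class TokenVault:
    """Tokenisation: the PAN is replaced by a random surrogate of the same length.

    The surrogate is generated independently of the PAN, so a stolen token table is
    worthless on its own; only the vault (the hardened component) can map it back.
    """

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenise(self, pan: str) -> str:
        if pan in self._token_by_pan:  # stable token: same PAN always gets the same surrogate
            return self._token_by_pan[pan]
        while True:
            # random digits, tagged with a leading 'T' so a token is never mistaken for a PAN
            token = "T" + "".join(secrets.choice("0123456789") for _ in range(len(pan) - 1))
            if token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenise(self, token: str) -> str:
        """Only callers authorised to reach the vault can recover the PAN."""
        return self._pan_by_token[token]
```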


Boy, cryptography ain’t complex

Is cryptography a fail-proof solution to data confidentiality and privacy? Surely not, though cryptography is by far the best known solution. There are multiple vulnerabilities that impact the overall security efficacy of cryptographic implementations. First is the fact that quite a few IT users and system administrators still hold the belief that cryptography is too complex and involves hard-to-understand protocols and key structures. Secondly, it must be understood that a crypto-system is only as strong as the confidentiality of its keys.

Knowing the way some users abuse passwords, it is difficult to assume that they would handle the confidentiality of crypto-keys any better. Admittedly, crypto-keys are embedded in soft or hard files, but those very files can be shared just as passwords are! Third are the reported phishing and man-in-the-middle attacks that have been successfully launched, resulting in compromised Certificate Authorities (CAs) and certificates. It is estimated that this vulnerability alone has resulted in a total cost exposure of US$ 73 million over the past two years. Fourth is the reluctance to move away from legacy crypto systems, which cannot withstand the onslaught of today’s cryptanalysts. Fifthly, most asymmetric and a few symmetric crypto algorithms are shrouded in secrecy, leaving developers to treat the cryptographic implementations in their applications as a black box. This results in our inability to certify that the crypto strength has been independently tested and that it meets the standards required to maintain the privacy and security of data.

Hammered by the steadily growing demand for enhanced privacy and security of data, we continue to seek technologies that can ward off cyber criminals who are ever eager to break into databases and harvest data that can be monetised in the underground economy.

IE, the business magazine from south was launched in 1968 and pioneered business journalism in south. Through the 45 years IE has been focusing on well-presented and well-researched articles. When giants in the industry stumbled to keep pace with the digital revolution, IE stayed affixed embracing technology.