When doctors want to know where somethings going inside a patient, they tag it with some kind of tracer that lets them track that progress. We might learn a lot by doing something like this with sensitive data as well.
Richard Moulds, a VP at security infrastructure vendor nCipher, got me thinking along these lines with his comments during our conversation this month about the need for better control of data movement and use.
"Imagine flicking a big encryption switch overnight," he suggested—offering examples such as having every sensitive PeopleSoft report in an organization or every credit card number that appears in any record suddenly become available only to those who had explicitly granted privileges to use it.
"Almost every [enterprise] officer would be surprised at how many people depend on that data. Encrypt it overnight, and see how many people complain," Moulds suggested (just as a thought experiment, Im sure).
My conversation with Moulds reminded me of comments by Peter Boriskin of Tyco Fire & Security, who pointed out to me the opportunity of physical and digital security to strengthen each other—for physical systems knowledge of users locations, for example, to guide IT systems granting of access privileges.
Moulds observed that the same user on different devices should be granted different privileges. For example, a user on an internal machine should have broader access than one on a home machine, let alone one whos checking mail from a trade show kiosk.
He also suggested, as I have myself from time to time, that privileges to use the product of data should be distinct from access to the data itself. Its one thing to see the average salary in a department and quite another to see the salaries of each member of that department.
If you go much further along this line of thinking, you might join me in concluding—or at least suspecting—that IT departments should not be the ones who administer IT privileges, any more than the people who drive the armored cars that deliver the payroll each week should be the ones who set wages or who hire and fire workers.
Its the job of IT to build an infrastructure that can flexibly, reliably, transparently and manageably grant and withdraw privileges based on peoples identities, roles, current tasks, and current locations or environments. Its the job of a human resources organization to apply that infrastructure and to certify need, ensure security awareness and keep peoples information privileges aligned with their changing responsibilities.
Credit card numbers, Moulds suggested, might be more than just a good example of the kind of information that may be flowing around in entirely too many different and inadequately governed forms. They may be the definitive test case: While Sarbanes-Oxley gets all the attention, he observed, the requirements of the PCI (Payment Card Industry) Data Security Standard may actually have a more pervasive grass-roots impact.
A concise list of 12 one-sentence mandates, the PCI document is starting to be widely circulated among all organizations "that store, process or transmit cardholder data," to quote the standards stated scope. Its strictures apply to every "network component, server, or application included in, or connected to, the cardholder data environment."
Thats a short document that casts a giant shadow: Could you look Visa in the eye and say that you "Do not use vendor-supplied defaults for system passwords and other security parameters" (Requirement 2) and "Restrict access to data by business need-to-know" (Requirement 7), for example?
Not being allowed to handle credit card numbers is like not being allowed to handle money: It can really cramp your style. Thats quite a motivation to talk with Tyco, talk with nCipher, and talk with your own IT and HR departments about how your next generation of security thinking should proceed.
Peter Coffee can be reached at firstname.lastname@example.org.