Close
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Menu
Search
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cybersecurity
    • Cybersecurity
    • Networking

    Bits Never Feel Insecure

    By
    Peter Coffee
    -
    February 13, 2006
    Share
    Facebook
    Twitter
    Linkedin

      When doctors want to know where somethings going inside a patient, they tag it with some kind of tracer that lets them track that progress. We might learn a lot by doing something like this with sensitive data as well.

      Richard Moulds, a VP at security infrastructure vendor nCipher, got me thinking along these lines with his comments during our conversation this month about the need for better control of data movement and use.

      “Imagine flicking a big encryption switch overnight,” he suggested—offering examples such as having every sensitive PeopleSoft report in an organization or every credit card number that appears in any record suddenly become available only to those who had explicitly granted privileges to use it.

      “Almost every [enterprise] officer would be surprised at how many people depend on that data. Encrypt it overnight, and see how many people complain,” Moulds suggested (just as a thought experiment, Im sure).

      My conversation with Moulds reminded me of comments by Peter Boriskin of Tyco Fire & Security, who pointed out to me the opportunity of physical and digital security to strengthen each other—for physical systems knowledge of users locations, for example, to guide IT systems granting of access privileges.

      Moulds observed that the same user on different devices should be granted different privileges. For example, a user on an internal machine should have broader access than one on a home machine, let alone one whos checking mail from a trade show kiosk.

      He also suggested, as I have myself from time to time, that privileges to use the product of data should be distinct from access to the data itself. Its one thing to see the average salary in a department and quite another to see the salaries of each member of that department.

      If you go much further along this line of thinking, you might join me in concluding—or at least suspecting—that IT departments should not be the ones who administer IT privileges, any more than the people who drive the armored cars that deliver the payroll each week should be the ones who set wages or who hire and fire workers.

      Its the job of IT to build an infrastructure that can flexibly, reliably, transparently and manageably grant and withdraw privileges based on peoples identities, roles, current tasks, and current locations or environments. Its the job of a human resources organization to apply that infrastructure and to certify need, ensure security awareness and keep peoples information privileges aligned with their changing responsibilities.

      Credit card numbers, Moulds suggested, might be more than just a good example of the kind of information that may be flowing around in entirely too many different and inadequately governed forms. They may be the definitive test case: While Sarbanes-Oxley gets all the attention, he observed, the requirements of the PCI (Payment Card Industry) Data Security Standard may actually have a more pervasive grass-roots impact.

      /zimages/5/28571.gifRead more here about MasterCards plans for increasing consumer data protection.

      A concise list of 12 one-sentence mandates, the PCI document is starting to be widely circulated among all organizations “that store, process or transmit cardholder data,” to quote the standards stated scope. Its strictures apply to every “network component, server, or application included in, or connected to, the cardholder data environment.”

      Thats a short document that casts a giant shadow: Could you look Visa in the eye and say that you “Do not use vendor-supplied defaults for system passwords and other security parameters” (Requirement 2) and “Restrict access to data by business need-to-know” (Requirement 7), for example?

      Not being allowed to handle credit card numbers is like not being allowed to handle money: It can really cramp your style. Thats quite a motivation to talk with Tyco, talk with nCipher, and talk with your own IT and HR departments about how your next generation of security thinking should proceed.

      Peter Coffee can be reached at [email protected]

      /zimages/5/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.

      Peter Coffee
      Peter Coffee is Director of Platform Research at salesforce.com, where he serves as a liaison with the developer community to define the opportunity and clarify developers' technical requirements on the company's evolving Apex Platform. Peter previously spent 18 years with eWEEK (formerly PC Week), the national news magazine of enterprise technology practice, where he reviewed software development tools and methods and wrote regular columns on emerging technologies and professional community issues.Before he began writing full-time in 1989, Peter spent eleven years in technical and management positions at Exxon and The Aerospace Corporation, including management of the latter company's first desktop computing planning team and applied research in applications of artificial intelligence techniques. He holds an engineering degree from MIT and an MBA from Pepperdine University, he has held teaching appointments in computer science, business analytics and information systems management at Pepperdine, UCLA, and Chapman College.

      MOST POPULAR ARTICLES

      Android

      Samsung Galaxy XCover Pro: Durability for Tough...

      Chris Preimesberger - December 5, 2020 0
      Have you ever dropped your phone, winced and felt the pain as it hit the sidewalk? Either the screen splintered like a windshield being...
      Read more
      Cloud

      Why Data Security Will Face Even Harsher...

      Chris Preimesberger - December 1, 2020 0
      Who would know more about details of the hacking process than an actual former career hacker? And who wants to understand all they can...
      Read more
      Cybersecurity

      How Veritas Is Shining a Light Into...

      eWEEK EDITORS - September 25, 2020 0
      Protecting data has always been one of the most important tasks in all of IT, yet as more companies become data companies at the...
      Read more
      Big Data and Analytics

      How NVIDIA A100 Station Brings Data Center...

      Zeus Kerravala - November 18, 2020 0
      There’s little debate that graphics processor unit manufacturer NVIDIA is the de facto standard when it comes to providing silicon to power machine learning...
      Read more
      Apple

      Why iPhone 12 Pro Makes Sense for...

      Wayne Rash - November 26, 2020 0
      If you’ve been watching the Apple commercials for the past three weeks, you already know what the company thinks will happen if you buy...
      Read more

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2021 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×