Monday, November 26, 2007

UK government loses 25 million identity records

You've probably already heard about this. It was front page news in the UK all of last week. They haven't stopped talking about it and commentators all over the place are taking pleasure in chastising the UK government for the problem. I've been in Seville (Spain) for work and haven't had time to chime in until now.

I'm referring to the fact that HM Revenue & Customs (HMRC) managed to lose 2 CDs filled with 25 million child benefit records in the process of sending them to the National Audit Office (NAO). In short, if you have children and have tax records in the UK, chances are your personal records and bank details were on those CDs.

Of course, being such a high profile incident, the Internet and news channels are already filled with articles and comments. Also, every software vendor and consulting firm is more than likely trying to call on HMRC with the line "have we got a solution and deal for you"! Despite this, the failure is not primarily because of a lack of technology. It is all about the lack of a security culture, lack of education and awareness and badly defined procedures.

In September, they also managed to lose 15,000 records when sending details to Standard Life and an estimated 400 customer records in a separate incident. Here's a time line that summarises the incidents over the past few months if you want a high level view. HMRC's chairman Paul Gray has resigned over this incident. Someone had to fall on his sword over this and I suppose he was the logical first casualty.

This article at Techworld says that the NAO had actually only asked for National Insurance numbers and explicitly asked for the other information to be stripped out. But some bean counter "business manager" at the HRMC instructed that this not be done because they would have to pay their IT provider EDS to do it. Sound familiar to you? Yet another case of the need to save of dollars winning out over good security and privacy practices. It happens all the time because of uneducated "business individuals" with no sense of the need to protect sensitive information. That's why there have been so many incidents over the past few years and this is just the latest and highest profile one this year.

I'm frankly not surprised that this happened. It's a harsh thing to say, but I know a little something about a very small part of HMRC's systems and how EDS manages it. I should point out that I've never had anything to do with the EDS HMRC account or HMRC itself, but I do know some people who work on the account and it's a shambles. Identity controls are practically non-existent. Access controls are practically non-existent. There are also allegedly people working on those systems without a proper security clearance! This is not to say they don't safeguard some of their data. I'm sure they do, but it says something about the general culture and management mentality in place. I know for a fact that internally, BIG security holes are observed and brought to management attention by a lot of the guys on the ground, but their protests fall on deaf ears. It's almost always because dollars speak louder than the need to have good security controls in place. This is just unacceptable and it's not even totally EDS's fault, although they play a part. It's the fact that HMRC seem to have a culture of penny-pinching when it comes to IT and they've now suffered as a result. If you're unwilling to spend money on adequate security, you deserve to be called out as being incompetent and they've shown themselves to be exactly that. Unfortunately, millions of people have had to suffer as a result.

The main thing that strikes me out of all this is that EVERYONE (including British Prime Minister Gordon Brown) is blaming a "junior official" for the gaffe. This deflects from the actual problem. Even if the official was "junior", it was not their fault that this happened. In fact, being "junior" gives them a valid excuse for being stupid. The problem is just bad process and even worse IT management. This incident is inexcusable, especially if you are the Government and are responsible for the security, privacy and protection of your citizens. You CANNOT be losing information because you want to save a few bucks.

The "junior official" shouldn't even have had to think about what they were doing. They should NOT have had access to this information in the first place. And if an official does come along who should have access and is properly given the access, they should NOT be able to copy all this information onto something like a CD and have it sit there unencrypted and unprotected! Security should be put in place to make access to data "idiot proof" because most users are "idiots" when it comes to data protection. Even those of us who should know better violate security policies all the time because it's just easier. We do it without even thinking about implications because we all have the “it won’t happen to be” mentality. It’s even more rare that an incident occurs where there are such massive implications and on such a high profile and scale. In other words, most of us suffer from “she’ll be right mate” (borrowing a term us Aussies like to use) syndrome.

The chances of something like this occurring would have been far less if HMRC had properly implemented the following (in order of importance):

  1. Decent security awareness training and education - User awareness will drastically reduce bad practices. People don't want to do the wrong thing. They just don't know when they are doing the wrong things.
  2. More security training and education - Keep it fresh and up-to-date. Things change VERY quickly in the IT security game. It also helps to remind people from time to time that security is important. It NEEDS to be part of corporate culture because otherwise, things just fall in a heap.
  3. Properly defined identity and resource/data access policies - Know what systems, applications, resources and data you need to protect and who should have access to them. Without this, all the technology in the world will not help.
  4. Properly implemented policies supported by relevant technology solutions - Policies alone will not protect you against the bad guys and the "idiot" (too stupid to understand the security policies) or "lazy" (can't be bothered reading the security policies) user. There are also many of us who fall into the "I know I shouldn't be doing this but I'm not doing this as a bad guy - I just want to make my job easier" category.

In other words security awareness, training and education are paramount. It should be noted that this needs to be pushed from top down. If the business stakeholders do not buy into security being important, no one else will. Bottom-up security awareness and culture change NEVER works. Having some semblance of a security function is the next most important thing. Without it, all the best technology in the world will not help. And finally, put in the proper IT solutions to enforce these policies because you need the "virtual traffic police" to ensure that laws are met.

As a simplistic level, technology alone could have prevented this from happening in the first place, but it does not solve the over-arching lack of security that is apparently there for all to see. In fact, many commentators and so called "security experts" are saying they should have put in encryption technologies and it would have solved all their problems! This is just not true. By this I mean that they could have implemented basic stop-gap encryption technology to enforce that everything that gets written to CDs and DVDs gets encrypted. If that was the case, the loss of the CDs would not have caused this much debate and analysis around what went wrong. It would have simply been "oh, we lost some CDs and these things happen sometimes when you post things, but the data was all encrypted". That would have called into question their processes rather than their lack of focus on security and inadequate IT controls. The implications to the public would have been far less severe. If that had been the case, all it would have done was to delay their major incident. If all you do is put stop-gap measures in place rather than a proper identity, access and information security layer and accompanying controls, it is only a matter of time before the "water leaks from another part of the dam" (apologies for the cliché, but I'm too tired to think of a witty and original analogy).

The only positive from all this is that HMRC have now got a compelling reason to act and spend money on a first step towards an adequate security infrastructure. Keep in mind that being the Government, "adequate" is NOT GOOD ENOUGH. But it's a start. Unfortunately, many Governments do not even have adequate security. I dare say many other Governments in the world have similar issues but just haven't had the high profile incident to catch them out yet. Losing 25 million records is going to be very difficult to top however, so I dare say the UK Government's incompetence will be in the spotlight for some time.

I'm not privy to the processes that have been put in place for the scenario that took place so I'm not about to comment on the specifics. They probably have some sort of security awareness and education. Maybe being a "junior official" pushed the person down the list of people who could attend classes and they hadn't been given the requisite training (in which case they shouldn't have been able to access sensitive information at all - sadly this pre-requisite is often overlooked by security policy makers and even more often left unimplemented in security systems). If they had been given the training, then perhaps it was the "idiot" factor. If we give HMRC the benefit of the doubt and assume their education program is great, their operational and security processes are sound and their security policies are well defined, then this should have been prevented by the security measures and IT systems they have in place.

The whole process should have gone something like this:

  1. NAO formally requests the 25 million records via the proper channels using the pre-defined and approved process.
  2. Process is executed and approved after which the work assigned to an authorised official.
  3. Official (who has undergone proper security education and training AND has this fact marked in their user profile to allow for rudimentary access to systems) picks up the task and is authenticated to the environment at a certain clearance level. If official has not undergone security awareness training, they cannot get access to anything sensitive.
  4. Official retrieves information and based on credentials and their entitlements is only given the parts of the data they have approval to view. If this does not include the required information (e.g. names and national insurance numbers), the official should be able to request that the relevant entitlements be given to them and have this request approved by the relevant managers or security personnel. Access should not include the ability to retrieve information that is not required (such as bank details). In other words, there should be fine grained access controls in place for access to sensitive data.
  5. Once allowed, official retrieves information and saves it to required media for transport to NAO. If the approved and documented process is to burn the information onto DVD or CD, then this is done. Upon the action of burning to CD or DVD, the information should be transparently encrypted without the official having to intervene or know that it is being encrypted. The decision on what to encrypt should be made by the system.
  6. DVD/CD is packaged up and securely transported to the NAO securely and properly tracked.
  7. The whole end to end process should be digitally audited and tracked in a central location for forensic purposes. Then there would be no need to pay PWC a truck load of money to “investigate” as they have had to do in this instance.

You may still be able to poke holes in the process I’ve outlined (the best processes do not cover off 100% of the potential risks, they just help mitigate the overall risks), but it would still be better than what HMRC currently have in place…and it took me 5 minutes to come up with it. If nothing else, it would have at least shown that they had been pro-active about protecting their data from a process and procedural standpoint. There is obviously more to information security than this and I’m not blind to the fact that implementing what I’ve outlined is no small task. If it was this simple, there would be no need for information security professionals. They need to start with the easiest bits and work their way up from there. Defining the procedures and policies is the first step. Putting in the encryption is an obvious easy win. The identity and access/entitlements part is a little trickier, but they need to think big to start to get somewhere. At this stage, I doubt they even know how to spell “entitlements”.

All I’ve done here is over off a small part of the big picture…but a part that would have potentially prevented the loss of the 25 million records. And even if they somehow managed to lose the CDs, they would only be useful as coasters or Frisbees to anyone who found them. The 25 million record data loss incident would have been averted and we would be talking about something more interesting this week rather than the UK Government’s incompetence.

Friday, November 16, 2007

Sun joins the role management game

The large vendors have largely ignored the role management aspects of Enterprise Identity Management. I outlined some of my thoughts on this in a previous post in response to Oracle's acquisition of Bridgestream. I also asked an open ended question around what the other large vendors would do in response to this. I just got part of the answer as Sun announced a few days ago their intent to acquire VAAU, another player in the role management game.

I won't repeat myself so read my Oracle and Bridgestream post if you want to know what I think about this whole role management thing. All that's left to add to that post is that Sun's just joined the game. Your move IBM/CA/BMC.

Whatever happens, all this is pointing towards the day when Enterprise Identity and Access Management = commodity. We're not quite there yet. But soon.

Thursday, November 15, 2007

Symantec announce Vontu acquisition

As usual, my travel schedule for work is really screwing with my blogging habits and keeping up to date with news. Of course, this means I'm blaming it on the market's need for Data Security solutions...which is not such a bad thing.

Symantec finally announced their acquisition of Vontu early last week. More about it on Symantec's website here.

I spoke about Vontu briefly in a previous post and mentioned the whole Symantec acquisition of Vontu here when it was still a rumour. As it turns out, it was true and a very badly kept secret.

I'll post more about my thoughts on what this means for Symantec later when I have a spare moment. Hopefully that's sooner rather than later.

Friday, November 02, 2007

Cisco wants an identity and entitlement aware network

I've mentioned Securent a couple of times before and have had various opinions about the company and Authorisation/Entitlement Management in general. I've even had a bit of a debate with its CEO Rajiv Gupta both online and offline (via email).

In one of the "what the F*$&" moves of recent times, Cisco just acquired Securent for $100 million. In a side note, Securent curiously also announced guidelines and tools for centralising the management of entitlements. I think this is somehow going to get lost amongst all the talk about the acquisition.

There's plenty of informed commentary about it by Dave Kearns, Jackson Shaw, Ian Glazer, the Burton Group, and Dark Reading so I won't comment too much other than to say I agree with a few things various people have said:
  1. Securent will form the basis of Cisco's centralised, network based entitlement/authorisation service. Why? Because Cisco said so.
  2. Cisco is trying to bridge the gap between Identity on the network and Identity in the application world. They are not the only company doing this, but they are the most influential because they are Cisco. It's still true that in many circles today, the network = Cisco.
  3. Cisco understand (or at least hopes that organisations understand) that Enterprise Identity and Access Management needs the network to play its part around user identity and context to have a truly coherent enterprise security infrastructure that works. I'm not saying it's easy. I'm just saying it needs to happen.
  4. Securent will get lost in the big juggernaut that is Cisco, be consumed and eventually forgotten by virtue of being absorbed into a company as big as Cisco. So much for that great marketing team I've complemented before.
  5. Why the heck did Cisco start its march into the identity space with Securent? It's a little puzzling, but I suppose the other "hot mature vendors" had already been gobbled up by the likes of IBM, Oracle, CA and others. Cisco is behind in this space. The fastest way forward when you are behind is to be disruptive. Maybe that's what they are going for. They need to be relevant in this area if they are to continue being dominant in the networking world.

IBM dips its toe into Data Security

IBM made a rather long winded and all encompassing announcement today around a bunch of Risk Management initiatives. In true IBM style, there's too much information for the average person to take in and understand at first glance. They are offering a heck of a lot and very few organisations will need everything they are announcing here. In fact, you probably don't even need half of what they are offering unless you have a HUGE security need and not much of an IT security department. Of course, they'll gladly send out a sales rep to sell it all to you. Don't buy it all. You don't need it all.

Now that I've done my IBM bashing for the day, I want to point out the data security piece:

"To deliver a total data protection solution throughout the information lifecycle, IBM ISS is partnering with leading data security vendors, including Application Security, Inc., Fidelis Security Systems, PGP Corporation, and Verdasys, Inc. By leveraging key technologies from these partners and IBM Tivoli, IBM ISS will offer a comprehensive set of asset-based data security services:
  • IBM Data Security Services for Activity Compliance Monitoring and Reporting -new services that help protect companies from insider abuse and enhance audit preparedness by assessing, monitoring, and alerting on malicious and non-compliant database activity and vulnerabilities.
  • IBM Data Security Services for Endpoint Data Protection - new services that help clients encrypt and manage data on endpoint devices, such as laptops and PCs.
  • IBM Data Security Services for Enterprise Content Protection - new Data Loss Prevention services that monitor and help protect against intentional and inadvertent leakage of critical data."

In other words, IBM can offer you a Managed Security Service around data security and leakage prevention (aka DLP). So even though IBM aren't doing anything in terms of acquiring software in the DLP space (yet), they are flexing the might of their services arm in an attempt to service the need. It is worth noting that they need to partner with other vendors because they don't have the software portfolio to do it. Which brings me to my next point.

It would do them a lot of good to have a software solution in this space. The most logical place to slot the acquisition would be in Tivoli, but they could also put it into their Information Management brand. It makes perfect sense to tie data/information monitoring and leakage prevention into Identity Management, Access Controls/Entitlements Management, Compliance Monitoring/Reporting and Security Event Management and Correlation. It's a big hole in their portfolio. Once they get that, they'll need to start looking at the network layer.

I know they got out of that business a long time ago and said they would never go back...but hey, they bought ISS didn't they (incidentally, they could also roll DLP software into ISS). Stranger things have happened.

TrendMicro gets into DLP

I'm a few days late on this as usual. My excuse is that I've been busy working with a huge global organisation on their data security, protection, leakage prevention and PCI requirements.

With the spate of acquisitions in the Data Leakage Prevention space lately, it comes as no surprise that another has just occurred. TrendMicro acquired Provilla earlier this week. This trend will probably continue as all the large vendors try to elbow each other for a position at the front of the pack in this space and attempt to round out their security portfolios. That being said, we're still waiting on the rumoured Symantec acquisition of Vontu.

So you can add TrendMicro to the list of large DLP vendors I mentioned here...with the exception of Symantec (at least for now).

The question remains...what are the REALLY big vendors doing? I'm glad you asked (continued in the next blog entry).