Public Service - analysis / opinion / debate

Where should the blame lie with data security?

Wednesday, July 01, 2009

If a shortcut is available, then staff will inevitably take it. Nick Lowe, Check Point's regional director for northern Europe, explains how large organisations can ensure that staff find the quickest route without endangering data in the process

Primum non nocere – first, do no harm – is the fundamental principle in healthcare. The same principle should also apply in devising and deploying an IT security solution. While no organisation wants to risk damaging data losses, the security solution should also not interfere with users going about their everyday computing tasks. The security should be delivered as invisibly as possible, without the user being able to affect it.

The reasoning behind this is simple: by making security transparent, it's much more likely that systems and data will stay protected. But how easy is it to balance security with transparency in large organisations like NHS Trusts?

The situation is made more difficult by the calls for urgent action from on high. NHS chief executive David Nicholson has twice instructed all NHS chiefs to ensure their organisations are encrypting mobile data, and Information Commissioner Richard Thomas has backed proposals to hold senior NHS figures personally responsible if their trusts lose personal information.

With such a focus on security, it's tempting to seek scapegoats. For example, data losses and leaks are usually blamed on individuals downloading sensitive data that they shouldn't have, or failing to protect data on a laptop or USB memory stick.

But this thinking diverts attention away from the real problem. While an individual's actions may breach security policies, it's unlikely that there's malicious intent involved. Users were just trying to do their job a little quicker, or work a little smarter. Can they really be blamed for that? As a CSO recently said to me: "Part of my job is saving my constituents from themselves."

Perhaps a better question would be, why was it left up to the individual to decide what data should be protected, and how, when it isn't really their job? Shouldn't the IT department share some responsibility for making security difficult to apply, or for failing to ensure that policies are adhered to?

So it's no good playing the blame game. An effective security solution should enforce security policies through the deployed products themselves, so that users are relieved of the responsibility of deciding what data needs protecting.

If the data needs securing as part of a process – such as copying data to a laptop or portable storage device – it should be done automatically according to the organisation's policies, and without individuals having to worry about it.

Sounds straightforward, but how does an organisation go about rolling this kind of data security solution out to all of its employees, PCs and portable computers? Broadly, there are three things the organisation needs to do:
• encrypt all data stored on laptops, PDAs, and USB devices automatically
• audit and control data transfer to removable media, such as USB sticks or CDs
• control the security policy running on all computers in the organisation

But as with a blood transfusion or an organ transplant, before this process can take place, some in-depth research and preparation is needed. The organisation's entire computer fleet needs to be "typed" – that is, audited to find out what security is already deployed, and what needs updating.

Then each computing device needs to be equipped with a centrally-managed endpoint security suite. This should include a firewall for the device, antivirus protection, full-disk encryption (so that users don't have to choose what to protect), port protection (to control what devices can be used to carry data), and virtual private networking for secure remote access.
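As an added illustration of the "typing" audit and the three requirements above (not code from the article, Check Point or any NHS trust), the following script encodes the required endpoint suite and the removable-media rules as a policy and reports which hosts in a constructed inventory fall short; the control names, device fields and sample hosts are assumptions made for the example.

```python
# Added example: a fleet "typing" audit against the three controls the article
# lists. Not Check Point's or the NHS's own tooling; all names are assumptions.
from dataclasses import dataclass, field

# Endpoint suite components the article says every device must carry.
REQUIRED_CONTROLS = {"firewall", "antivirus", "full_disk_encryption",
                     "port_protection", "vpn"}

@dataclass
class Endpoint:
    name: str
    controls: set = field(default_factory=set)
    policy_version: str = ""          # version of the centrally pushed policy

@dataclass
class TransferEvent:                  # one copy to removable media
    host: str
    target_media: str                 # "usb" or "cd"
    media_encrypted: bool             # did the endpoint encrypt automatically?
    logged: bool                      # did it reach the central audit trail?

def audit_endpoint(ep, current_policy):
    """Gaps that must be closed before the device is compliant."""
    gaps = [f"missing {c}" for c in sorted(REQUIRED_CONTROLS - ep.controls)]
    if ep.policy_version != current_policy:
        gaps.append(f"stale policy {ep.policy_version or 'none'}")
    return gaps

def audit_transfer(ev):
    """Removable-media copies must be encrypted automatically and audited."""
    gaps = [] if ev.media_encrypted else [f"unencrypted copy to {ev.target_media}"]
    if not ev.logged:
        gaps.append("transfer not audited")
    return gaps

def fleet_report(endpoints, events, current_policy):
    """Map each non-compliant host to its findings; compliant hosts are absent."""
    report = {}
    for ep in endpoints:
        if gaps := audit_endpoint(ep, current_policy):
            report.setdefault(ep.name, []).extend(gaps)
    for ev in events:
        if gaps := audit_transfer(ev):
            report.setdefault(ev.host, []).extend(gaps)
    return report

# Constructed sample inventory and events (not real hosts).
FLEET = [Endpoint("lap-01", set(REQUIRED_CONTROLS), "2009.07"),
         Endpoint("lap-02", {"firewall", "antivirus"}, "2009.03")]
EVENTS = [TransferEvent("lap-01", "usb", True, True),
          TransferEvent("lap-02", "cd", False, False)]
```

Running `fleet_report(FLEET, EVENTS, "2009.07")` lists only lap-02, with its missing suite components, stale policy and the unencrypted, unaudited copy to CD; a fully equipped host on the current policy produces no findings.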

This type of granular control and application of policies ensures that data flows in a traceable and secure manner, while enabling users to work efficiently – giving protection with transparency. It ensures that the security solution truly does no harm.