To serve and protect

25 Dec 2008

It’s time for a fundamental re-think about how data is being handled.

It’s a fair bet that IT security is not a ‘problem’ that will ever get solved. It is really a ‘situation’ that will exist for as long as there are people willing, eager and resourceful enough to hack into systems, invent viruses, intercept messages and generate bogus transactions that pillage other people’s accounts. Growth in the popularity and range of online facilities for commerce and trade has brought us some major IT scams and it also throws this new field of security into very sharp focus.

To my mind, the greatest threat to online transactions is in the area of data security. Scarcely a week goes by without hearing about some sort of security breach somewhere. If it’s not stolen credit card details, it’s the incidence of ‘lost’ data through PC theft from those who should really know better. Giving some small comfort to the victims – the owners of the data – is one thing. Dismissing such thefts as opportunistic just diverts attention from the fact that people should have a legitimate expectation that their personal information is being very carefully stored and only released from storage in exceptional circumstances.

The online world has fundamentally changed the nature of data: not necessarily the data content itself, but its storage, transport and transmission. Because of the volume and variety of storage facilities now available, organisations are holding onto more data in places other than secure stores – on flash sticks, external drives and on laptops. They do this primarily because they can. A lot of the time, those who need only tiny elements of data or aggregations of it are copying whole data sets because it’s easier than selecting what they actually require. Many possessors of laptops don’t have the ICT skills or experience to understand how vulnerable the data on them is.

With mobile computing becoming more common, and with ever-increasing disk sizes, more and more data is moving around – out of secure sites and into all sorts of unsafe environments. Trading on the internet means sensitive financial data is being transmitted and becoming vulnerable to improper use by the many who are prepared to abuse it. Part of the problem is that we have evolved from older systems – both paper and electronic – where things didn’t get stored or moved in the same way. Cabinets full of paper files are difficult to move and search. Large computer files on tapes and disks used to be kept secure in libraries.

What a lot of organisations fail to realise is that data protection, privacy and IT security are not just compliance issues because of rules or regulations. It is not just about minimal changes to processes or procedures, or building a barrier to keep people from getting their hands on vulnerable data. I have no idea how much of a problem there is, but from the reports of lost data that have emerged over the past year – both here in Ireland and abroad – whether it’s big or not, it will undoubtedly diminish confidence in online transacting. That is a real shame because technology has opened up all sorts of possibilities for innovation in commerce and government by improving the level of access and the speed of service. And in many respects, we have only started to reap the benefits of technology. Any future progress must be based on the existence of trust.

So, there really needs to be a fundamental re-think about how data is being handled – both in terms of the data culture and standards in organisations and also in how individuals who are dealing with data behave. I used to sell computers that, according to the manufacturer, had been designed and built around an operating system rather than the other way round. To me, some similar thinking needs to take place about IT security.

Most IT security incidents arise from unauthorised access or the threat of illegal access to data. It stands to reason therefore that the primary focus should be on protecting data. People who own data should be aware of where it is going and should be able to have trust in those to whom they are releasing it. People who use data should only get access to the data elements they need. Governments and public authorities exist to process vast quantities of data. There are countless repositories of data across the system. Data sets are held in duplicate and triplicate as they move around the system. While there are data protection regulations in place, they are not there just to make life even more difficult for officials.

My personal view is that we should be operating in a culture and environment that is based on the concept of respect for personal information. If that really existed, you wouldn’t see people downloading files onto laptops or other storage devices. Procedures would be in place to ensure that only what is required is accessible, and that where data has to be transported or transmitted, it is sufficiently protected using anonymisation, encryption and anything else that the security community can come up with. If people need to work away from the data source, they should be using protected workstations that do not have much storage and that use encryption techniques. It would be a tremendous help if there were a set of standard principles about data and information – about who can access and use it and in what circumstances. This would be a useful starting point.

By Colm Butler