In 1975, 'Star Wars' had yet to be released, Disco was new, and Rein Turn and Willis Ware wrote a prophetic paper on data security and the protection of information. They were interested in the problem of protecting information from insiders and maintaining the privacy of stored information kept by governments or organizations. This was the first major paper to begin to address insider threats, and foreshadowed the problems we’ve had over the past couple of years with large government agencies and companies who handle our sensitive information.
Turn and Ware had six principles they outlined in their paper. The first, Reduce Exposure, addressed information protection by simply collecting less sensitive information. Companies used to do this, in the past. They’d resist collecting your entire Social Security Number, for example, and only maintain your last four digits. Or they’d keep your address on file, but not your credit card number. Today, companies resist this kind of thing, preferring to collect as much information on their customers as they can. They use this information for marketing, profiling shopping habits, or providing a smoother sales experience. Granted, the pressures to maintain this information are significant, but by minimizing the amount of sensitive information stored, companies minimize the exposure of this sensitive information and decrease their attack surface. Organizations may justify keeping extra information around because they’re already keeping some sensitive information; keep in mind though this just increases the attack surface by keeping more sensitive data available for exploitation.
Decrease Sensitivity. Turn and Ware also suggested decreasing the sensitivity of stored information by removing key pieces of data. This is more along the lines of storing the last four digits of a Social Security Number than not storing the number at all. In cases where you must store some sensitive information, diligent redaction of key information may make that stored data less sensitive while still maintaining the value of the stored information.
Anonymization. The first to suggest large scale anonymization, Turn and Ware were proponents of removing any and all personally identifying information from stored data, or at least minimizing the exposure of that information via separating data stores. This is still a common strategy today, in fact. When information must be associated with someone to have any real value, you can associate the data with a unique key, and then store the identifying information in a separate data store. Of course, we’ve learned over the past few years that true anonymization is actually very difficult, and that individuals can be identified on the basis of the stored data itself without any other specific identifying information. Nevertheless, anonymization is a powerful tool when used with appropriately sanitized information.
Encryption. We still stress this today. You have sensitive information? encrypt it! But it’s not really that simple, is it? we still end up needing to manage keys, and we need to make sure we apply the algorithms correctly, even if we don’t need to code them up ourselves anymore. Implemented properly, this is still an excellent technique. With the appropriate algorithm strength, and key management in place, encrypting data radically decreases the attack surface from some arbitrarily large set of sensitive information to a single 2KB key. Not a bad tradeoff.
Accountability. Make sure you’re able to track who accesses what data! you need a robust auditing policy in place, and then you need to review the generated audit trails for access. Both of these steps are important. It doesn’t matter if you have the best logging you possibly could in place if you never review what the logging captures. It’s also important that you only log events that are important - otherwise, you end up logging too much information, driving up the cost of log analysis, and lessening its value.
Access Control. Finally, if you have sensitive data of any kind, make sure access is only granted to those authorized to view the information.
We use all of these controls today except for the first two. Most organizations aren’t even aware that you can take this kind of approach to sensitive data storage, but they’re certainly two principles you should keep in your back pocket for the next time you’re dealing with sensitive data storage.