Q&A: The Changing Data Security Landscape (Part 1 of 2)

A data management expert and a security expert discuss issues created by the increasing sophistication of data thieves, and the lack of adequate attention to security among data managers. First in a two-part series.

"As data warehousing designers, our focus is not on protecting data, but on exposing it," points out data management expert David Loshin. Growing threats to data security are bringing that approach into question, as Loshin, along with security expert Wasim Ahmad of Voltage Security, explain in this interview on data security, the first of two parts. In this segment, we focus on how security threats have changed, growing incidents of data breaches, and why data in transit is particularly vulnerable.

A consultant and thought leader in BI, data quality, and master data management, Loshin is president of Knowledge Integrity, Inc. He is the author of numerous articles and books on data management, including the best-selling Master Data Management; his most recent book is Practitioner's Guide to Data Quality Improvement. Loshin is a frequent speaker at conferences and other events; he discussed data security issues in a TDWI Webinar on July 20 with Wasim Ahmad, Data Protection and Security: Considerations, Compliance, and Best Practices.

Ahmad is vice president of marketing for Voltage Security; he has over 19 years of experience in enterprise software, application development, and business intelligence, including management positions at CA, Sterling Software, and Synon.

BI This Week: Just how widespread and challenging are data breaches?

David Loshin: The incidence of data breaches appears to be continuous; in fact, it's seemingly skyrocketing. However, that may be due more to a combination of laws and regulations that demand breach notification, combined with public outrage over the many breaches of trust.

That said, data breaches are everywhere in every industry in a multitude of ways. I just read an article specifically about healthcare data breaches that described incidents ranging from external hackers stealing data, to backup discs stolen from someone's house, to hard drives left in vehicles that were then stolen, to incorrectly attributing characteristics to electronic data. There are external thefts, there are internal issues, and then there are simply cases where people are inattentive in applying the right kinds of controls. If you look at some of the cases we've seen over the past couple of months, you'll see millions and millions of exposures of information. It's insidious.

That sets the stage well for our discussion. Why are data breaches increasing despite increased security? Why aren't traditional security approaches working?

David Loshin: There are too many holes in the framework, basically, and the typical controls address only one dimension of exposure, which is controlling access. If that line of defense is insufficient, the absence of any other barriers to exposure means easy pickins'. The bad guys are very good at what they do, whether through inside connections, social engineering, or old-fashioned hacking.

Wasim Ahmad: One of the dynamics in play here is organized crime. Even in the face of the sorts of facts that David shared, most people still have a romantic view of hackers as bored kids trying to have fun. That certainly happens, and the rise of "script kiddies," as they're often called, is an example of that. Scripts -- or instructions on how to conduct a hack -- may be widely available on the Internet. Young people sometimes find those, then go off and explore. However, [for those sorts of attempts,] there are typically many, many security solutions available. Because the hacking information is widely available, there are often countermeasures to block that activity, which typically isn't super-sophisticated.

However, what we're seeing today as the real danger is organized groups of individuals targeting companies. They're targeting individuals. They're targeting specific segments of industry. This is a multimillion-dollar, perhaps multi-billion-dollar industry. I don't think people realize that.

To answer your second question, which is why data breaches are increasing despite the security, here's the challenge: These hackers are very, very sophisticated. They're ingenious. Nothing really stops them. If they're blocked, if they face an obstacle, they'll figure a way around it. It can be anything from finding an open Wi-Fi access point -- which happens less frequently now than it did a few years ago -- to paying the office janitorial service to check underneath keyboards for passwords.

Earlier this year, one of the more interesting methods that hackers found for getting into an organization was randomly dropping USB sticks in the parking lot. They relied on someone in the organization finding one, picking it up, and out of curiosity, plugging it into a laptop computer on the network, thus unleashing malware.

Clearly, they'll find ways of getting in, and once in, they're able to kind of bypass many of the security measures that IT puts in place. Once they're inside the system, unfortunately, they have access to pretty much anything that they want.

This is the conundrum for companies spending millions of dollars on security solutions. They make sure they put many kinds of perimeter security solutions in place to prevent bad people getting in. However, too often it's based around the concept of "once you're in, you're trusted." Insiders have access to whatever they need. The fundamental problem is the model people are using to design and build their security solutions.

So a much better approach is to focus on the data itself?

Wasim Ahmad: Right. However, that brings up another issue. Very often, IT will have security mechanisms in place to prevent access to certain types of data. For example, a user needs authorization to access a particular database or server. Even those systems, however, aren't difficult to get around. That's because many people architect their systems in such a way that information might be encrypted in one place, or protected on a particular server, but when it's moving, or when it's being used in a different area, it's no longer protected.

Lots of the malware out there is really just sitting quietly in the network, waiting for something interesting, like a set of packets that might represent a credit card number, and grabbing those. They don't need access to the actual server where the data might be stored; they just need access to the pipes that connect that data to something else. That's how well-known breaches such as TJX and Heartland and a whole score more happened. All they need is a gap in the security of the data.

David Loshin: That's right. As we're using data more and more, just as Wasim said, more and more data is showing up as accessible because access control covers only one dimension. If that's insufficient, and if you don't have other barriers, then as soon as somebody is inside your system, they're in.

David, you made an interesting point in the Webinar -- that security tends to be an afterthought in data warehouse design in general. Why is that? Do you see that changing?

David Loshin: I would say that it's particularly true in data warehousing because as designers, our focus is not on hoarding or protecting data. It's on exposing it, right? It's finding data sources, extracting the data, integrating it, consolidating it, aggregating it, storing it in a data warehouse, storing it in operational data storage, doing change data capture, and so forth. You're always moving data from one point to another point, generating reports and exposing it for analysis. Generally in the data warehousing and business intelligence space, we're about publishing information, not necessarily protecting information.

In fact, most of the engineers and designers of these systems may not even be aware of the characteristics of data protection, let alone some of the philosophical issues about data protection. For example, if you've got data that you're able to expose that is linked to protected data, it essentially infects the open data, so that data needs to be protected as well.

From some of my experiences working in government areas in which data integration is taking place, they're well aware of these issues, especially on the legal side, and they enforce rules. In general, however, if you're just poking around in an organization, they don't get it.

Another issue is what I refer to as "exposure by inference," in which there are facts that are supposed to be protected but become exposed. That's not because somebody found them and published them, but because you could infer them as an analytical result or as a result of some consolidation process.

I'll give an example. A long time ago, I was working for a company doing data mining, analyzing different types of transactions from different sources. Some were detailed records; some were delivery records; some were other types of records. One of the things we found was an individual who was ordering lingerie but having it delivered to a person who was not that individual's wife. By combining data from different sources, we somewhat accidentally exposed something that individual probably wanted to retain a level of privacy about. That's exposure by inference.

Regarding whether I see things changing, I would say the fact that TDWI recently allocated time in a Webinar for us to discuss these issues means there is at least some level of awareness that it's important for our community to learn more about instituting data security where it's necessary.