What is the Price of Data Protection?
By Bill Burke
Everyone has heard or followed the stories about phishing, data collection, hacker intrusion, data carelessness, virus attacks, denial of service attacks, employee data pilfering and the myriad of other ways data “escapes.”
It is the responsibility of every person who uses, manages, collects and distributes data for personal or company use to guard that data from “escaping.” Likewise, the process of finding and using data must not be so cumbersome that everyone keeps their personal copy of the data and clogs their desk with mounds of paperwork or proliferates data throughout their company on desktops, servers or storage arrays.
There are many facets or activities that must be planned to allow reasonable access and provide adequate protection of the information. It seems like the individual who has a home office would have the easiest time in protecting the data of their clients. But not everyone has multiple computers in their household to isolate the use of a system exclusively for spouses, friends, and children.
A similar situation occurs in a small office where there is lots of data sharing; thought and effort needs to be carefully exercised to limit its visibility. Similarly, a small company usually has a culture of sharing and collaboration, but thought, planning and execution for sharing / protecting data is essential to limit the exposure of sensitive data.
The entire approach to data security must become an inherent focus of anyone who has access to sensitive data. The process is an iterative one, starting with planning a protection method, implementing the planned protection scheme, enforcing it and accepting that the process needs to be reviewed and adjusting the process continually.
Let’s look at what must occur in a single person office where there is one computer in the home office which has some method of connection to the internet. Personal computer systems usually come with some force of virus protection and may include a security envelope of programs for data and connectivity protection.
For example, an insurance agent needs to have quite a bit of personal information to make the necessary recommendation to write a policy for life, home, or auto insurance. And if this data is cavalierly left lying around or a desk or computer, inadvertent eyes will likely peruse it. While usually there is no malicious thought to the oversight, the information can find its way to being abused.
Focusing on the internet connection method usually means acquiring some form of broadband or dial-up connection. The dial-up connection seems to be the easiest to manage since the dial-up providers usually provide a level of isolation from the internet that includes a virus scanner, pop-up blocker, and internet scanner. This software suite of protection programs usually requires the usage program to be downloaded and installed on the individual’s computer. Even getting these programs installed and configured to automatically update can require a level of expertise that a user does not have. Small, local computer support companies as well as large nationwide firms are available for a nominal charge to configure these protection programs. Even in a single user environment, the user must be held responsible to maintain their subscription to the service and learn enough to keep their protection programs updated.
If the computer is shared thought should be given to insulating / isolating the confidential data from the other users. An easy way to accomplish this is to add an additional hard disk and maintain a second operating system within the single computer. The business person should be the only one accessing the confidential data while all the other users would use the alternate drive for their web browsing, internet messaging, online game playing, music downloads, etc. The business user may also use this additional hard drive for their personal activities, thereby ensuring that the business data storage is not connected to the personal data storage for any user.
The security approach to this is easily implemented. The login account for the business hard disk and its operating system should not exist on the personal hard disk for personal use and vice versa. This sounds easy to do – and it is – but it needs to be done. The plan to do this and the act of actually doing it requires a little bit of money but more than the expense, the time and effort must be expended to actually implement and maintain the data and program separations.
A multi-computer household needs to be even more vigilant. All the computers need to be updated and kept current for data protection and for user separation. The major software vendors will gladly supply a multi-license pack for the protection programs; some service providers include this capability in their products for no additional charge. A broadband-based house has both attributes – it should be easier to connect and yet can be more difficult to manage. Connections are provided with DSL and its varying forms, cable, satellite, FIOS, wireless, etc. The common thread among these is that besides the speed increase compared to dial-up, these connections almost always involve a router, which provides features such as IP masking, firewall, DMZ "Demilitarized Zone" capabilities, even rudimentary virus and worm propagation.
The unfortunate side-effect of this connection method is that infection by Trojans, virus, cookies (no not chocolate chip or macadamia nut varieties) trackers happen instantaneously. Care must be exercised prior to initially installing this system into the broadband connection or network. Offline installation of the previously mentioned virus, pop-up blocker and internet security suite must occur in advance, and maintenance of these applications is essential.
Wireless connectivity creates an unfortunate chasm, since wireless is now prevalent on all laptops. Wireless connectivity is a port open to all manner of intrusions. Local wireless networks should at least be WEP-enabled "Wired Equivalent Privacy". More stringent restrictions would include specific MAC restrictions which would limit network access to specific, known hardware addresses.
In the end, some simple vigilance and awareness of how data access can be limited and protected from prying eyes will require the individual home office user to take steps without great expense.
Next time, I will expand on the this topic but focus on the small company and how these steps and additional preventive measures can become a key to protecting everyone’s personal data, as well as corporate data.
About the Author
Bill Burke is the Enterprise Architect for Wilmington Trust Company in Wilmington, DE. Bill has been with Wilmington Trust since 1994 and in that time had guided the corporation in open systems planning and implementation, and in the development and execution of its strategic technical directions. Bill engineered the company’s transition from a DOS/Windows/Novell environment to a Windows 2003 Active Directory environment for all servers, desktops and databases. The technical environment has dramatically shifted until Bill’s leadership to an extensive multi-tier infrastructure – mainframe, server, application and web; he is also deeply involved in all aspects of information systems security, including data security.
Prior to joining Wilmington Trust, Bill worked at NBC in Burbank, CA implementing a Windows and client-server database environment. With over 25 years in various phases of computing including real-time instrumentation; nuclear system monitoring and design; optical instrumentation, database design and optimization; and operating and network systems design, implementation, security and support, Bill continues to have avid interest in personal and business computing.
Bill has a bachelor’s degree in Electrical Engineering from Drexel University; he is a Microsoft Certified Systems Engineer and Internet Engineer and he holds SAN certification.
Personally, Bill enjoys raising his son with his wife in Delaware along with reading, traveling, doing home projects and working towards a black belt in karate. Bill can be reached at BillBurke@aol.com