The dangers facing data on the move


Tracey Caldwell, freelance journalist

Data on the move is vulnerable, as the usual security measures may not apply. Yet 95% of organisations move data around at least once a year, and 44% move data more than five times per year, according to recent research by Varonis.[1] Organisations are generating more and more data and are looking creatively at how to handle and store it. Some organisations are moving at least some of their data to the cloud. Merger and Acquisition (M&A) activity and departmental mergers are also driving data migration. And often this move is done on the cheap as organisations look to achieve savings.

Despite the fact that data is so commonly on the move, 96% of respondents to the Varonis survey reported concerns when performing data migrations. These concerns revolved around maintaining availability, determining which data were needed (stale or active), determining data ownership, and maintaining or translating correct access controls.

Ryan Rubin, director of security and privacy at Protiviti, outlines the security and fraud risks that may occur during a data migration process: “These include exposure to the data during the data transmission, privacy risks associated with the data itself, ‘data at rest’ risks while the data is relocated and then used in the new environment, data legacy/retention risks – whether it is being adequately removed from the old environment – and data mobility risks.”

December 2012

Moving data out of one system or company, and into another creates opportunities for data compromises to occur, as there may be an opportunity to bypass existing data security and privacy controls, Rubin points out. For example, data being migrated from one database to another may result in the data being exported out of the database, where database security controls are in place, and onto a large file. This file could be temporarily stored on an external hard drive or network drive without any appropriate access controls, or transported over a network link to the target system without appropriate encryption, exposing the data being migrated. Once the data has been moved, there may also be an erroneous expectation that it has been erased securely from its original location and that all media associated with the data have been appropriately cleaned.

M&A risks

M&As carry their own risks. “Data captured in one company may have specific rules and processes around it that govern the acceptable use of this data,” says Rubin. “As it moves from one company to another, proper due diligence is required to ensure that privacy requirements and expectations continue to be met.” These issues could include the location the data resides in (eg, transferring data out of EU jurisdiction), the expected security control measures (defined in previous contracts) and/or the explicit permission given to make use of the data itself – perhaps where customers gave permission for one company to use their private data for a specific purpose, but not the new entity once the merger or acquisition is completed.

Ralph Baxter, CEO of ClusterSeven, believes the integration, or separation during demerger, of different business units and their data systems is one of the most difficult parts of the data management equation: “The eagerness to collate or separate multiple sets of data sources, and associated transformation processes, means that the risks are heightened, and failure to put reliable safety nets in place can undermine the entire post-deal process.”

The traditional perception of M&A data migration is typically that it is a ‘one-off’ substantial data transfer from database A to database B. The reality is much more piecemeal.

Computer Fraud & Security

“An immediate and continuing need for data migration post-deal is the successful operational transfer from data source to spreadsheet or simply between spreadsheets,” says Baxter. “This form of data migration is one that takes place on a rolling basis. In this case, we see data taken from database A and database B, placed into a spreadsheet and analysed to create database C. This system is significantly more open to manipulation due to the fact that it tends to be a ‘low level’ – ie, repeated activity with few controls.”

M&A activity and departmental mergers within large enterprises often result in large data migration projects. Business pressures often dictate this is done quickly and cheaply. In these situations, there is a clear temptation to take short cuts and temporarily suspend data security policies but Chris Wysopal, CTO and CISO at Veracode, cautions against this. “Instead, design the data migration plan with security in mind, which includes three core areas,” he says. “First, protect the data in transport and once it’s loaded into the new data repository, with appropriate encryption techniques and access permissions. Second, determine if the data needs to comply with any regulations regarding retention, backup and access auditing, and make sure those controls are tested and in place in the new repository. Third, assess the security of the applications that will ultimately allow legitimate access to that data repository.” He adds: “As today’s news headlines attest, the latest generation of attackers are stealing data by hacking the applications, not the network. The reality is, doing secure data migration right takes time and money, but it will be time and money well spent.”

Data destinations

Two-thirds of organisations report that they usually move more than 1TB of data at a time, for a variety of reasons, including infrastructure upgrades and organisational changes such as mergers and acquisitions, according to Varonis. Only 35% of those surveyed reported that they were very confident that sensitive data would only be accessible to the right people during a migration. Yet only 26% take the time to optimise permissions during a move, and just 21% of organisations make sure that folders and SharePoint sites are safe from global access groups. Varonis has also found that organisations most commonly move data from one file server to another one, or to a Network Attached Storage (NAS) system (80%), between domains (44%), and from file shares to SharePoint (40%).

The reasons why organisations migrate data. Source: Varonis.

Mark Thomas, solutions architect at Databarracks, believes that moving data internally doesn’t normally pose any problems as clients control all aspects of the source and destination. However, migrating data to a third party can prove a significant risk whichever of the two ways of getting data from A to B is selected. If there is a small amount of data or the enterprise can allow a long time for delivery, enterprises can send it over the wire to the endpoint. Alternatively, if there is a large amount of data and less time to migrate it, another option is to ship the data via a physical device to its destination. There are risks associated with both methods.

Thomas says there are a number of questions that need to be asked. “If you plan to ship data on a physical device, what is the device and who is carrying it?” he says. “USB drives are now capable of carrying a large amount of data and yet small enough to put in a laptop bag. The very nature of USBs means they can be plugged into just about any computer device. Hence, data on USBs should always be encrypted to ensure that no unauthorised browsing can take place. Shipping a device may mean that a third party is involved; who are they and do you trust them not to lose or compromise the data? Determine what tracking is available for the data being moved. Again, encryption of data in transit is vital.”

Shipping large devices, such as Storage Area Networks (SANs), poses significant risk because of the greater difficulty of encrypting the data. Thomas cautions enterprises to ensure that disks can’t be removed from the SAN, as this could lead to data theft, which wouldn’t be immediately noticeable. Migrating data through a WAN connection also raises queries. “Standard policies for SSL VPN between source and destination can stop public transmission but who owns the end points?” asks Thomas.

Migrating into the cloud

Many companies are moving data to the cloud to take advantage of its scalability and ‘pay as you go’ applications. Cloud allows a fast way of merging and migrating data during an M&A, as an alternative to the complexities of integrating the systems and IT teams of the two companies involved. Richard Olver, director of EMEA at CipherCloud, says: “There are substantial market pressures on a divested or acquired business to cut the apron strings, thus cloud represents a fast way to migrate core technology platforms. With this haste however, IT security and data privacy personnel aren’t always involved, or are brought in too late. This is not just a security concern, but brings data privacy, residency and compliance issues that could result in regulatory fines in the millions of pounds. Ultimately, the end result could delay the migration and the benefit that cloud promises.”

Recent guidance on cloud computing issued by the ICO (Information Commissioner’s Office) has made it very clear that organisations can outsource responsibility for managing cloud data, but they can’t outsource accountability. Ultimately the companies that own the data remain responsible for securing it and must address a number of vulnerabilities inherent in a migration to the cloud.

Mark Heathcote, practice director at independent IT and business change professional services firm Xceed Group, highlights the risks to data confidentiality. “Data categorisations such as ‘confidential’, ‘highly confidential’, ‘public’, ‘personal’ etc may not be taken into account during the migration process, and categorisation models and hence security can be broken,” he says. “This in itself can introduce legislative compliance issues.” The use of staging or data translation technology as a middleman for transfer could, at least temporarily, remove all access restrictions and expose confidential data to the project team.

The amount of data organisations move during migration projects. Source: Varonis.

Choosing suppliers

As Olver points out: “In most of the world’s cloud applications, data is stored in the clear, in an unencrypted format, which is exceptionally risky. Too often organisations simply trust that their cloud provider has addressed this issue adequately, but that’s rarely the case. Organisations need to get their IT security and compliance teams involved early, and ensure that their sensitive cloud data is encrypted, and that the organisation retains control of the encryption keys.”

Analyst firm IDC is of the view that about 30% of suppliers in the cloud market in August 2012 will be out of business by 2015 as it is a relatively new market with many players entering and leaving the playing field. IDC stresses it is imperative for CIOs to ensure due diligence when selecting a cloud service provider.

Levels of security in both public and private clouds can vary considerably from one another, and from the levels applied for on-premise services. “Varied adoption levels of cloud technology have resulted in a lack of cloud security standards across the industry,” says Chris Jenkins, line of business manager for security solutions at Dimension Data UK. “This means enterprises looking to migrate data to the cloud must adopt a more holistic approach that assesses and aligns security needs across the business, as well as adheres to any specific regulations or compliance that might be required for the industry that they operate in,” he says. “This type of approach ensures all data is secured and hosted appropriately, whether on-premise or in the cloud.”

This means balancing cost savings against the risk of data breaches caused by an unsecure cloud provider. John Green, CTO at Prolinx, says IT decision makers need to be sure that external companies can be trusted and have all the right security accreditations in place so that data integrity is maintained at all times. He points out that it is not often fraud that is the biggest concern but rather the loss of information or a breach in security that causes a loss of information. He adds: “It is also important to keep in mind that, if there are any doubts about data integrity, there are solutions available which can provide companies with a comparison of what their data looked like pre- and post-migration. These solutions can help IT departments to identify data breaches and stop fraud or security risks before they happen.”

Plans to secure data migration into the cloud should also include consideration of how to get the data out again securely. The Data Liberation Front is an engineering team at Google whose goal is to make it easier for users to move their data in and out of Google cloud products.[2] Its website states: “We always encourage people to ask these three questions before starting to use a product that will store their data: can I get my data out in an open, interoperable, portable format? How much is it going to cost to get my data out? How much of my time is it going to take to get my data out?”

Cloudreach supplies Google Apps for businesses. Pontus Noren, director and co-founder of Cloudreach, points out: “We have been asked on a number of occasions during Google Apps migrations, to help the company create an exit plan. They want to know how to do it and how long it takes.”

BYOD

Once an enterprise has migrated its data to the cloud and is confident that it is now stored securely, the job of securing that data is just beginning. Data safely migrated to the cloud has just started a journey that may well see it on the move again, shared among multiple employee devices as organisations tap into the benefits of the Bring Your Own Device (BYOD) trend.

“Enabling people to work remotely means accessing the cloud from devices outside of the corporate security perimeter and potentially outside of corporate IT control,” points out David Bailey, director, cyber security at BAE Systems Detica. “The cloud has to be treated as part of a company’s overall information estate and the same balanced view of cyber-risk still needs to be applied. Should sensitive data or intellectual property be encrypted if it is stored in the cloud, or even kept on a more secure system entirely?”

One of the biggest risk factors around data migration to the cloud is the lack of expertise in the workforce, according to John Thielens, chief security officer, Axway. “There is already a pervading fear among organisations that human error will compromise the security of data within the company. This fear is heightened when the advanced equipment needed for managing cloud migration projects comes into the equation,” he says. “Businesses need to ensure they are investing in their workforce, equipping them with the skills needed to understand and access the Application Programming Interface (API) and how to perform thorough security analysis and testing.”

He adds: “Bring your own device is becoming more common in businesses. However, it requires a tight rein. Not knowing where your data is, how it is being accessed, and by whom, are the biggest barriers for migrating data to the cloud. BYOD needs proper security policies in place to give businesses end-to-end visibility of data transactions. Moreover, with new gadgets constantly hitting the market, organisations need to keep innovating so that they can implement the latest tech into their business and support the right people at the right time.”

Testing, testing

A good starting point for any data migration is to ensure that data is backed up securely and then to create a test environment for a dummy run of the migration. “A test environment will allow stress testing at transaction level to show the integrity of the new environment,” says Gurdip Sohal, sales director at Covenco Recovery Services. “It would then migrate after validation of the complete data set, and be robust enough to run the business if any errors were to occur during the process.”

In reality, time constraints, cost and staff resources mean this doesn’t always occur and most organisations will opt for a ‘big bang’ or phased migration. A big bang migration will usually involve a full system shutdown over a period of at least a few hours and it may be difficult to assess the implications of extended downtime of core systems to data security. A phased migration, with old and new systems running in parallel, carries its own risks around control and duplication of data.

Plan ahead

For businesses, migrating huge volumes of structured and unstructured data to the cloud quickly and maintaining it there securely can be a very complex proposition and demands a strategic integration plan for the migration of the data that takes into account both the business and the security and compliance context of the data. In the case of M&As in particular, this might call for a third party consultant to take a holistic view of the business.

The complexities have increased as individual functions, such as application groups, and initiatives such as virtualisation, security and the cloud have progressed separately, each designing and deploying systems that meet their specific project goals and budget but are often unaligned and in conflict with each other, points out Sam Cattle, security practice lead at GlassHouse.

“The complexities create a myriad of risks, vulnerabilities and inefficiencies for organisations to consider,” he says. “In addition to these complexities, the fundamental underlying benefits of moving to the cloud, including self-service provisioning and service catalogues, also create problems by the nature of their simplicity. It becomes significantly easier for groups or individuals to deploy new servers or services, modify access to applications, alter how and where data resides.” He adds: “Thus, a second type of risk is introduced – that caused by well-intentioned groups that now have the capability to make rapid changes that may inadvertently undermine or bypass in-place security policies or safeguards.”

The data dozen – best practices for migration

These best practices are taken from the Information Security Forum (ISF) Standard of Good Practice:

1. Information security requirements should be considered at all stages throughout the relationship with external suppliers, with the objective of protecting critical and sensitive information when being handled by external suppliers or when being transmitted between the organisation and the supplier.
2. Treat this as any other outsourcing project. Have a defined contract/SLA in place before any work on the migration is carried out.
3. Before the migration starts, the organisation should classify its information, which is used to determine varying levels of confidentiality of information (eg, top secret, company-in-confidence and public) and provide a description of each level of confidentiality, and takes into account the potential business impact from the loss of confidentiality of information. This classification should drive the information security controls deployed for the migration, modified by the output of the next step.
4. Conduct an information risk assessment for the migration, using this to identify additional controls over and above those associated with the classification of the information to be migrated.
5. Check statutory (legal and regulatory) requirements relating to the information being migrated.
6. Agree with the receiving organisation how data will be migrated and the controls to be in place before, during and after the migration.
7. Nominate points of contact for the migration in all involved organisations and ensure they have the authority and responsibility to manage the migration.
8. Agree access rights: state who will have access to the data before, during and after the migration. Log all access and review on a regular basis.
9. Ensure that a backup of the information to be migrated is taken before the process is started and agree a back-out plan.
10. Create a test plan to ensure the migration is successful; use random checks to test the integrity of the data after migration.
11. Agree how the contract is ended – what are the criteria for success or failure. Define the exit criteria and actions, along with responsibilities.
12. Create and agree an incident or problem management plan, test and then update it as the migration project proceeds.
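An added example, not part of the original article or of the ISF standard: one way to carry out the random integrity checks of best practice 10 and the pre- and post-migration comparison John Green describes, using a keyed manifest of per-record digests. The record layout, the key handling and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import random

# Constructed demo key. Assumption: in practice the key is held apart from the
# export file and the staging area, so editing the data cannot also fix the manifest.
KEY = b"constructed-demo-key-not-for-production"

def record_digest(key, record):
    """HMAC-SHA256 over a canonical JSON form, so field order does not matter."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, canonical.encode("utf-8"), hashlib.sha256).hexdigest()

def build_manifest(key, records, id_field="id"):
    """Return ({record id: digest}, [duplicated ids]) for one side of the migration."""
    manifest, duplicates = {}, []
    for rec in records:
        rid = str(rec[id_field])
        if rid in manifest:
            duplicates.append(rid)  # e.g. a phased migration loading a row twice
            continue
        manifest[rid] = record_digest(key, rec)
    return manifest, sorted(set(duplicates))

def compare_manifests(source, target):
    """Full comparison: what was lost, what appeared, what changed in transit."""
    shared = set(source) & set(target)
    return {
        "missing": sorted(set(source) - set(target)),
        "unexpected": sorted(set(target) - set(source)),
        "altered": sorted(r for r in shared
                          if not hmac.compare_digest(source[r], target[r])),
    }

def spot_check(key, source_manifest, fetch_target, sample_size, rng=None):
    """Random check: re-read sampled records from the live target and re-hash them."""
    rng = rng or random.SystemRandom()
    ids = rng.sample(sorted(source_manifest), min(sample_size, len(source_manifest)))
    failed = []
    for rid in ids:
        rec = fetch_target(rid)
        if rec is None or not hmac.compare_digest(
                record_digest(key, rec), source_manifest[rid]):
            failed.append(rid)
    return sorted(ids), sorted(failed)

# Constructed sample data: the source export and what arrived at the target.
SOURCE = [
    {"id": 1, "name": "A. Patel", "iban": "GB00TEST0001", "limit": 5000},
    {"id": 2, "name": "B. Jones", "iban": "GB00TEST0002", "limit": 1200},
    {"id": 3, "name": "C. Okoro", "iban": "GB00TEST0003", "limit": 800},
    {"id": 4, "name": "D. Silva", "iban": "GB00TEST0004", "limit": 2500},
]
TARGET = [
    {"limit": 5000, "iban": "GB00TEST0001", "name": "A. Patel", "id": 1},  # reordered only
    {"id": 2, "name": "B. Jones", "iban": "GB00TEST9999", "limit": 1200},  # altered
    {"id": 4, "name": "D. Silva", "iban": "GB00TEST0004", "limit": 2500},
    {"id": 4, "name": "D. Silva", "iban": "GB00TEST0004", "limit": 2500},  # loaded twice
    {"id": 7, "name": "E. Extra", "iban": "GB00TEST0007", "limit": 100},   # not in source
]

def run_demo():
    """Compare the two constructed data sets, then spot-check two random records."""
    src, _ = build_manifest(KEY, SOURCE)
    tgt, dupes = build_manifest(KEY, TARGET)
    report = compare_manifests(src, tgt)
    report["duplicates"] = dupes
    by_id = {str(r["id"]): r for r in TARGET}
    sampled, failed = spot_check(KEY, src, by_id.get, 2)
    return report, sampled, failed

if __name__ == "__main__":
    print(run_demo())
```

A round trip through CSV that turns the number 1200 into the string "1200" is reported as altered, so the canonical form of each field has to be agreed before the export is taken.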

Conclusion

Data migration does carry with it fraud and security issues. But addressing these need not be a drain on resources if the issue is approached as an opportunity to improve practice and revalue data – and the worth of those securing it. “Data migration can be an opportunity as it forces data owners to reassess the value of data and the effectiveness of IT security controls,” says Peter Allwood, manager in Deloitte’s Enterprise Risk Services practice.

While there are risks that need to be addressed, the risk remains relatively small. Databarracks’ Thomas points out: “Unless someone knows you are moving a specific set of data at a given time by a specific method to a specific site, it’s probably relatively small. The risk increases with the net worth of the data, the more profitable the data the higher the likelihood of an attempt to steal it. But really the biggest threat is not technology but the people involved.”

About the author

Tracey Caldwell is a freelance business technology writer who writes regularly on security issues. She is editor of Biometric Technology Today, also published by Elsevier.

References

1. ‘Data on the Move’. Varonis, 2012. Accessed Nov 2012. www.varonis.com/assets/reports/en/Data-on-theMove-Report-en.pdf.
2. Data Liberation home page. Accessed Nov 2012. www.dataliberation.org.

Resources

• Georgiev, M; Iyengar, S; Jana, S; Anubhai, R; Boneh, D; Shmatikov, V. ‘Most Dangerous Code in the World: Validating SSL Certificates in Non-Browser Software’. Accessed Nov 2012. www.cs.utexas.edu/~shmat/shmat_ccs12.pdf.
• Hernan, S; Lambert, S; Ostwald, T; Shostack, A. ‘Uncover Security Design Flaws Using The STRIDE Approach’. Accessed Nov 2012. http://msdn.microsoft.com/en-us/magazine/cc163519.aspx.
• ‘IDC – Cloud Changed IT Forever and Will Now Do The Same for Businesses, says IDC’. 29 August 2012. Accessed Nov 2012. www.idc.com/getdoc.jsp?containerId=prAU23667012.

Contactless payment: curse or blessing?

Calum MacLeod, Venafi

When sensitive information is misused or compromised, organisations not only face monetary penalties but loss of customer trust and loyalty. As brand reputation is the retailers’ most valuable asset, it can be devastating – just ask TJ Maxx. But with the ways in which consumers pay continuously evolving, how do you keep up and remain secure?

Retailers realise that customers have more shopping choices today in both online and physical storefronts and have adopted more integration in delivery of loyalty programmes, merchandising and marketing to attract and retain customers. Evolving payment technologies are the latest weapon that can be deployed in the battle for market share, giving retail merchants the freedom to craft the type of experience and relationship they want with their customers.

Easier ways to pay

EMV smart cards, more commonly referred to as ‘chip and pin’, were introduced in the UK and Ireland in 2004 in an effort to tackle fraudulent transactions. While EMV technology helped reduce crime at the tills, when it came to telephone, Internet and mail order purchases – known in the industry as Card Not Present (CNP) transactions – the fraud figures were still growing. In an effort to combat this trend, a three-digit number on the back of the card, below the magnetic stripe, was introduced. With many guises – the Card Security Code (CSC), Card Verification Data (CVD) or Card Verification Value (CVV or CVV2), to name just a few – it is meant to afford the retailer and cardholder additional protection by ensuring