January 23, 2008

Achieving Information Security: Prevention (1 of 3)

The most valuable asset of most organizations is the information they hold, whether it be top secret design plans for their next product, accounting information about future company acquisitions, or the personal information of their clients and employees. A breach in the security that protects these assets can result, and has resulted, in companies going bankrupt due to loss of client confidence, lawsuits, and loss of competitive edge. There are three parts to achieving information security: Prevention, Detection and Response.

As the saying goes, an ounce of prevention is worth a pound of cure, and that is no different in the IT world. Preventing unauthorized users from gaining access to your confidential data should be priority one. There are several things that can and must be done to prevent unauthorized access to data. You need to consider not only digital security (passwords, user names, file permissions, etc.) but also physical security.

Physical Security:
Physical security is often overlooked when we think about protecting information held on a computer, but the truth is, if someone gains physical access to your file server, they now own your data. So making sure you keep your server in a protected and secured area is very important. Servers and data backups should be kept under lock and key at all times. Ideally you want a room with controlled access that is monitored electronically and by a human. Because a secure environment like this is not always available at your office, many companies choose to use data centers to house their servers. Data centers not only provide a great deal of security, but they can provide redundant power as well as fire suppression to protect your equipment. The level of security at data centers will vary based on the center you are working with, but most are very good.

For example, the data center I have used for clients in the past included the following security:

  • Biometric palm scanner + PIN to get into the main door
  • Sign in with a security guard as you pass through the first set of doors (they check ID)
  • You go to your designated locker (they watch to be sure you are only near your lockers)
  • Key lock AND combination lock on the server rack doors
  • Roaming security guard as well as CC security cameras
  • After hours, before you could even enter the building, you had to be buzzed in by security

Now this may seem excessive, and it might be overkill depending on your business, but we dealt with accountants, lawyers, doctors, DOD contractors and other professions where data security was considered top priority. So it will be up to you to find a proper solution that matches the value of your data.

Digital Security:
Once you have a good physically secure location picked out and set up, you need to protect your data from people coming at it over the wire, and not through the doors. The method you choose to protect your data will again vary based on how valuable that data is, and it will be up to you to decide how much protection is enough. Your goal here is to make your data secure enough that those who aren't supposed to have it can't get it, but those who need it can get it without too much trouble.

One of the easiest ways to protect files in a Windows domain environment is by adding permissions to them. Not only can you select who has access to files, but you can choose what kind of access to the file they have. In some cases, many people may need to read a file, but only 1 or 2 need to be able to make changes to it, so you can give read permission to some and write or modify permissions to others. This allows a very customizable and secure security scheme. More information about Windows permissions can be found HERE.
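The read-versus-modify split described above, as an added example that is not part of the original post. The folder path, the CONTOSO domain, the group and the user names are all hypothetical; run it from an elevated PowerShell session on the file server.

```powershell
# Added example. The folder, domain, group and user names are hypothetical.
$path    = 'D:\Shares\Finance\Budget'
$readers = 'CONTOSO\Finance-Staff'            # the many people who only need to read
$editors = 'CONTOSO\alice', 'CONTOSO\bob'     # the 1 or 2 people who make changes

# Apply each entry to the folder, its subfolders and its files.
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$none    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

function New-Rule([string]$Identity,
                  [System.Security.AccessControl.FileSystemRights]$Rights) {
    New-Object System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, $Rights, $inherit, $none, $allow
}

$acl = Get-Acl -Path $path

# Stop inheriting from the parent folder and discard the inherited entries,
# so access no longer depends on whatever the parent grants.
# Explicit entries already on the folder are left in place; review them below.
$acl.SetAccessRuleProtection($true, $false)

# Keep administrators and the operating system in control of the folder.
$acl.AddAccessRule((New-Rule 'BUILTIN\Administrators' 'FullControl'))
$acl.AddAccessRule((New-Rule 'NT AUTHORITY\SYSTEM'    'FullControl'))

# Readers can open and list files; editors can also change and delete them.
$acl.AddAccessRule((New-Rule $readers 'ReadAndExecute'))
foreach ($user in $editors) {
    $acl.AddAccessRule((New-Rule $user 'Modify'))
}

Set-Acl -Path $path -AclObject $acl

# Check the result: every entry should show IsInherited = False.
(Get-Acl -Path $path).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize
```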

File and folder permissions are great, but one of the major flaws in that type of set up is that the computer will assume anyone logged in as a user is indeed that person. So if Joe happens to know Susan's password and logs in as her, or Susan leaves her computer logged in and Joe sits at her desk, Joe will now have Susan's file permissions. So what we need here is called User Authentication. Essentially, user authentication is a way for a computer to verify who is actually sitting at the keyboard. The most common way to do this is via a Username/Password combination. More advanced and more secure ways include using Biometrics (fingerprints, palm prints, facial recognition) or a SmartCard. Many times people will use these different types of security in conjunction with each other (this is called multi-factor authentication). At my old data center, for example, we used both Biometrics and a password (or PIN). This is a very common set up, and the reason is that it requires not only two forms of authentication, but two different types. So I needed something physical (my palm print) as well as something I knew (my PIN). It might be easy for someone to steal a password or PIN, but stealing a fingerprint or palm print is a lot more difficult.

Once you have your file security in place, you are pretty close to having a good security set up, but there is one last but very important piece of security that is constantly overlooked: the human element. In order to have any level of data security, you need to educate your staff on how to keep data secure. Employees need to know what data can be passed on to the public, what can be given to other employees or other departments, and what must remain a secret or not be passed around. If you don't tell them, they won't know, and the likelihood of an accidental breach is pretty big. A common way to keep track of what information can be given to different people is by giving different data a different level of clearance. For instance, the military and many large companies may label documents confidential, secret, or top secret. Based on those designations, staff know that only people with top secret clearance can have access to top secret documents. Similarly, you may label some documents for "full public disclosure" where the data can be given out freely (this could be something like the phone number for the main office or a branch office) or "limited public disclosure" to control press releases and public announcements that can only be given with special permission.

Once you are able to control physical access and digital access, and are able to teach your employees the proper way to handle data, you are well on your way to achieving a good level of information security.
