Where To Find Guidance In Following All The Guidelines
Organizations are increasingly faced with the challenge of remaining compliant with the myriad of government policies and industry guidelines in the protection of consumer/personal information.
These mandates, especially important to credit unions, are dictating a more data-centric approach to securing consumer information, and include NCUA published rules and regulations for Federal Credit Unions. Part 748 of the NCUA guidelines provides a very clear charter: protect member data. What isn't so clear is how credit unions should address these guidelines, particularly in times like these in which a new security threat seems to create headlines each day.
Passed in 2001, Part 748's guidelines mandate that credit unions develop an information security program with the following objectives:
"Ensure the security and confidentiality of member information; protect against any anticipated threats or hazards to the security or integrity of such information; and protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any member."
Since these guidelines were first passed, the threats to member data-and corresponding steps credit unions need to take to meet these guidelines-have changed significantly.
In the past, credit unions have largely been able to address these requirements by building a strong network security perimeter through the use of firewalls, intrusion-detection systems and the like. But the nature of today's security threats require a new approach to security.
As evidence of these new threats, Gartner Research reports that 75% of external-based attacks are tunneling through applications-and so go undetected by a range of perimeter security mechanisms. Even with a fortified network perimeter, storage systems can be breached via insecure storage management interfaces and physical storage systems, leaving data in the databases and applications vulnerable to attack.
In their efforts to address these changing dynamics, and to remain compliant with 748, credit unions are beginning to look to a more data-centric approach to ensuring data privacy-undertaking the process of selecting and securing critical data inside the enterprise.
Encrypting data housed inside the corporate web, and application and database servers is one of the central aspects to achieving data privacy. It can be employed to effectively protect sensitive information so that even if a system is breached, any encrypted data will be unusable. Given the dynamics above, this is becoming a critical next step in securing sensitive member data.
However, encrypting data in an organization can create a great deal of complexity-and if it isn't done right, it will not adequately address fundamental security gaps.
Following is an overview of some of the key issues credit unions should consider when undertaking a data privacy initiative.
Identifying, Classifying, and Charting Access
Data classification is an important element of achieving data privacy. Following are a few of the first key steps in the process:
Identification and classification of sensitive data. Develop a scheme for classifying data to help identify which information within the enterprise will need to be addressed.
Determine where all identified sensitive data is located.
Organizations need to determine which applications, databases, storage subsystems, and backup media manipulate and store critical information.
Determine data access models. This process includes identifying how applications, users, and processes access the data. The ultimate goal is to identify different points of integration for a data privacy solution that provides the highest level of security with the most ease of integration.
Define Security Policy Around Identified Data
Once the data identification and classification process is complete, managers can begin to develop a security policy around the appropriate data. Most security minded organizations have a recommended process for developing security policies, and while we strongly encourage companies to leverage existing policies and guidelines, it is important to, at a minimum, achieve the following objectives when defining a security policy around data privacy.
Acceptable Threat Level. While most organizations want maximum security for their sensitive data, there will be people and processes that ultimately must access sensitive data in the clear. It is important to realize that deploying a data privacy solution can range from simple to complex depending on the level of threat that is deemed acceptable. Consequently, determining the acceptable level of threat within an enterprise is a function not only of security policy, but resources available for implementation.
Authentication and Authorization Policies. Develop an authentication and authorization policy that leverages best practices and historical information to help determine which users, processes, and applications have access to sensitive information.
Compliance Measures. Understand and interpret measures that are driving requirements for data privacy. In addition to NCUA 748, there are many regional and legislative compliance initiatives that may make an impact on today's credit union.
Security administrators should identify the legislative measures that apply to their specific organization, review the actual laws/language with the assistance of a legal team to grasp legal exposure, and, once an acceptable threat model is agreed upon among business and legal entities, translate those legislative requirements into technical requirements that can be clearly understood by the technical team.
It is also essential to clearly understand the difference between meeting legislative compliance measures and delivering true data privacy, which will often effect varying requirements.
Other Considerations Across The Enterprise
Ensure involvement across all core technology areas. Leveraging encryption as a means of securing data can affect technology groups across the enterprise.
As a result, it is essential that this effort involve all core technology areas, including network, IT, security, development, database, and storage.
Leverage a centralized model to increase ROI. When considering a data privacy solution, it is critical to consider the centralization of many of the fundamental building blocks of data privacy, including encryption, key management, logging and auditing, and authentication and authorization.
Doing so will help deliver a scalable solution, reduce the cost of management, increase security, and allow for faster responses to security attacks.
Understand and minimize performance impact. Encrypting data can have significant performance implications.
Given this, administrators should review the infrastructure and systems in advance to see if there are points that can be optimized to offset performance impacts, offload encryption to specialized hardware where possible, and encrypt only the data that requires this level of security.
Anticipate and plan for necessary changes. In today's complex enterprise environments, it is important to anticipate and plan for the changes that will be required as a result of encryption of critical data. Some of these changes include data size and type changes when encrypting data, potential additional storage requirements as some encryption may result in larger data segments, and changes to business logic to adapt to the impact of encryption.
Karim Toubba is vice president of product management and marketing at Ingrian Networks. He can be reached at ktoubba