Archive for January, 2010

Providing Data Protection Solutions for your Customers

Saturday, January 30th, 2010

What do e-mail lists, business information, customer contact lists, employee records and financial information all suddenly have in common?

Answer: They are the Top 5 things stolen by employees after leaving a job, according to a recent survey conducted by the Ponemon Institute, a Tucson, Ariz.-based research group whose survey was reported on by The Washington Post.

This is an excerpt from the intro to Security from the Inside: Your Opportunity in the Information Protection and Control Market (IPC). The paper cites other alarming statistics like:

“Nearly 60 percent of employees who quit a job or were asked to leave over the last year stole some form of company data”

More important than the statistics on data breaches and information theft is the opportunity that the statistics create for service providers and independent consultants to deliver solutions to their customers. The Zecurion partner program is an ideal alliance that allows you to leverage the products and services of Zecurion to provide superior data protection solutions.

ZAPP!

Zecurion Advantage Partner Program

  • Dedicated Relationship Managers
  • Training and Sales Support
  • Review of Upcoming Products
  • World-Class Technical Support
  • Joint Marketing Campaigns
  • Events and Joint News Releases
  • Upsell Opportunities

Stop by Booth #2651 at the RSA Security Conference in San Francisco, March 1 – 5, to learn more about Zecurion products and the Zecurion Advantage Partner Program.

State Laws Encourage Backup Encryption

Sunday, January 24th, 2010

I heard a rumor recently that Iron Mountain, a leading provider of offsite storage for backup data, was implementing a new policy that all customer data must be encrypted.

It makes sense. Unencrypted backup media seems to be an increasingly common source of data breaches. Chase Bank lost data on an unencrypted backup tape. Information Vaulting Services lost a backup tape from the state of Arkansas containing unencrypted personal information on over 800,000 individuals. A third-party storage vendor lost an unencrypted backup tape from Bank of New York Mellon with sensitive information from 4.5 million customers. The list goes on, and on, and on… and on.

While the organization entrusted with the data (Chase Bank, the state of Arkansas, or Bank of New York Mellon in the cases cited above) ultimately pays the price for the breach, in broken customer trust and damaged reputation as well as fines, penalties, and the cost of notifying and protecting customers, these losses also reflect poorly on the third-party organizations responsible for securely storing the backup media.

Organizations like Iron Mountain that provide offsite storage have no way of knowing what data is contained on the media they store for their customers, nor whether that data is encrypted or protected in any way. A tape is a tape is a tape, and they are all handled and treated the same. Granted, a company that exists to provide secure offsite storage for backup data should not lose its customers' backup media, but it shouldn't bear any additional responsibility for personal or sensitive information being compromised as a result.

It turns out that the rumor I heard was incorrect. I spoke with Iron Mountain and was told that it does not require customers to encrypt backup data, although it does believe it's a good idea and highly recommends that customers consider doing so.

Apparently, the rumor stems, at least in part, from laws enacted in Nevada and Massachusetts. Those state laws require that personal information that could lead to identity theft be protected, even on backup media. Iron Mountain may not require it, but Nevada and Massachusetts do require that organizations located in those states, or that do business there and retain personal information about their residents, encrypt that information on backup media.

Suffice it to say, it's just a good idea. Data at rest should be encrypted whether it is stored on servers on your internal network or on backup media stored offsite with a third party. The encryption keys must be kept somewhere other than the media itself; a tape that travels with its own key is no better protected than a cleartext tape.

A Safe Isn’t Safe When it Comes to Protecting Data

Tuesday, January 19th, 2010

It sounds like a good idea to provide some extra security for your backup data by storing the media in a locked safe. It is certainly better than storing the media in an unlocked drawer or on a shelf somewhere. But, if a thief simply takes the whole safe, as happened to Goodwill of Greater Grand Rapids in Michigan, the data is not really protected any more.

While it seems fair to assume that the thief expected to find money inside, the safe actually contained names, addresses, dates of birth, and Social Security numbers from thousands of Goodwill workers. Since the thief took the whole safe, it also seems fair to assume he or she had a plan for how to open it and extract its contents.

After that, it gets a little more difficult to speculate. According to Jill Wallace, VP of Community Relations for Goodwill, the official stance seems to be based on an assumption that the thief is simply too dumb to know what a backup tape is or how to find out what is stored on it. “Basically it would be impossible for an individual to even know what to do with that data or even how to open it up.”

I’ve worked with backup tapes. A backup tape may not look exactly like a standard audio cassette, but it is obviously a tape. Contrary to Wallace’s sentiment that the data must be safe because the thief would be too clueless to use it, I think it's reasonable to believe that the thief *would* know that it's a data tape and, especially after the disappointment of finding no money in the safe, would do everything possible to determine what *is* on the tapes and try to make lemonade from lemons by capitalizing on the data they contain.

According to the article from the Grand Rapids News Channel 3 Web site, “Goodwill of Greater Grand Rapids thought that personal data would be more secure if those tapes were not in a corporate office, but inside one of its stores. The organization has decided not to do that anymore.”

I think Goodwill missed the point and learned the wrong lesson. The location of the safe is not the problem–thieves are just as likely to break into the Goodwill corporate office and take the safe. The issue is that the data stored on the backup tapes–or any other media you might store your backup data on–should be encrypted so that the data is protected even if the storage container is breached.

Protecting Your Fourth Amendment Rights in the Cloud

Monday, January 18th, 2010

It should not come as a surprise to learn that technology and digital data are evolving faster than the law can adapt. From copyright to privacy law, issues arise on a regular basis where existing laws and legal precedent simply don’t make sense in the context of electronic media and Internet communications.

The Fourth Amendment of the Constitution of the United States protects citizens against unreasonable search and seizure of property. Storing data in the cloud creates some gray areas when applying those Fourth Amendment rights, though. If a law enforcement agency has probable cause to investigate the cloud storage provider and seize the servers the provider owns, how does that affect your Fourth Amendment right not to have *your* data on those servers seized?

A recent article on CNet explores the question of whether or not your Fourth Amendment rights are protected in the cloud. The article focuses on a paper featured in the June 2009 edition of the Minnesota Law Review titled “Defogging the Cloud: Applying Fourth Amendment Principles to Evolving Privacy Expectations in Cloud Computing.” In the paper, University of Minnesota Law School student David A. Couillard provides a detailed and insightful analysis of the issues faced when applying the Fourth Amendment on the Internet.

In the paper, Couillard notes:

Hypothetically, if a briefcase is locked with a combination lock, the government could attempt to guess the combination until the briefcase unlocked; but because the briefcase is opaque, there is still a reasonable expectation of privacy in the unlocked container. In the context of virtual containers in the cloud…encryption is not simply a virtual lock and key; it is virtual opacity.

Basically, the fact that your data is stored in an encrypted state–even when stored on servers belonging to a third-party–implies an expectation of privacy.

Ultimately, Couillard suggests a legal framework that applies Fourth Amendment rights by treating data stored with third-party providers the same as personal possessions kept in a storage unit, or valuables stored in a bank safe deposit box:

[T]he service provider has a copy of the keys to a user’s cloud “storage unit,” much like a landlord or storage locker owner has keys to a tenant’s space, a bank has the keys to a safe deposit box, and a postal carrier has the keys to a mailbox. Yet that does not give law enforcement the authority to use those third parties as a means to enter a private space.

The same rationale should apply to the cloud. In some circumstances, such as search engine queries, the third party is clearly an interested party to the communication. But when content data, passwords, or URLs are maintained by a service provider in a relationship more akin to that of landlord-tenant, such as private Google accounts, any such data that the provider is not directly interested in should not be understood to be open to search via consent or a waiver of Fourth Amendment protection.

This paper is simply a proposal from a law student and doesn’t represent any existing legal framework or precedent. However, the arguments seem sound. In the absence of an established legal precedent that makes sense, storing your data in an encrypted state can support a reasonable expectation of privacy and help preserve your Fourth Amendment rights even in the cloud. The opacity argument is strongest when you, not the provider, hold the keys: what the provider can decrypt, the provider can be asked to hand over.

A Server Breach Does Not Have to be a Data Breach

Monday, January 11th, 2010

Stop and think about your bank for a minute. Do they pile the money up in the middle of the lobby? Why not? After all, there are locks on the doors.

No. The bank does have locks on the doors...and an alarm system...and armed security guards...and video surveillance...and yet it still keeps the money locked in a vault, just in case. Even if intruders manage to break through or bypass all of the other security measures, the money will still not be compromised because it is in a locked vault.

Organizations need to treat sensitive data the same way banks treat money. The security controls in place (firewalls, intrusion detection, antimalware, etc.) are great, and necessary, but sensitive information like Social Security numbers, account numbers, etc. needs to be encrypted as that extra measure of protection, so that it is not exposed even if malicious intruders manage to circumvent the other security controls.

The school district in Eugene, OR had security in place on its server, but attackers were able to bypass it. That server contained information on 13,000 current and former employees, including names, addresses, dates of birth, Social Security numbers, tax identification numbers and direct-deposit bank account information. If the school district had encrypted the data on the server using a tool like Zecurion ZServer Storage, the sensitive information could have been protected even though attackers breached the server. The vault analogy holds only if the key is not left beside the vault: encryption on a compromised server protects the data only while the attacker cannot also obtain the key, so key material belongs in a separate key store or HSM rather than alongside the data.
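The point shared by the posts above on lost backup tapes, the stolen Goodwill safe, the breached school district server and encrypted data in the cloud is the same: the data itself must be encrypted, with the keys kept apart from the media. The following is an added example, not Zecurion's code and not anything from the cited incidents, of the envelope-encryption pattern that achieves this in Go. Each backup is encrypted under its own data-encryption key (DEK) with AES-256-GCM, that DEK is wrapped under a key-encryption key (KEK) that stays with the backup server or key manager, and a volume label is bound as associated data so a wrapped key cannot be moved between tapes. The KEK, the payload and the tape label are constructed for the demo; `EncryptBackup`, `DecryptBackup` and the helpers are names chosen here, not any product's API.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// EncryptedBackup is everything that travels with the media (tape, safe, cloud
// bucket); without the KEK, which never leaves the key manager, it is useless.
type EncryptedBackup struct {
	WrapNonce, WrappedDEK []byte // per-backup data key, AES-256-GCM under the KEK
	Nonce, Ciphertext     []byte // payload, AES-256-GCM under the DEK
}

// newGCM builds an AES-GCM AEAD; callers pass 32-byte keys (AES-256).
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// randomBytes panics if the OS CSPRNG fails, the right call for key material.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// seal encrypts msg under key with a fresh random nonce, binding label as
// associated data; returns (nonce, ciphertext).
func seal(key, msg, label []byte) ([]byte, []byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce := randomBytes(aead.NonceSize())
	return nonce, aead.Seal(nil, nonce, msg, label), nil
}

// unseal is the inverse of seal; it fails if key, label or bytes differ.
func unseal(key, nonce, ct, label []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ct, label)
}

// EncryptBackup encrypts the payload under a fresh DEK and wraps that DEK under
// the KEK; label (a tape or volume ID) is bound on both layers.
func EncryptBackup(kek, plaintext, label []byte) (*EncryptedBackup, error) {
	dek := randomBytes(32)
	wn, wrapped, err := seal(kek, dek, label)
	if err != nil {
		return nil, err
	}
	n, ct, err := seal(dek, plaintext, label)
	if err != nil {
		return nil, err
	}
	return &EncryptedBackup{WrapNonce: wn, WrappedDEK: wrapped, Nonce: n, Ciphertext: ct}, nil
}

// DecryptBackup is the restore path: a wrong KEK, a wrong label, or any change
// to the stored bytes fails GCM authentication and returns an error, not garbage.
func DecryptBackup(kek []byte, eb *EncryptedBackup, label []byte) ([]byte, error) {
	dek, err := unseal(kek, eb.WrapNonce, eb.WrappedDEK, label)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return unseal(dek, eb.Nonce, eb.Ciphertext, label)
}

func main() {
	// Demo KEK; in production it comes from a key manager or HSM, never the tape.
	kek := randomBytes(32)
	// Constructed sample payload standing in for an HR export (not real data).
	payload := []byte("name,dob,ssn\nA. Example,1970-01-01,000-00-0000\n")
	label := []byte("tape-0001")
	eb, err := EncryptBackup(kek, payload, label)
	if err != nil {
		panic(err)
	}
	if got, err := DecryptBackup(kek, eb, label); err != nil || string(got) != string(payload) {
		panic("restore with the right KEK should succeed")
	}
	eb.Ciphertext[0] ^= 0x01 // whoever holds the tape flips one byte
	if _, err := DecryptBackup(kek, eb, label); err == nil {
		panic("tampering went undetected")
	}
	fmt.Println("round trip OK; tampered copy rejected")
}
```

Run it as-is to see a round trip succeed and a tampered copy rejected. Because every backup gets its own DEK, rotating the KEK means re-wrapping a handful of small keys rather than re-encrypting every tape; losing the KEK, on the other hand, makes every tape permanently unreadable, so the KEK needs its own backup, stored separately from the media it protects.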

Managing Data Against Insider Threats

Thursday, January 7th, 2010

Join Zecurion at the SC Magazine Virtual Symposium: Managing Data Against Insider Threats on Thursday, January 21, 2010.

SC Magazine describes the event:

As companies have been forced to lay off hundreds of employees, identity management, data leak prevention and encryption solutions certainly have regained interest this year. Not only are corporate leaders concerned that embittered former employees may steal data to sell to cybercriminals or bring to a competing employer for use, they’re also worried that those left behind – nervous about the next spate of layoffs – may begin funneling off information while still there. Whether their actions are intentional or accidental, insiders are a risk and companies must protect their critical assets against them. We learn from experts how it’s done.

John Johnson, Sr. Security Program Manager, John Deere Corporate Computer Security, will be a featured speaker.

Click here to learn more and to register for the Virtual Symposium: Managing Data Against Insider Threats. Make sure to stop by Zecurion’s virtual booth and learn more about how we can help you manage data to protect against insider security threats.

10 IT Companies to Watch in 2010

Monday, January 4th, 2010

The Virtual Circle first became acquainted with Zecurion and the ominous statistics behind the insider security threat in March of 2009. It liked what it saw so much that it added Zecurion to its annual top 10 list of companies to watch in the coming year. The Virtual Circle has this to say about Zecurion:

“I ran into Zecurion last year (see this post.) I was intrigued by the company for several reasons, one of which is that it is Russian and few Russian software companies are successful enough to become international. Zecurion does encryption and it does it well. Encryption is, perhaps, the most overlooked area of IT security. In terms of reducing the risk of data loss, encryption probably offers better protection than any other type of IT security products out there (with the possible exception of whitelisting). However, it can get in the way of user activity. One of the virtues of Zecurion’s encryption products is that they are unintrusive.”

Take a look at the Zecurion Web site to learn more about the products and services that earned us a spot on the list. Check out Virtual Circle’s 10 IT Companies to Watch in 2010 to find out about the other nine up-and-coming tech companies predicted to turn heads in the coming year.