In December we published, as you may remember, Part I of this series “Could your IT infrastructure harm your business?” Picking up from where we left off, we’re going to continue talking about data security.
Firstly, you need to consider that there are three types of data, all requiring different levels of protection – non-personal data; personal data; and financial data. These also bring in the question of compliance – especially for financial data where FCA and PCI rules determine the levels and types of security that must be implemented. These rules dictate not only how data should be stored, but also certain aspects of physical compliance relating to your IT infrastructure. Failure to comply with (and ensure continued compliance with!) such regulations is a serious breach of company obligations and will result in fines, or worse, against the company and its Directors.
As is now well known, one of the key issues with the recent breach of IT security at Talk Talk was that the data was not all encrypted. Data must not only be encrypted to an appropriate level, but different types of data have to be stored separately, providing a critical additional layer of security so that even if one class of data is breached, full personal and financial data is not disclosed. Proper encryption and storage of data (including separation of data types) will reduce the risks of an incident such as the one at Talk Talk by a factor of 100. Best practice security solutions will ensure that personal data is well protected, even when firewall and virus protection layers are breached.
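To make the separation point concrete, here is an added illustration (not code from the original article or from any provider it names) of what "stored separately" means in practice: each data class lives in its own store, encrypted under its own independent key, so an attacker who obtains one store's key reads only that class. The `SegregatedStore` and `simulate_single_store_breach` names, the customer records and the cipher are all assumptions for the example; the HMAC-based encrypt-then-MAC routine is a stdlib stand-in so the script runs anywhere, and a real deployment would use a vetted AEAD such as AES-GCM with keys held in a KMS or HSM.

```python
import hashlib
import hmac
import json
import os

# The three data classes named in the article, each getting its own store and key.
DATA_CLASSES = ("non_personal", "personal", "financial")


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Keystream from HMAC-SHA256(key, nonce || counter) blocks.
    Stand-in for a real AEAD (assumption for this example only)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Checks the tag first, so the wrong class key raises instead of leaking garbage."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise PermissionError("key does not belong to this data class")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class SegregatedStore:
    """One store per data class, each under an independent key (hypothetical design)."""

    def __init__(self) -> None:
        # Independent root keys: in production, separate KMS keys or HSM slots.
        self.keys = {cls: os.urandom(32) for cls in DATA_CLASSES}
        self.stores = {cls: {} for cls in DATA_CLASSES}

    def put(self, customer_id: str, data_class: str, record: dict) -> None:
        if data_class not in DATA_CLASSES:
            raise ValueError(f"unknown data class {data_class!r}")
        blob = encrypt(self.keys[data_class], json.dumps(record).encode())
        self.stores[data_class][customer_id] = blob

    def get(self, customer_id: str, data_class: str, key: bytes) -> dict:
        """The caller must present that class's key; the stores share nothing."""
        return json.loads(decrypt(key, self.stores[data_class][customer_id]))


def simulate_single_store_breach(store: SegregatedStore, leaked_class: str) -> dict:
    """Model an attacker holding every encrypted blob but only one class's key.
    Returns the records they can actually read: only the leaked class."""
    readable = {}
    for cls in DATA_CLASSES:
        for cid, blob in store.stores[cls].items():
            try:
                readable.setdefault(cls, {})[cid] = json.loads(decrypt(store.keys[leaked_class], blob))
            except PermissionError:
                continue  # other classes stay sealed under their own keys
    return readable


if __name__ == "__main__":
    # Constructed sample records, one customer across the three classes.
    store = SegregatedStore()
    store.put("cust-1", "non_personal", {"plan": "basic"})
    store.put("cust-1", "personal", {"name": "Alice Example"})
    store.put("cust-1", "financial", {"card_last4": "4242"})
    print(simulate_single_store_breach(store, "personal"))
```

Running the script shows that a leak of the personal-data key yields the personal record alone; the financial and non-personal stores remain unreadable, which is exactly the "one level breached, not everything disclosed" property the article asks for.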
In the case of the US dating website, Ashley Madison, data was encrypted but best practices were not fully implemented in other aspects of their security policy, relating to access rules and processes. The hack in this case was perpetrated with the help of inside information – clearly illustrating the need for clear security processes, implemented across the organisation, to avoid risks from internal agents. This leads on to a discussion of processes, organisational considerations and the requirement for clear ownership of IT security.
Ownership and Responsibility
Given the very real dangers in the modern connected IT world and the potential for loss of confidential customer data resulting in significant damage to reputation and direct business, companies MUST have clear ownership, responsibility and accountability for all aspects of IT security. There is a strong argument for the role of a Chief Data Officer, reporting to, or having a direct role on the Board.
Organisations should also regularly review their processes, including who has access to data and systems. You might want to consider the use of external audit services as part of the review process to ensure ongoing compliance with best practice. Management review meetings typically assess aspects of performance (and risk) using a form of “balanced scorecard” – looking at the overall position of the company against financial, staffing and other metrics. We contend that IT security should be a specific additional scorecard element, reviewed as part of the normal company review processes and owned by a senior member of the company’s Board or Management Team.
What about the impact of external providers?
Most companies employ some level of outsourced IT provision, either through the use of Cloud based applications (e.g. Sage accounting or Salesforce.com CRM systems provided through a “Software as a Service” (SaaS) solution), or through more wholesale use of external IT providers or Cloud Service providers.
In all such cases, these solutions involve holding your customers’ data outside your own physical environment. Of course, most reputable providers use highly secure and well developed data centres that should provide better physical security than the alternative of an in-house IT system in your own offices. Even if your own servers are in secure rooms, who has access to these locations and can you be certain that physical security cannot be breached?
So, external Cloud Service providers should provide secure services – but there are steps you need to take to check that their processes are in compliance not only with best practices and external rules (FCA, PCI, etc.), but also with your own security policies and processes. For example, if using one of the “big brand” Cloud Service providers such as AWS or Rackspace, you will be tied to their contracts and embedded policies. You therefore need to be aware of these in sufficient detail to ensure that your end-to-end security solution is fit for purpose. There is also a separate issue of data privacy. You typically don’t have control over where data might be held, with the risk that external agents such as the US Government might have rights to access your data.
There are a number of questions you should be asking your external Cloud Service provider, including:
- What are your security policies and processes? An example of the level of detail required is that if PCI data is held, this should be on a server in a physically locked cabinet, not just within an area covered by a general security lock.
- If the provider is fairly new to the market, what rules do they follow and what is their track record, financial strength and longevity?
- Updates and maintenance: does the architecture employed comply with best practices as outlined in this article (e.g. dual layer firewalls)?
- Who do they use for infrastructure or specific elements of their own delivery? Many Cloud Service providers are partially or wholly “brokers” of services, using another provider for the actual infrastructure.
Recent cases highlight the need for a fully coordinated security policy covering physical, people, processes, IT security (protection from hacking) and encryption / data separation to protect from loss of data if attacked.
Organisations need clear ownership and understanding of all of these aspects of IT security – even if some elements of your IT solution are outsourced. Managed properly, the use of an external Cloud Service provider should significantly increase your own capability and overall IT security.