Insider Threats to Data – Often Overlooked

Ben wrote in asking about insider threats – and what can be done to help protect your information against that type of access. If you’ve missed the last two editorials on security, grab the link at the top of this page, but we’re talking about protecting information with Transparent Data Encryption (TDE), encryption, data at rest protections and backups.

It’s true that many unwanted accesses to information come from insiders. I don’t know specific statistics, as in "X" percent of breaches are from insiders, but it doesn’t take much consideration to realize that access from the inside is a key element in getting to information. If you think about the breaches at Target and Sony, while wildly different in the information being targeted, the fact is that both were really facilitated (at least as far as the information released to date goes) by what amounts to inside access.

There are a few protections to consider when you’re trying to protect against this.

– Create views that users have specific rights to. Only give them access through these views (or stored procedures), and be very cautious about what information is actually available from these access points. If no general access is available, you’ll be a step ahead.

– Segment your networks – make sure that someone on the HVAC side of your network is not sharing bits and bytes with the financial transactions on your network. Encrypt data in transit with SSL connections between the application and your SQL Server.

– Enforce password policies, including expiration of passwords.

– Encrypt data at rest, and backups. If you’re on a provider that manages your databases, make sure the files are protected and encrypted. Find out about their key management policies for those encryption processes.

– Consider "transactional" encryption (columnar encryption) where you provide a key set for access to specific information, rather than having it merely automatically decrypted/encrypted for you. This adds a layer of complexity to your applications. You’ll be making calls and passing in the keys and such over the connection to the DB. It typically means your key management needs to be fully integrated into your applications and access points.

– Find a trusted partner that can look at your network, look at your applications, look at your data and find out what is at risk and what your options are, and should be.

– Learn about encryption. Just check out the videos here on sswug.org (they’re free) for great information on how encryption works, what to think about, why key management that you "own" is critical and what different entry points are. Before you think I’m just plugging our videos, I am. 🙂 But the fact is, there is a LOT of great information in those videos and it’s very comprehensive and will give you a leg up on understanding this whole thing. That’s why we did, and continue to do, them.
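The view-only access and "transactional" column encryption items above can be combined in one schema. The T-SQL below is an added example, not code from this editorial; the table, view, procedure, role names and the passphrase are hypothetical, and the sample row is constructed.

```sql
-- Added example; every object name and value here is hypothetical.
CREATE TABLE dbo.Customer (
    CustomerId int IDENTITY PRIMARY KEY,
    FullName   nvarchar(100)  NOT NULL,
    City       nvarchar(60)   NOT NULL,
    CardNumber varbinary(256) NOT NULL   -- ciphertext only, never clear text
);
GO

-- The view exposes only the non-sensitive columns.
CREATE VIEW dbo.vCustomerDirectory
AS
SELECT CustomerId, FullName, City
FROM dbo.Customer;
GO

-- Decryption is not automatic: the caller must supply the passphrase.
-- DECRYPTBYPASSPHRASE returns NULL when the passphrase is wrong.
CREATE PROCEDURE dbo.GetCardNumber
    @CustomerId int,
    @Passphrase nvarchar(128)
AS
BEGIN
    SET NOCOUNT ON;
    SELECT CONVERT(varchar(19),
                   DECRYPTBYPASSPHRASE(@Passphrase, CardNumber)) AS CardNumber
    FROM dbo.Customer
    WHERE CustomerId = @CustomerId;
END;
GO

-- No general access to the table. Because the view and procedure share the
-- table's owner (dbo), ownership chaining still lets them read it.
CREATE ROLE SupportStaff;
CREATE ROLE BillingApp;
GRANT SELECT  ON OBJECT::dbo.vCustomerDirectory TO SupportStaff;
GRANT EXECUTE ON OBJECT::dbo.GetCardNumber      TO BillingApp;
DENY  SELECT  ON OBJECT::dbo.Customer           TO SupportStaff, BillingApp;
GO

-- Constructed sample row, encrypted at insert time.
INSERT dbo.Customer (FullName, City, CardNumber)
VALUES (N'Sample Person', N'Tucson',
        ENCRYPTBYPASSPHRASE(N'constructed-demo-passphrase', '4111111111111111'));
GO
```

Since the passphrase travels from the application to the server on every call, this design depends on the encrypted connection recommended in the network item, and on the application's key management holding the passphrase rather than the database.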

Let me know if I can help. There are many considerations, and you have a good number of options. Email me, comment below, or hit me up on Twitter (@swynk) and I’ll do my best to point you in the right direction.