MAINFRAME > Administrator > Security

Avoiding Security by Obscurity

Data security is not just an IT department issue.

Data security is not just an IT department issue.

A few years ago, data security was considered by most organizations to be an afterthought - something that could be handled by a few specialists operating in their own domain. Today, however, it's no longer a matter of implementing and maintaining a few standard security measures, such as firewalls, VPNs and the like.

With today's technology, we no longer depend on paper to store our critical information; large amounts of information are now in electronic format either online or in stored data. Modern networking technology and the ubiquity of the Internet and sending data through file transfers means that all data is instantly available to anyone anywhere in the world, whether friend or foe.

Not only are computers becoming more powerful, but today's personal digital assistants (PDAs) and even cell phones have the power to hack into a company's mission-critical data resources - all without a wired connection. The government is becoming more involved, creating data-security standards can be difficult to interpret and expensive to implement. For these reasons and more, data security has become an elusive goal and policy decisions must be made and carried out at all levels of an organization. Some of today's key data security issues are explored in this article.

Regulatory Compliance Challenges

There are myriad new government and corporate standards and regulations, including the Gramm-Leach-Bliley Act (GLBA), the Sarbanes-Oxley Act (SOX), the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standards (Visa CISP), and the California Security Breach Information Act (CA SB1386). These regulations create a new technocracy within organizations consisting of people trying to understand, interpret and implement these requirements. Typical phrases within these documents include: "an adequate internal control structure," "maintain a policy that addresses information security" and "ensure the confidentiality and security of customer data against reasonably anticipated threats." Sadly, the meaning of such statements is open to interpretation and leaves some organizations vulnerable to being judged not in compliance despite their best efforts.

Determining what is and isn't sensitive data can be difficult. Data that may be sensitive in the hands of one person may be useless to another. Conversely, controls placed to limit access to sensitive data by one group may prevent access by persons who need the data to perform their jobs. Compounding this issue is that data from one source may be of little value to a hacker but when merged with data from another source, it may become extremely sensitive. For example, product order information from a manufacturer attached to a customer number may be of little use, but the information was merged with address information from a shipper linked to the same customer number, it would reveal a great deal.

Unfortunately for many, the practical effect of these new rules has been to shift the objective from protecting corporate data to protecting an organization from government scrutiny and consumer lawsuits, with corporate e-mail being a classic example. If the standard is to keep e-mail for six months, companies will move to destroy e-mail archives after that time to eliminate potentially damaging evidence of security breaches. The effect can be that valuable corporate information is destroyed in the process.

Data security has become too important and too costly an issue to be assigned to one department or outsourced to a third party.

Kevin Kumpf is senior engineer for SSH Communications Security Inc. Kevin can be reached at kevink@ssh.com



Advertisement

Advertisement

2018 Solutions Edition

A Comprehensive Online Buyer's Guide to Solutions, Services and Education.

A Perfect Union

New encryption facility for z/OS strengthens mainframe bond.

Avoiding Security by Obscurity

Data security is not just an IT department issue.

IBM Systems Magazine Subscribe Box Read Now Link Subscribe Now Link iPad App Google Play Store
Mainframe News Sign Up Today! Past News Letters