This week, a team of security researchers pulled a list of 126 billion files from public Amazon S3 buckets.
Within a subset of these buckets were – you guessed it – plain text files, many of which contained sensitive information like sales records and employee data. This InfoWorld article does a good job explaining how simple it was to access this data and where the security breakdown occurred.
When it comes to securing data in the cloud, the customer ultimately needs to take responsibility. Network World featured a good dialogue on this very topic earlier in the week.
The cloud can be an incredibly safe place to store sensitive data and run business-critical applications; perhaps even safer than your own data center. But it’s up to the customer to make sure the right security controls are in place. Encrypting your data and maintaining control of your keys is the best place to start.
This security technique ensures your cloud provider or anyone running an unauthorized program or process cannot access the data. It’s also a necessary step toward enabling compliance.
If the aforementioned data in S3 were encrypted, even in a public bucket, the search results would have yielded nothing of value.
The average price of a notebook in the U.S. is about $631. The cost of a notebook that contains unencrypted patient information is far greater.
Earlier this week, the Department of Health and Human Services' Office for Civil Rights levied a hefty $1.5 million fine against the Massachusetts Eye and Ear Infirmary.
HHS determined that Massachusetts Eye and Ear had violated a number of HIPAA requirements stemming from the theft of a neurologist’s notebook in South Korea in 2010. A hospital employee losing a notebook is one thing. The hardware can easily be replaced at a minimal expense. However, when the laptop contains unencrypted data, including patient names, addresses, phone numbers, dates of birth, medical records numbers and certain medical information, that’s another story entirely.
Because the laptop was unencrypted, the healthcare organization was required under the HITECH Act to notify HHS and the media. Had the drive been encrypted, Mass Eye and Ear likely could have claimed safe harbor and not faced the fine or the ensuing sanctions.
Gazzang counts a number of health care organizations among our rapidly expanding customer base. Most come to us initially to satisfy HIPAA requirements for securing sensitive data on disk or in the cloud. What they soon realize is that data encryption is so inexpensive and easy to use, that they might as well encrypt all their data. We even have healthcare customers using zNcrypt for Healthcare to secure their IT helpdesk content.
The bottom line is if you have data that’s important to your organization or your customers, it needs to be encrypted. As we’ve seen time and time again, it’s too expensive not to do it. To learn more about how data encryption and key management can help you meet your HIPAA needs, check out our HIPAA Compliance Guide.
Learn how Gazzang uses transparent data encryption, robust key management and process-based access controls to secure sensitive customer data in a multi-hundred node Apache Cassandra implementation.
In the era of Big Data, virtualized environments, mobile computing, and both public and private cloud, and with sensitive data scattered across systems and physical locations, is data encryption a best practice for IT security? Larry Warnock, CEO of Gazzang, certainly thinks so. And the recent success of this startup data encryption vendor argues that the market agrees.
“First, today data is massively distributed. It goes all over the place,” Warnock says. “Hadoop is really a massively distributed file system, not a traditional database.” And even traditional relational data ends up scattered across the data center in virtualized environments.
Increasing numbers of companies are creating hybrid public/private cloud environments, which means that some of their data ends up on public systems. They are, for instance, leveraging the fast-and-easy configuration environment of Infrastructure-as-a-Service (IaaS) vendors such as Amazon.com to run new or fast growing applications and products such as cloud-based games or to handle large seasonal variations in business activity typical of retail. And growing numbers of SaaS vendors, who need to provide strong security for their customers’ data, are using data encryption. “You don’t want the system owner to be able to see your company’s sensitive data if that owner is a third-party like Amazon, for instance,” Warnock says.
Mobile computing creates its own risks to sensitive data. Stories about stolen laptops with data on customer accounts are depressingly common. “I think that the next thing may be theft of mobile devices like smartphones and tablets with sensitive data on them,” Warnock says.
As a result, while traditional security tools like firewalls are still important, they cannot provide the level of data security that they did when everything was inside the data center. And even then reports of massive identity theft through unauthorized access of sensitive data appeared regularly.
Meanwhile, Warnock says, “The cost of encryption has dropped to the point that the question is why shouldn’t you do it?”
One major issue that has delayed the widespread adoption of security is key management, which can be complicated. Also, the traditional approach to encryption is to encrypt all new data at the end of the day, which leaves what often is the most valuable data in transactional systems unprotected for hours. And in today’s 24X7 business environment, many companies never have an end to the day when things slow down and large batch processes can be run.
Gazzang’s ezNcrypt product offers a new approach to encryption designed for this environment in three important ways, Warnock says.
EzNcrypt is finding use cases in several industries and applications that demand high data security levels, he says. These include medical, where health care providers get highly sensitive, regulated patient data from multiple sources and need to protect it; financial services; and retail, which needs to protect large amounts of customer data starting with credit card numbers, account access, and personal ID information.
Warnock admits that, as with all IT security, making the financial case for investing in encryption is often difficult. “It won’t add to your top line or save operating expenses. It is more of an insurance discussion. It protects you from the dreaded breach, which often does its worst damage indirectly, to the company’s reputation and the trust of customers. What we are hoping is that encryption data will become a generally recognized best practice.”
So is it best practice? “That depends,” says Mike Rothman, president of Securosis and former security analyst at META Group.
Encryption is therefore an important tool in the security toolbox, but it is not the only one there. It can be a last line of defense for highly sensitive data in the enterprise and a way to provide protection for data in the cloud or in transit across the Internet. But, it should be seen as part of an overall security plan, not as a golden bullet for all security needs.
“Encryption is certainly an important data security tool, especially in today’s IT environment,” Rothman says. “A lot depends on what you are trying to store, who is trying to access it, and what they are likely to try to do.”
I had a really interesting conversation with Thor Olavsrud of CIO.com yesterday about securing big data. The discussion lasted about 40 or so minutes and touched on everything from homomorphic encryption to dredging the ocean floor for mollusks (as an analogy for Big Data).
The result was an insightful and well-written column that appeared today, called “How to Be Ready for Big Data.” It’s one of the first pieces I’ve read on big data that seriously looks at how organizations are going to secure the massive amounts of information they’re collecting.
And Thor isn’t just hearing about this from Gazzang. David Saul, chief scientist at State Street Bank, also gets the need for organizations to think about big data security from the outset:
"I believe the biggest mistake that most people make with security is they leave thinking about it until the very end, until they've done everything else: architecture, design and, in some cases, development. That is always a mistake."
We’ve touched on this before. Retroactively trying to protect big data is expensive, time consuming and fraught with peril. Thinking about security from the very beginning is the best way to protect your data.
Finally, I wanted to leave you with my top four tips for securing big data. Thor asked for these yesterday, and although they didn’t make the final article, I thought they’d be worth sharing with you.
If you have any additional tips, please add them to the comments section.
We’re at this unique juncture where technology that’s available to us has actually caught up with the rising flood of data being created. Open Source databases like Hadoop, Cassandra, MongoDB and others allow us to harness the exabytes of unstructured information captured from mobile devices, social media, log files, emails, images and video, and use it to perform real-time analytics.
This is Big Data, and it’s yielding big results for companies like Visa, Netflix and Google’s Motorola Mobile.
There’s a lot of noise about Big Data management and analytics tools, but there’s a frightening lack of concern about one area that requires far more attention. We believe that before companies even consider a Big Data project, they need to look at how they’re going to secure big data.
Big Data is about collecting massive volumes of information from a variety of sources and analyzing the data in real-time. The content may seem harmless at first, but as the volume, velocity and variety of unstructured data skyrockets, sensitive information like email addresses, phone records, social security numbers, health records, and intellectual property is ultimately captured and stored. Forrester Research calls this "toxic data". It is information that, if it leaves the organization's control, could be devastating – could be absolutely “toxic”.
Organizations that fail to protect and encrypt this data leave themselves exposed to attacks and possibly even fines. Companies like Stratfor, Sony and Epsilon - who failed to encrypt toxic data - all took severe hits to their brand and combined lost millions of dollars in potential revenue. But worse still, these companies all lost the trust of their customers. How do you put a price on that? People will shy away from organizations that aren't trusted stewards of their information. This includes not only the data itself but the histories of their data, application and web usage.
Retroactively trying to protect this data is far more difficult than securing it at the outset. Organizations must consider this BEFORE it is too late.
That's where Gazzang comes in. Our cloud-based encryption and key management platform helps customers protect Big Data.
It is time to think about securing Big Data. Don’t let the loss of your valuable information become front-page news. Please read our Securing Big Data white paper to learn more.
If a DBA needs to reset the MySQL root password, one method of doing this is to run mysqld with --skip-grant-tables as a command-line parameter. This is a bad practice for many reasons, and as a DBA friend of mine says, it’s a lot like locking your door with the window open. If you are using MySQL for especially secure data, you should consider your options.
One option, and likely preferred, is to replace the default mysql from various sources with one built with this feature disabled – see http://dev.mysql.com/doc/refman/5.1/en/source-configuration-options.html#option_configure_disable-grant-options
I am not aware of any distros that are built with this option – but it seems like a fair number of folks out there would appreciate having a build like this.
But some either still want to be able to reset root’s password somehow, or don’t wish to compile MySQL on their own, so the second option is to use Gazzang ezNcrypt. Beyond the advantages of the Transparent Encryption, which provides encryption for table data, config files, backup data and more, you can also use ezNcrypt to prevent use of --skip-grant-tables. This “closes the window” and still lets you change the root password if needed. This is accomplished by transparently encrypting the mysqld executable and adding a simple wrapper executable that detects and removes the --skip-grant-tables option. It can also optionally send a signal to mysqld to force loading the privileges.
If and when you need to change the root password for MySQL, you can still do this, but you will need to have and use the proper RSA key and password, or passphrase and salt, which are protected and known only to a select few in your administration.
Here’s the how-to for skip-grant-tables protection:
1. Encrypting mysqld process.
# ezncrypt -e @protected /usr/sbin/mysqld
2. Create and compile mysqld wrapper (called mysqld.secure) that calls mysqld process
g++ -o /usr/sbin/mysqld.secure mysqld.secure.cpp
Note: we wrote just a few lines of C++, but you could use a script, Perl, PHP, etc., as the hashes and fingerprinting prevent alteration.
3. Add the following rules using ezncrypt-access-control
# - Type Category Path Process
1 EE ALLOW @mysql * /var/lib/ezncrypt/ezncrypted/protected/usr/sbin/mysqld
2 ALLOW @protected /usr/sbin/mysqld /usr/sbin/mysqld.secure
Note: if mysqld.secure is changed, SHA-256 hashing and other fingerprinting detect that it is tainted and permissions will be denied.
4. Edit my.cnf
mysqld = /usr/sbin/mysqld.secure
And that’s it.
When you call:
# mysqld_safe start
# mysqld_multi start
This will call mysqld.secure with all arguments. mysqld.secure will remove any --skip-grant-tables it finds and call /usr/sbin/mysqld without it. And again, mysqld can’t be started on its own with --skip-grant-tables unless you have the encryption key.
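The post does not include the source of mysqld.secure.cpp from step 2. The following is an added sketch of what such a wrapper could look like, not Gazzang's own code; the function names is_skip_grant and filter_args are hypothetical, and matching abbreviated option names is a conservative assumption of this sketch.

```cpp
// Added sketch of a mysqld.secure-style wrapper; not Gazzang's own source.
#include <algorithm>
#include <cstdio>
#include <string>
#include <vector>
#include <unistd.h>

static const char* REAL_MYSQLD = "/usr/sbin/mysqld";  // path from the how-to

// True if arg selects skip-grant-tables. MySQL treats '-' and '_' in option
// names alike and allows "=value" and a "loose-" prefix. Older servers also
// accept abbreviated names, so any prefix from "skip-g" onward is matched
// (a deliberately conservative assumption of this sketch).
bool is_skip_grant(const std::string& arg) {
    static const std::string full = "skip-grant-tables";
    if (arg.compare(0, 2, "--") != 0) return false;
    std::string name = arg.substr(2);
    name = name.substr(0, name.find('='));
    std::replace(name.begin(), name.end(), '_', '-');
    if (name.compare(0, 6, "loose-") == 0) name.erase(0, 6);
    return name.size() >= 6 && name.size() <= full.size() &&
           full.compare(0, name.size(), name) == 0;
}

// Returns args with every skip-grant-tables variant removed.
std::vector<std::string> filter_args(const std::vector<std::string>& args) {
    std::vector<std::string> kept;
    for (const std::string& a : args)
        if (!is_skip_grant(a)) kept.push_back(a);
    return kept;
}

int main(int argc, char** argv) {
    std::vector<std::string> args(argv + 1, argv + argc);
    std::vector<std::string> kept = filter_args(args);
    if (kept.size() != args.size())
        std::fprintf(stderr, "mysqld.secure: removed %zu blocked option(s)\n",
                     args.size() - kept.size());
    std::vector<char*> av;
    av.push_back(const_cast<char*>(REAL_MYSQLD));
    for (std::string& s : kept) av.push_back(&s[0]);
    av.push_back(nullptr);
    execv(REAL_MYSQLD, av.data());  // only returns on failure
    std::perror("execv");
    return 127;
}
```

A wrapper like this sees only command-line arguments; mysqld reads its option files itself, so my.cnf needs the same protection, which is one reason the post mentions encrypting config files.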
Of the many government and industry regulations out there, I have been hearing the most about HIPAA lately. Many of the recent discussions I’ve participated in have revolved around the strict data breach notification requirements listed in section 13402 (e)(4) of the HITECH Act. Specific to these conversations has been the safe harbor language, which provides a way to legally avoid this notification process.
The HIPAA regulations state that if there is a data breach affecting more than 500 records, then the entity must notify the individuals affected, the Department of Health and Human Services (HHS) and major media outlets. Besides the immediate monetary cost, you also must deal with the damage to the company’s reputation, and public relations costs required in remedying that. Besides your COMPANY’S reputation, you also have your OWN reputation to worry about. Will this be an unwritten entry on your resume for years to come?
Interestingly, there is a loophole, which can allow you to skip the entire notification process. What is this loophole you ask? It’s called the Safe Harbor provision and can be easily found in section 216 of the regulation. It states that if your data is encrypted using the standards set forth in the National Institute of Standards and Technology (NIST) Special Publication 800-111, then the data is considered unreadable and unusable, therefore you are NOT required to notify anyone of the breach.
Fortunately, you don’t have to design your own encryption solution. Gazzang has taken care of that for you. Gazzang has created a high performance, transparent encryption solution that can encrypt virtually anything running on the Linux platform, coupled with a state of the art key management solution. We stringently followed the NIST guidelines when creating our enterprise-ready encryption solution. We leverage the AES encryption algorithms, which are recommended by NIST, as well as using a state of the art key management solution that stores the keys on a remote server either inside your firewall or in our remote, cloud-based Key Storage Server. Amazingly, system performance degradation is nearly always less than 1%, the implementation is very straightforward, and the cost is very reasonable, much less than developing your own solution from scratch.
echoBase recently released a new solution for doctor’s offices that provides physicians the new mobile platform they have been clamoring for. It provides mobile access to EMR, PM, Imaging, ePrescribe and other clinical systems. All of the Patient Health information is protected by Gazzang’s encryption solution.
In conclusion, the notification requirements contained in the HIPAA regulations can be costly monetarily, as well as scarring both the reputation of your company, and also your personal, professional reputation. If there is a way to avoid these nightmares, don’t you think it’s worth an investigation? Why don’t you contact us today at email@example.com, and let us show you how we can help.