The Oracle Australia and New Zealand Middleware and Technology Blog.

Friday, August 29, 2008

Can IT beat the clumsy human pt2

So how do we stop this pesky private information from escaping? With rose coloured glasses on, you could solve this with business process, education and the ubiquitous “Correct usage of IT assets contract”.
The chance that everyone will fall in line is, of course, farcical. People inherently look for short cuts, forget things and simply make mistakes. I am sure the person who sold the PC on eBay thought they had deleted the files. Data privacy software is very advanced and the industry has answers for most of these problems.
If data is stored in a database, there is no excuse not to have it locked down.

Data can be masked automatically if it is moved from the original tables, and the same data can be encrypted on disk, on tape and even up to the presentation layer. If this data needs to be taken off the database, users can wrap security around the data file, in Excel for instance, and set rules around who can open the document and for how long the document can live. These technologies can all be referred to as preventative controls. Additional preventative controls around the database can classify data so that only roles or individuals with the right classification can view it. If you think the term classification sounds like something Jason Bourne would have to deal with, you're correct. In fact most of the database security solutions have been tried and tested with various security organisations around the world.
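To make the two preventative controls above concrete, here is an added example (not code from this blog or from any Oracle product) of label-based row filtering and of masking applied when data is copied out of the original table. The classification levels, compartment names, the sample customer rows and the masking key are all constructed for the example; a real deployment would take the user's label from the directory and the key from a key store.

```python
import hmac
import hashlib
from dataclasses import dataclass, field

# Hierarchical classification levels (names and ordering assumed for this example):
# a reader needs a level at least as high as the row's level.
LEVELS = {"PUBLIC": 0, "INTERNAL": 1, "CONFIDENTIAL": 2, "SECRET": 3}


@dataclass(frozen=True)
class Label:
    """Row or user label: a level plus optional compartments (e.g. 'HR', 'FINANCE')."""
    level: str
    compartments: frozenset = field(default_factory=frozenset)

    def dominates(self, other: "Label") -> bool:
        # Read access needs level >= the row's level AND every compartment on the row.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


# Constructed sample table: every row carries its own classification label.
CUSTOMERS = [
    {"id": 1, "name": "Ann Example", "email": "ann@example.com",
     "card": "4111111111111111", "label": Label("PUBLIC")},
    {"id": 2, "name": "Bob Example", "email": "bob@example.com",
     "card": "5500000000000004", "label": Label("CONFIDENTIAL", frozenset({"FINANCE"}))},
    {"id": 3, "name": "Cy Example", "email": "cy@example.com",
     "card": "340000000000009", "label": Label("SECRET", frozenset({"FINANCE", "HR"}))},
]


def select_for(user_label: Label, rows=CUSTOMERS) -> list:
    """Label-based row filter: return only the rows the user's label dominates."""
    return [r for r in rows if user_label.dominates(r["label"])]


def mask_card(card: str) -> str:
    """Keep only the last four digits so the value stays useful to support staff."""
    return "*" * (len(card) - 4) + card[-4:]


def pseudonymise(value: str, key: bytes) -> str:
    """Deterministic masking with a keyed HMAC: the same input always maps to the
    same token, so masked copies can still be joined on it, but the original value
    cannot be recovered without the key."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def export_masked(rows, key: bytes) -> list:
    """Copy rows out of the original table with the direct identifiers masked."""
    return [
        {"id": r["id"],
         "name": pseudonymise(r["name"], key),
         "email": pseudonymise(r["email"], key) + "@masked.invalid",
         "card": mask_card(r["card"])}
        for r in rows
    ]


if __name__ == "__main__":
    # A finance analyst cleared to CONFIDENTIAL sees rows 1 and 2 but never the SECRET row.
    analyst = Label("CONFIDENTIAL", frozenset({"FINANCE"}))
    visible = select_for(analyst)
    print(f"analyst sees {len(visible)} of {len(CUSTOMERS)} rows")
    for row in export_masked(visible, key=b"example-masking-key"):
        print(row)
```

The dominance check is the same rule commercial label-security products apply on every row read: level must be high enough and every compartment on the row must be held. Masking on export is deliberately separate from the filter, since a row a user is allowed to see in the application is not necessarily a row whose raw identifiers should leave the database in a spreadsheet.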

Identity Management (IDM) also offers a number of elegant ways to protect this data. In my experience most organisations have a reasonable account of how to get a new employee into a role and provision him/her with the relevant access entitlements so they can work. What I see, however, is poor practice around de-provisioning users, or removing access once a person leaves or even transfers to another role in the organisation. The end result is that most organisations have more employees accessing systems than are physically on the payroll, because the removal of entitlements is a lower priority that is typically resource intensive. This issue is referred to as orphan accounts; these orphan accounts also represent a huge security risk. Many stories exist of former employees accessing data after leaving an organisation. At you can see numerous examples of this. Running “Who has access to what?” reporting may seem mundane but it is essential. IDM can automate this by matching HR or payroll records to the IT systems' user databases. See HR here for an article on how this works.
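The reconciliation the paragraph describes, as an added example that is not code from this blog or from any IDM product: an HR or payroll extract is treated as the authoritative list of who is employed and in which role, per-application account lists are matched against it by employee id, and the script reports orphan accounts (no active owner), entitlements a transferred user kept from a previous role, and a “who has access to what” view. The employee ids, account names, applications, roles and entitlement names are all constructed for the example.

```python
from collections import defaultdict

# Constructed HR / payroll extract: the authoritative record of who is employed
# and in which role. Status values and role names are assumed for this example.
HR_RECORDS = [
    {"emp_id": "E100", "name": "Ann Example", "status": "active", "role": "accounts_payable"},
    {"emp_id": "E101", "name": "Bob Example", "status": "active", "role": "sales"},
    {"emp_id": "E102", "name": "Cy Example", "status": "terminated", "role": "dba"},
    # E103 transferred from accounts_payable to sales; ERP access was never removed.
    {"emp_id": "E103", "name": "Di Example", "status": "active", "role": "sales"},
]

# Constructed per-application account lists, as an IDM connector would pull them.
# emp_id None means the account could not be matched to anyone in HR at all.
SYSTEM_ACCOUNTS = {
    "erp": [
        {"account": "aexample", "emp_id": "E100", "entitlements": {"ap_invoice_approve"}},
        {"account": "dexample", "emp_id": "E103", "entitlements": {"ap_invoice_approve"}},
        {"account": "cexample", "emp_id": "E102", "entitlements": {"erp_admin"}},
    ],
    "crm": [
        {"account": "bexample", "emp_id": "E101", "entitlements": {"crm_read", "crm_write"}},
        {"account": "dexample", "emp_id": "E103", "entitlements": {"crm_read"}},
        {"account": "svc_legacy", "emp_id": None, "entitlements": {"crm_admin"}},
    ],
}

# Role model (assumed): the entitlements each HR role is allowed to hold.
ROLE_ENTITLEMENTS = {
    "accounts_payable": {"ap_invoice_approve"},
    "sales": {"crm_read", "crm_write"},
    "dba": {"erp_admin"},
}


def find_orphans(hr_records, system_accounts):
    """Accounts with no active HR owner: terminated staff, or no matching record."""
    active = {r["emp_id"] for r in hr_records if r["status"] == "active"}
    orphans = []
    for system, accounts in system_accounts.items():
        for acct in accounts:
            if acct["emp_id"] not in active:
                orphans.append((system, acct["account"], acct["emp_id"]))
    # Sort on system and account only; emp_id may be None and is not comparable to str.
    return sorted(orphans, key=lambda t: (t[0], t[1]))


def find_excess_entitlements(hr_records, system_accounts, role_entitlements):
    """Active users holding entitlements outside their current HR role (e.g. after a transfer)."""
    role_of = {r["emp_id"]: r["role"] for r in hr_records if r["status"] == "active"}
    excess = []
    for system, accounts in system_accounts.items():
        for acct in accounts:
            role = role_of.get(acct["emp_id"])
            if role is None:
                continue  # orphan accounts are reported by find_orphans
            extra = acct["entitlements"] - role_entitlements.get(role, set())
            if extra:
                excess.append((system, acct["account"], role, sorted(extra)))
    return sorted(excess)


def who_has_access(system_accounts):
    """'Who has access to what?' report keyed by employee id (None = unowned account)."""
    report = defaultdict(dict)
    for system, accounts in system_accounts.items():
        for acct in accounts:
            report[acct["emp_id"]][system] = sorted(acct["entitlements"])
    return dict(report)


if __name__ == "__main__":
    for system, account, owner in find_orphans(HR_RECORDS, SYSTEM_ACCOUNTS):
        print(f"ORPHAN  {system}/{account} (hr owner: {owner})")
    for system, account, role, extra in find_excess_entitlements(
            HR_RECORDS, SYSTEM_ACCOUNTS, ROLE_ENTITLEMENTS):
        print(f"EXCESS  {system}/{account} role={role} extra={extra}")
    for emp_id, systems in who_has_access(SYSTEM_ACCOUNTS).items():
        print(f"{emp_id}: {systems}")
```

The unmatched service account is the case most easily missed when reconciliation is done by eye: it shows up only because the join key is the HR employee id and anything without one is treated as unowned rather than silently skipped. The transfer case is the second thing to check, since a user who changes role is still “active” in HR and will never appear in a leavers report.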

So we might not be able to protect the clumsy human from himself or herself, but we can start using security solutions to protect this data in the first place.
