A pragmatic primer for protecting your most critical assets, by David Johnson.
For most businesses, government agencies,
institutions and other organisations, security can at times seem
like an overwhelmingly complex challenge. Threats to your data,
both real and perceived, loom from all angles. Hacker attacks,
disgruntled or dishonest employees, and competitive snooping are
just some of the concerns with respect to protecting proprietary
information.
Regulatory drivers are mounting as well, with an ever-growing list
of legislation and new acronyms to contend with. In Europe, the EU
and individual countries have their own regulations governing the
privacy of information, including, as examples, the European
Community Directives on human rights, electronic commerce, data
protection, and privacy and electronic communications, and the UK’s
Data Protection Act. In the US, HIPAA, GLBA and “SOX” are just a
few to contend with. On a worldwide basis, the Basel II Capital
Accord is front of mind for all internationally active banks.
Faced with a long and growing list of international
regulations affecting IT security, compliance is viewed as one
of the top concerns for many executives. Some of these laws hold
organisations accountable for protecting the confidentiality of
consumer or patient information. Others require companies to provide
detailed and reliable documentation on financial decisions, transactions
and risk assessments. And new laws are being passed all the time.
Deciphering the regulatory alphabet soup
Here is a quick primer on some of these regulations and what they
mean:
GLBA: Under the privacy provisions
of the US Gramm-Leach-Bliley Act (GLBA), also known as the Financial
Services Modernization Act of 1999, banks, credit card companies
and other financial institutions that provide financial products
or services to US consumers must ensure the security and confidentiality
of customer records and information. They must also protect against
any anticipated threats or hazards to the security or integrity
of these records and protect against unauthorised access or use.
HIPAA: The privacy provisions of the Health Insurance Portability
and Accountability Act of 1996 (HIPAA) took effect on April 14th,
2003. They require privacy protection for medical records and other
personal health information created or maintained by health care
providers who engage in certain electronic transactions, health
plans, hospitals, health insurers and health care clearinghouses.
Sarbanes-Oxley (SOX): Most observers would agree that the
Sarbanes-Oxley Act (SOX) is the single most important piece of
legislation affecting corporate governance, financial disclosure
and the practice of public accounting since the US securities laws
of the early 1930s. What is more, section 302 forces Securities and
Exchange Commission registered companies, including many European
organisations, to “evaluate the effectiveness of internal controls
over any information they issue to capital markets”. This US law
went into effect on July 30th, 2002. Initially, companies had to be
in compliance by late 2003, but extensions were granted. Large
corporations now have until June 15th, 2004, to meet the
requirements of Sarbanes-Oxley. Smaller companies have to comply by
April 15th, 2005.
Basel II: The Basel II Capital Accord is an amended regulatory
framework developed by the Basel Committee on Banking Supervision,
hosted by the Bank for International Settlements. It requires all
internationally active banks, at every tier within the banking
group, to adopt similar or consistent risk-management practices for
tracking and publicly reporting exposure to operational, credit and
market risks. It requires the identification of the risks a bank is
exposed to, a report detailing the processes in place for
identifying and measuring future risk, and confirmation that
sufficient regulatory capital is held to cover the risk exposure –
capital held must be closely matched to risks undertaken.
UK Data Protection Act: The Data Protection Act 1998 came into
force on March 1, 2000 and implements the EC Data Protection
Directive (95/46/EC). It applies to computerised personal data as
well as data held in structured manual files. The DPA sets out
eight principles to make sure that personal data is handled
properly. They say that data must be:
1. Fairly and lawfully processed;
2. Processed for limited purposes;
3. Adequate, relevant and not excessive;
4. Accurate;
5. Not kept for longer than is necessary;
6. Processed in line with the individual’s rights;
7. Secure; and,
8. Not transferred to countries without adequate protection.
Basic tenets for compliance
Unfortunately, there is no single “one size fits all”
implementation solution for complying with all the rules. But
there are some basic strategies companies can use that will help
them better deal with the security and retention of electronic
data and lay a proper foundation for building their own framework
to help comply with these regulations – and to protect proprietary
business information.
The basic building blocks of a security foundation would certainly
include the following elements:
* A sound security policy – establishing
the proper procedures and processes for how employees and systems
should handle sensitive information.
* Proportionate to the threat – security is a form of insurance
so make sure it is clearly targeted at protecting your most critical
assets from the most likely or most damaging risks.
* Data encryption – to protect the privacy of consumer,
patient, financial, or other sensitive information.
* Strong authentication and access controls – to ensure
that only the people with a proper “need to know”
have access to, or can change, sensitive information.
* Data integrity checks – to ensure that the information
has not been altered, whether by accident or deliberately. A plain
checksum catches the former; only a keyed check or a digital
signature catches the latter.
* Continuity of service – to ensure that operations are
not disrupted for any significant period of time.
And most importantly, establish internal awareness among your
employees through education on your security policies. Used
properly, security technology can go a long way towards compliance.
Sound simple enough? In theory, yes. But in practice – not
always.
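The “data integrity checks” element above is where teams most often get a false sense of safety. A ZIP archive’s built-in CRC-32 catches accidental corruption, but anyone who can edit the archive can also recompute the CRC. The following Python script is an added example, not code from this article or from PKWARE; the archive contents, the key and the tampered entry are all constructed inline so it runs offline. It builds a small archive, protects it with a keyed HMAC-SHA256 tag, then rewrites one entry the way an attacker would and shows that the CRC check still passes while the keyed check fails.

```python
"""Keyed integrity check over a ZIP archive: why a CRC is not enough.

Added example, not code from the original article or from PKWARE.
The archive content, the key and the "attacker" edit are constructed
inline so the script runs offline.
"""
import hashlib
import hmac
import io
import secrets
import zipfile


def build_archive(entries: dict) -> bytes:
    """Write the given name -> content mapping into an in-memory ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def crc_check_passes(archive: bytes) -> bool:
    """ZIP's built-in CRC-32 check: detects corruption, not tampering."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return zf.testzip() is None  # None means every entry's CRC matched


def mac_tag(key: bytes, archive: bytes) -> str:
    """Keyed integrity tag (HMAC-SHA256) over the whole archive."""
    return hmac.new(key, archive, hashlib.sha256).hexdigest()


def mac_check_passes(key: bytes, archive: bytes, tag: str) -> bool:
    """Constant-time comparison so the check itself does not leak the tag."""
    return hmac.compare_digest(mac_tag(key, archive), tag)


def tamper(archive: bytes, name: str, new_data: bytes) -> bytes:
    """What an attacker without the key can do: rewrite one entry and let
    the ZIP writer recompute the CRC, so the archive still 'verifies'."""
    entries = {}
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            entries[info.filename] = zf.read(info.filename)
    entries[name] = new_data
    return build_archive(entries)


def demo() -> dict:
    # Constructed sample data: a quarterly ledger someone wants to alter.
    original = build_archive({
        "ledger-q1.csv": b"account,amount\n1001,250.00\n1002,-40.00\n",
        "README.txt": b"Quarterly figures, do not edit.\n",
    })
    key = secrets.token_bytes(32)   # shared with the verifier out of band
    tag = mac_tag(key, original)

    forged = tamper(original, "ledger-q1.csv",
                    b"account,amount\n1001,2500.00\n1002,-40.00\n")

    return {
        "original_crc_ok": crc_check_passes(original),
        "original_mac_ok": mac_check_passes(key, original, tag),
        "forged_crc_ok": crc_check_passes(forged),            # True: CRC recomputed
        "forged_mac_ok": mac_check_passes(key, forged, tag),  # False: no key
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The key has to reach the verifier over a channel the attacker cannot touch, and a shared key only proves that one of the key holders produced the archive. Where the requirement is non-repudiation, the tag must be a digital signature under a key only the sender holds, which is what certificate-based signing, discussed later in this article, provides.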
A visit to the security scrapheap
Organisations have expended enormous amounts of energy and money
to address these threats and drivers over the past few years –
often with very little in tangible results to show for it. Expensive
PKI projects and other security initiatives can remain perpetually
in pilot due to complexities of implementation, support and lack
of end-user acceptance.
And those that have been successful in deploying
sophisticated solutions within their organisations often find
themselves isolated on islands of security due to incompatible
technologies, infrastructures, and policies between themselves
and their external customers and business partners.
So all the hype about security solutions
– PGP, PKI, smart cards, biometrics, automated security
policy enforcement, client authentication, message security, VPNs,
access control – all too often remain hype. It really shouldn’t
be this difficult.
A pragmatic approach to security
According to Bruce Schneier, an internationally renowned security
technologist and author, “The more complex a security solution
is, the less likely it will be used”. Rather than throwing
money at the latest technology, a more pragmatic approach to protecting
information would start with determining what information your
organisation is trying to protect and how, assessing the existing
and planned infrastructure within which the solution must operate,
and most importantly identifying who the users are – both
inside and outside the organisation – and their usage context.
More specifically:
* Does the information need to be protected in storage, in transit
or both?
* What computing systems will need to store, access or transfer
the information?
* Who are the users and owners of the information, and what applications
and processes will they be using to access and share it with others?
* Does the information need to be exchanged with external organisations
– i.e. business partners, customers, government agencies,
or other external constituents?
* What is the current and planned infrastructure within which
the information security solution must work?
* What resources are available, once the solution has been implemented,
for training end-users and providing ongoing support?
* Finally, what are the basic requirements for protecting the
information: confidentiality, data integrity, non-repudiation,
authentication of the author or sender, and access by only the
intended recipients?
Typical requirements within an enterprise
setting might include:
* Minimal overhead and infrastructure requirements. Your security
shouldn’t require a huge investment in adding additional
bandwidth and storage. Incurring these significant costs up-front
makes it difficult to justify the ROI associated with security.
* Completely interoperable across organisations, platforms, applications,
and infrastructures. Your security solution needs to be completely
interoperable – not only within your company (where you
can control your users’ applications and computing platforms)
– but more importantly, it needs to work seamlessly with
your external partners, customers, consultants and other key constituents.
* Compatible with existing and future infrastructure investments.
You want to ensure that any security solution you deploy today
not only works within your existing infrastructure, but also your
future one. For example, perhaps your plan is to someday deploy
a PKI within your organisation and issue certificates to your
end-users or external partners. It’s important that whatever
you deploy today can support tomorrow’s direction as well.
* Simple and cost-effective to implement and support. It goes
without saying that whatever you deploy needs to be cost-effective,
easy to implement, and easy to support.
* Easy to use. And last, but not least, it needs to be easy to
use. Because if it’s not inherently simple for your end-users
to use – they won’t.
Moving from analysis to action
Once the information protection requirements are determined, the
next step is to then evaluate alternative approaches. Organisations
should consider a range of options – often the best solution
is one that may not have originally been considered. Based on
your own requirements, determine your selection criteria and use
these to evaluate vendors’ products as well as competing
technologies. A subset of these solutions may include messaging
security for protecting internal and external e-mail communications,
securing archived financial information, or protecting communications
between an organisation’s data centre and its branch offices.
Typical approaches for implementing these solutions include a
Public Key Infrastructure (PKI) and related technologies such
as S/MIME, Virtual Private Networks, PGP (“Pretty Good Privacy”),
and others.
A more recent entry into the security solution
mix is PKWARE’s SecureZIP™ technology. PKWARE, the
creator and continuing innovator of the widely used ZIP file format,
has integrated strong security into its multi-platform PKZIP products.
PKZIP combines the benefits of ZIP data compression – storage
and bandwidth efficiency, cross-platform interoperability, and
broad user adoption – with new strong encryption and digital
signature capabilities powered by RSA Security’s BSAFE software.
It works within both PKI and non-PKI environments, allowing users
and organisations to effectively “bridge the gap”
between those that have digital certificates and those that don’t.
PKWARE has also developed a free PKZIP Reader
product, which enables any recipient of a SecureZIP file to unzip,
decrypt, and even process digitally signed archives. With PKZIP
Reader, PKWARE is employing a strategy similar to that of Adobe’s
Acrobat Reader, which has enabled the pdf format to achieve broad
acceptance as the de facto standard for transporting documents.
PKZIP Reader is available to individual end-users from PKWARE’s
web site, or can be redistributed in a customised and co-branded
fashion by large organisations with its recently announced PKZIP
Reader Partner Program.
In summary:
There is no “silver bullet” for curing all your security
needs – whether they be regulatory compliance or otherwise.
But by taking a pragmatic approach to defining security requirements
and policies based on what you’re trying to achieve, considering
how your users (internal and external to your organisation) will
interact with the information and technology, and planning the
integration with your current and future infrastructure, you can
avoid the unnecessary time and expense that have plagued many
organisations’ attempts at implementing “sophisticated”
security solutions.
David Johnson is MD International,
PKWARE.
PKWARE, Inc is exhibiting at Infosecurity
Europe 2004, which is Europe's number one IT Security Exhibition.
The event brings together professionals interested in IT Security
from around the globe with suppliers of security hardware, software
and consultancy services. Now in its 9th year, the show features
Europe's most comprehensive FREE education programme, and over
200 exhibitors at the Grand Hall at Olympia from 27th to the 29th
April 2004. www.infosec.co.uk
