Information security in government IT: Lessons learned from the financial industry

The risk of citizens' private data being stolen has grown in recent years. News stories of hacking incidents that affect millions and the potential loss of personally identifiable information illustrate the clear and present danger of cybercrimes. Adding to the risk of a data breach is the push for data access and ubiquity of information in the cloud. With more organizations relying on cloud providers to operate their mission-critical applications, risk mitigation gets more challenging for security professionals. As more agencies move to cloud computing, federal IT managers will continue to face the challenges surrounding the protection of citizens' PII.
Driven by stringent regulations, the financial industry has a long record of implementing controls and policies for enforcing financial data integrity. The Statement on Standards for Attestation Engagements No. 16 is a set of auditing guidelines for financial reporting that includes IT security compliance. Practices the financial industry uses to protect PII can be applied to government organizations that must comply with requirements of the Federal Information Security Management Act and the National Institute of Standards and Technology Special Publication 800-53

Financial data repositories can be extremely large and somewhat unwieldy, much like those found in government. However, the financial industry conducts analysis by chunking the data down into smaller segments so that it can slice and package data by geographical and socioeconomic cohorts and perform modeling simulations on these selective subsets --  an efficient and cost-effective method for analytics reporting. With its ability to quickly spin up CPU cycles and storage space, the cloud has naturally become the de facto computing platform for on-demand financial modeling.
Moving to the cloud does impose additional security risks. Traditionally, financial data has been stored in-house because of its sensitive nature. Cloud-destined data is no longer in the relative safety of an on-premise host, so special considerations govern protection of PII: data encryption and data anonymization.
Data encryption for the cloud
Data encryption is now ubiquitous, especially for PII. It is worth noting, however, that 128-bit secure socket layer (SSL) protection, once considered de facto for e-commerce, is no longer adequate. For extra level of PII protection, the financial industry is looking toward the strength of AES-256 protection. Transport layer security, particularly TLS 2.0, is replacing SSL 3.0 as the standard.
With the data that persists on a cloud platform, AES-256 should be the encryption standard -- applied to data-at-rest for both active databases and backup storage. When data is in transit between an on-premise facility and the hosting environment, the data package should be encrypted using AES-256 prior to transporting, even if the transportation layer already provides its own intrinsic encryption (i.e. a VPN tunnel or an HTTPS connection). Under this double-encryption scheme, critical data will be under military-grade protection -- a direction in which the financial industry is increasingly heading.
Data anonymization
Data anonymization, also referred to as sanitization, obfuscation or de-identification, is the technique for masking or removing PII from datasets so that the records no longer identify the individuals to whom the information belongs. Anonymizing data prior to uploading to the cloud can provide an additional layer of security in case of data breach.
There are two primary techniques for data masking: static masking and dynamic masking. Static masking can be applied when there is no need to unmask (i.e. to transform the scrambled PII back to its identifiable form). This comes into play with datasets that are used in analytics, where PII has no direct role in the formulation of results. Dynamic data masking, where PII masking is transient, has the advantage of reversibility. If an architectural pattern requires frequent data synchronization between the cloud and on-premise data stores, or between transactional and analytical systems, dynamic masking may be applicable.
Data-masking solutions range from those developed in-house, to built-in features of the enterprise resource planning or database platform, to dedicated software for anonymization. In-house and built-in features of ERP and databases may be more suitable for static data masking. Dedicated data obfuscation solutions with efficient algorithms may be more effective for dynamic requirements.
Enterprise cloud migration, and the required preparations for over-the-cloud PII protection, can be less challenging for agencies if they draw from the experiences of early adopters in the financial industry. They can then charter their own path to the cloud from these lessons learned.

Source: gcn.com

Comments

Post a Comment

Popular posts from this blog

Sri Lanka Arrests Two Men over Taiwan Bank Hacking

Sri Lankan police have arrested two men for allegedly helping international criminals who  hacked into computers at a Taiwan bank and stole millions of dollars, an official said Sunday. The pair were arrested after they tried to withdraw large sums of money that had been wired to their accounts with a Sri Lankan bank branch in the capital Colombo, the official said. The police Criminal Investigation Department (CID) was working closely with  Taiwan counterparts to track down the hackers, who are said to have breached the Taiwan bank's computers last week. "We are looking at some $1.3 million that had come into three accounts in Sri Lanka," the official involved with the investigation told AFP, asking not to be named. "We have taken two people into custody and we are looking for one more person." Police in Sri Lanka did not disclose the name of the affected bank in Taiwan or the sum said to have been stolen, but a Sri Lankan media report said tens of m
Read more

Solar cars begin race across Australian desert

SYDNEY (Reuters) - The World Solar Challenge began on Sunday with 42 solar cars crossing Australia’s tropical north to its southern shores, a grueling 3,000 km (1,864 mile) race through the outback. The race from the northern city of Darwin to the southern city of Adelaide is expected to take a week for most cars, with speeds of 90-100 kmh (55-62 mph) powered only by the sun. The fastest time was achieved by Japan’s Tokai University in 2009, completing the transcontinetal race in only 29 hours and 49 minutes. Belgian team Punch Powertrain started first on Sunday after recording a trial time of 2:03.8 for 2.97 km (1.78 miles), hitting an average speed of 83.4 kmh (51.5mph). But reigning 2015 champions Nuon from Delft University of Technology in the Netherlands believes it has a good chance of retaining the prize. “All the cars look completely different (this year), and all we know is we’ve got a good car, we’ve got it running perfectly the last couple of days and we’re co
Read more