Summaries and comments on some [not-so-] recent articles that caught my attention…
It’s Audit Time. Do You Know Where Your Private Data Is?
- data encryption is becoming more commonplace, especially on mobile devices
- “full disk encryption” is fashionable, but the security of that encrypted data depends heavily on key management and authentication
- A little more user education on “physical security” would help avoid the very risks that encryption is being layered on thick and gooey to cover
- “California’s Office of Privacy Protection issued a clarification [of CSB 1386] that defined encryption as AES, the government’s official encryption system.”
Commentary: I’m in full agreement that “full disk encryption” is the easy answer to multiple regulatory burdens, and that key management (i.e. being able to recover lost or damaged keys – to be able to recover the data) and authentication (i.e. strength of the authentication that stands between the keyboard and the decryption keys) are vital.
If you encrypt your whole disk but have no way of recovering if the disk sector [or TPM storage location] where the keys are stored is damaged/erased, then chances are you’ll lose legitimate access to the data more often (user frustration) than you’ll grant illegitimate access to the data (data exposure).
Sure, the AES clarification in California isn’t legally binding, but any organization that ignores this now (especially with wide availability of AES encryption technologies – e.g. RMS, EFS in Windows XP SP1, PGP, Pointsec) would be more than foolish – in my mind, they’d be deliberately negligent [obligatory “IANAL” hereby stated].
[Note: the article is incorrect about which versions of Windows support AES in EFS – EFS only gained AES (and made it the default) in Windows XP SP1 and Windows Server 2003; Windows 2000 and the original XP release use DESX, with 3DES available as an option.]
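To make the key-management point concrete, here is an added example (my own illustration, not code from the article or from any of the products named above) of the two things the commentary says matter: the authentication that stands between the keyboard and the decryption key, and a second, escrowed way to reach that key if the first is lost. The header layout, the slot names and the 32-byte recovery-key convention are assumptions for the sake of the demo; the data is encrypted under a random data-encryption key (DEK) that is wrapped twice with AES-256-GCM, once under a PBKDF2-derived key and once under a recovery key, so that zeroing the password slot (simulating a damaged header sector or TPM location) still leaves the data recoverable.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Slot holds one wrapped copy of the DEK. Salt is only used by the password slot.
type Slot struct {
	Salt    []byte
	Nonce   []byte
	Wrapped []byte // AES-256-GCM(KEK, DEK): 32-byte DEK + 16-byte tag
}

// Volume is a toy "full disk encryption" header plus the encrypted payload (assumed layout).
type Volume struct {
	PasswordSlot Slot
	RecoverySlot Slot
	Nonce        []byte
	Ciphertext   []byte
}

const kdfIters = 100_000

// pbkdf2SHA256 is PBKDF2-HMAC-SHA256 for a 32-byte output (exactly one block, so no outer loop).
// This is the "authentication between keyboard and keys": its strength is the password's strength.
func pbkdf2SHA256(password, salt []byte, iters int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // INT(1): big-endian block index
	u := mac.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < iters; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func aeadSeal(key, plaintext []byte) (nonce, ct []byte, err error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, g.Seal(nil, nonce, plaintext, nil), nil
}

func aeadOpen(key, nonce, ct []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return g.Open(nil, nonce, ct, nil)
}

// CreateVolume encrypts plaintext under a fresh DEK and wraps that DEK under both a
// password-derived KEK and an escrowed 32-byte recovery key (the "way back in").
func CreateVolume(password, recoveryKey, plaintext []byte) (*Volume, error) {
	if len(recoveryKey) != 32 {
		return nil, errors.New("recovery key must be 32 bytes")
	}
	dek := make([]byte, 32)
	salt := make([]byte, 16)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	v := &Volume{}
	var err error
	if v.Nonce, v.Ciphertext, err = aeadSeal(dek, plaintext); err != nil {
		return nil, err
	}
	v.PasswordSlot.Salt = salt
	if v.PasswordSlot.Nonce, v.PasswordSlot.Wrapped, err = aeadSeal(pbkdf2SHA256(password, salt, kdfIters), dek); err != nil {
		return nil, err
	}
	if v.RecoverySlot.Nonce, v.RecoverySlot.Wrapped, err = aeadSeal(recoveryKey, dek); err != nil {
		return nil, err
	}
	return v, nil
}

// unlock unwraps the DEK from one slot and decrypts the payload with it.
func unlock(v *Volume, s Slot, kek []byte) ([]byte, error) {
	dek, err := aeadOpen(kek, s.Nonce, s.Wrapped)
	if err != nil {
		return nil, fmt.Errorf("key slot unusable: %w", err)
	}
	return aeadOpen(dek, v.Nonce, v.Ciphertext)
}

func OpenWithPassword(v *Volume, password []byte) ([]byte, error) {
	return unlock(v, v.PasswordSlot, pbkdf2SHA256(password, v.PasswordSlot.Salt, kdfIters))
}

func OpenWithRecoveryKey(v *Volume, recoveryKey []byte) ([]byte, error) {
	return unlock(v, v.RecoverySlot, recoveryKey)
}

// CorruptPasswordSlot simulates the damaged sector / TPM location the commentary warns about.
func CorruptPasswordSlot(v *Volume) {
	for i := range v.PasswordSlot.Wrapped {
		v.PasswordSlot.Wrapped[i] = 0
	}
}

func main() {
	pw := []byte("correct horse battery staple")
	rk := make([]byte, 32)
	if _, err := rand.Read(rk); err != nil {
		panic(err)
	}
	v, err := CreateVolume(pw, rk, []byte("constructed sample: account numbers"))
	if err != nil {
		panic(err)
	}
	CorruptPasswordSlot(v)
	if _, err := OpenWithPassword(v, pw); err != nil {
		fmt.Println("password slot damaged:", err)
	}
	pt, err := OpenWithRecoveryKey(v, rk)
	if err != nil {
		panic(err)
	}
	fmt.Println("recovered via escrowed key:", string(pt))
}
```

The design choice that matters is that the DEK itself is never derived from the password: the password only unlocks one wrapped copy, so a second copy under an escrowed key costs nothing in data-at-rest security (an attacker still needs one of the two KEKs) while turning a lost password or a corrupted slot from data loss into a help-desk call. The escrowed recovery key is, of course, only as safe as wherever it is stored.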
Study: ID Theft from Data Breaches Rare
- Press release regurgitation: analysis and findings from a vendor of risk management technology
Commentary: in the “department of duh” category, not all security breaches involving identity data (credit cards, passwords, social security numbers, account numbers) resulted in massive identity theft.
US moves forward on data privacy
- Proposed Federal law not only mandates data privacy and security – but also requires oversight of outside organizations you pay to handle/manage/process that data
- Mandatory notification is required as well
- Penalties for non-compliance include significant fines and possible jail time for willful disregard
- Also mentions two additional pieces of legislation cooking: the “Identity Theft Protection Act” & the “Data Accountability and Trust Act”
Commentary: about freakin’ time.
Q&A: ETrade CIO calls token-based authentication a success
Commentary: “success” is measured in the interviewee’s first answer: customers who have adopted the SecurID token for access to their ETrade accounts “are therefore willing to move more assets to us.” Security is not useful if it doesn’t positively affect the core business.
Do you have more interest in strong authentication issues? Hit the site http://www.secureidnews.com/.