Now that WikiLeaks is threatening to open the spigot of data on the banking industry, what will this mean for data security in the finance sector? The leaks are highlighting the importance of data security in the information age.
But what are the weaknesses that led to the exposures seen thus far? The cables leak was the result of an inside operator. This is a difficult weakness to address, as the weakest link in a system is often a human link. But centralizing data and having a strong authentication and authorization model can help to control access and ensure that people are only accessing the data they need.
The banking leak is reported to be based on data recovered from an executive laptop. This type of leak, where data is at rest, requires a few steps to address: encrypted hard drives, encrypted email and file-based encryption. With the right controls in place, there is no reason for this type of leak to take place.
There is a case here for data centralization: having key data in a centralized repository under a central control structure makes it easier to understand and manage who has access to which data elements (and who is doing what with those elements). A centralized approach also helps to reduce the amount of ‘in flight’ data being propagated throughout the organization, which reduces leak potential.
Banks may be asked to respond to their ‘leak risk’, and those with solid security controls and a more centralized data structure will be in a much better position than the banks that have not been focusing on these concepts.
Here are a few key points to help avoid data leaks:
- Centralize where possible and map all data dissemination: this helps to ensure that data is inventoried and controlled across the landscape.
- Review and control data access and use frequently; have data stewards review and confirm data consumers.
- Encrypt all sensitive data at rest – this includes laptops, staging zones and file shares.
- Promote a multi-tiered approach to security – encrypt the transport, the payload and add as much security as the non-functional requirements (typically performance) will allow.
The news coverage has started to change how people think about data leaks, but the fundamentals and best practices of data security remain sound. Having solid principles and policies is the first step, but, like a good golf swing, the key is in the follow-through.