Data Integrity: the ticking time bomb

May 19th, 2009

I’ve read a great post on David Lacey’s blog. Very clearly, he points out how most people and organizations are forgetting that information security rests on a three-pillar house (Availability, Confidentiality and Integrity, or CIA).

Availability was the main focus some years ago. Denial of service was the main worry, and business continuity was the focus of organizations. Then came the turn of confidentiality, and encryption became something that was -almost- everywhere. The impact of a loss of availability is big; the impact of a loss of confidentiality is bigger… and scarier.

But now comes the time for data integrity. Right now, few decision-making minds in organizations focus on it, or care about it. But still, the impact of a loss of data integrity is -and here we agree with Mr. Lacey- huge. What if somebody changed the data, intentionally or not? Results can range from undermining the people’s (think about the recent alleged attack by a hacker on the Virginia Health Professions Database) to outright fraud (think about the Satyam Computers’ case).

And it gets darker. The problem lies not only in safeguarding integrity, but also in the long and painful process of recovering from one of these attacks: how do you know exactly which data is trustworthy (i.e. has not been tampered with) and which is not?

It is surprising that currently there is not much concern about this. We guess that, unfortunately, this concern will come when it is too late, when there have been many breaches of data integrity and the costs and consequences are there to remind us of its importance. That is why, in David Lacey’s words, it is a time bomb waiting to explode.


Lex Nokia, or how employee’s right for privacy evolves

March 9th, 2009

Last week the Finnish parliament approved a controversial law that allows employers to track their employees’ emails. This law, named “Lex Nokia” (Latin for “Nokia’s law”), was strongly supported by Finnish employers’ organizations; the name relates to Nokia because a respected Finnish newspaper reported some weeks ago that Nokia was threatening to leave the country if the law was not approved. The news, obviously, was echoed around the Internet. Nokia has denied these accusations.

The law does not actually allow employers to check their workers’ emails and read their communications. It does give them the right to track them, though, by retaining information associated with those emails such as recipients, senders and the time when those emails were read or sent. Employers can also check whether emails have attachments, and data related to them. This law, of course, has created a great deal of discussion among civil rights groups, employers’ organizations and Finnish society.

What we think is interesting is the way this is evolving. It seems to be becoming an undeniable fact that businesses need to defend themselves from corporate espionage. But there is also the fact that allowing employers to check some information about their workers’ email may open the door to abuses. The direct relation between being allowed to do it and the certainty of abusing this law is a matter of debate. The important issue here is that it will certainly put doubts in each worker’s mind: is my boss checking my emails? So the key element here is the ability to prove, unquestionably, that emails have or have not been checked. And this is where the Kinamik Secure Audit Vault can be the final solution.

Of course, these accesses to the workers’ emails must be audited. But auditing alone does not provide a sufficient solution, since this audit data can be easily changed, especially when users have high privileges or power. By collecting, centralizing and securing this audit information with the Kinamik Secure Audit Vault, employers will not only gain in efficiency and lower auditing and compliance costs, but they will also be able to provide something harder to quantify but no less important: their employees’ trust. Being able to prove, without any doubt, that the audit records showing who has done what have not been changed will certainly provide peace of mind to every single person in an organization. Knowing that there is an always-on, tamper-evident watching system like this should definitely be the standard best practice whenever any organization wants to exercise its right to check its workers’ emails.

One last note: I have been asked many times in the past why any worker organization would agree to implement a system like this in any organization, since they feel that they will be constantly watched. Well, the reasons mentioned above are exactly why: these kinds of systems are not accusatory systems; they are protective systems, which allow the guilty to be proven guilty, and the innocent to be confident that his or her innocence will be unquestionably shown.


Defending against data integrity attacks

March 2nd, 2009

We’ve already mentioned that data integrity is going to be the next big threat. Well, Sarb Sembhi, president of the London chapter of ISACA, thinks so too.
In this very interesting short article, Mr. Sembhi points out something many people think: there are many more attacks than the ones disclosed to the public. He also points out that, tied to the economic climate we currently have, several high-profile fraud cases are being discovered (and we think that unfortunately there are many more to come). Although not directly linked, he also implies that high-value frauds and data integrity attacks are closely related. The likelihood of data integrity being part of these data manipulations increases as the total value of the fraud gets higher; hence, it would not be wrong to assume that -again- the lack of proper data integrity protection tools certainly does not help prevent this type of case in organizations.

We are working to show Mr. Sembhi that we are what he is missing: a data integrity protection solution aimed at protecting every type of data.

In the meantime, he mentions a fact as true as the sky is blue: it all starts with putting proper procedures in place. To reduce the organization’s exposure to data integrity attacks (and to high-value frauds), Mr. Sembhi mentions:

  • “Create policies and procedures for data quality and data integrity
  • Create policies and procedures to identify the extent of the problem and record incidences of data integrity compromises and suspected incidents of fraud
  • Ensure information assets are correctly valued, (including configuration and log files, and meta data)
  • Undertake threat assessment of valued data
  • Take a risk management approach to protecting data integrity
  • Ensure adequate protection of all data that is relied upon for investigatory purposes
  • Include data integrity protection as part of security awareness programme”

Spy Scandal at Deutsche Bahn // The Wall of Shame

February 18th, 2009

Does the end justify the means? Der Spiegel reports a story in which Deutsche Bahn, the German state-owned rail service, is watching a new scandal grow, with the risk of implicating its top managers.

The German rail company is being accused of spying on almost all of its 227,000 employees for almost a decade. Part of a campaign to root out internal corruption -a very positive cause indeed-, the spying operation consisted of comparing “master data” (i.e. personal details) of over 170,000 employees with information on around 80,000 external suppliers. This would show irregularities that might imply internal corruption. These investigations and comparisons took place at least three times (in 2002, 2003 and 2005).

It is now under investigation whether privacy laws have been broken or not. But even if Deutsche Bahn’s actions were legal, privacy is an extremely sensitive matter in Germany because of its Nazi and Communist past. Surprisingly enough, this is not the first such spying case, after Deutsche Telekom in 2008 and Lidl grocery stores in 2007.

Under investigation as well is how aware its top managers (including Deutsche Bahn’s CEO, Hartmut Mehdorn) were of these proceedings.

Once again, we are witnessing privacy and employee surveillance issues arise. Any organization is within its rights to safeguard its name, intellectual property, and even its trade and business secrets. But doing so correctly and stepping on its employees’ privacy are two different matters. Proper systems should be put in place in order to audit each and every action done within an organization, even by the most privileged users. This kind of system (like the Kinamik Secure Audit Vault) would act as a deterrent for any misuse that may occur, and accountability and full responsibility would be in place. It would protect both the organization and its employees: the organization would be protected since employees would think twice before doing any inappropriate or illegal action, knowing that each and every action is being recorded and archived. And employees would be protected since these audited actions would also include the actions allegedly done by Deutsche Bahn; any employee representative (e.g. a union leader) could then run integrity reports and analysis on the audit trails to check for improper actions, and be sure that these reports can be unquestionably trusted.


Satyam Computers: India’s Enron? - Another Wall of Shame post

January 26th, 2009

This week’s Wall of Shame post is about the recent scandal at Satyam Computers, the Indian IT outsourcing giant.

The scandal, reported extensively in the media, is the biggest-ever corporate fraud in India’s history. Satyam’s former CEO, Ramalinga Raju, admitted he had been cooking the books of his firm for years. In his statement, Mr. Raju said that about $1bn (€0.75bn), reflecting 94% of the cash on the company’s books, was made up. The fraud he perpetrated was so large and complex that Indian business people are already calling it “India’s Enron”.

But this immense fraud scandal does not end here. Just as in Enron’s case -in which one of the “Big Five” accounting firms, Arthur Andersen, was brought down-, now one of the remaining “Big Four” finds itself in the middle of this turmoil: PriceWaterhouseCoopers is in the spotlight.

Bloomberg.com reports that two PriceWaterhouseCoopers auditors have just been arrested, putting the auditing organization at the center of attention. It is the first time in India’s history that an auditor has been detained for failing to ensure a client’s financial integrity. PriceWaterhouseCoopers LLP may even face scrutiny in the U.S. after Satyam’s equities -listed in New York- lost 82% of their market value in two weeks.

Many implications arise out of this scandal. The first question that comes to mind is how such a big fraud could happen without anybody noticing it. Although Mr. Raju claims that only a few people knew about the scam, the country’s regulators, including Sebi and India’s Institute of Chartered Accountants, have promised an investigation. This will inevitably lead to stricter oversight of auditors; furthermore, analysts believe the rules governing independent directors will need to be tightened to force them to be more accountable. Questions are also being asked about governance at India’s other family-dominated businesses.

Keyword here? Accountability. Once again, we see the need for an independent auditing platform for securing this kind of sensitive data and making it tamper-evident, like the Kinamik Secure Audit Vault. Having this kind of platform in place acts as a deterrent: if any user (even the most privileged ones) has the certainty that his or her trails are being “recorded”, and cannot be covered, the occurrence of these kinds of scandals would certainly be lower. Users at all levels, up to the C-level, will be accountable for their actions, and by having trustworthy and tamper-evident sensitive data on all the actions that took place, organizations could even protect the innocent by unquestionably proving not only what was done, but also that nothing has been changed.

You can read more about the Kinamik Secure Audit Vault here.


Dealing with the crisis and disgruntled employees

January 22nd, 2009

A recent article at Forbes online commented on the possible relation between the rise in cybercrime and the current economic crisis. Although the statement is hard to prove beyond question, the article pointed to some data provided by McAfee, according to which there has been a rise in the amount of malicious software plaguing the Internet in recent months. Even harder data (still from McAfee) show that this rise in attacks began in March 2008, when the count went from the 30,000 or 40,000 detected in earlier months up to 170,000. And this was even before the credit crisis hit the technology sector.

The article points out that the reason for this could be the number of savvy employees who suddenly find themselves without jobs, and are pushed to “the other side” to commit fraudulent acts that they otherwise would not do. In that respect, the real threat comes when disgruntled employees who leave companies take customer records with them to sell on the black market.

So how to deal with this? Many organizations are focusing on improving their security systems; but at Kinamik we believe that this is clearly not enough. For us, one of the best ways of dealing with the insider threat is by having a system like the Kinamik Secure Audit Vault, which collects and centralizes auditing data, making it tamper-evident. This way organizations can hold users, even the most privileged ones, accountable for their actions beyond any shadow of doubt. This kind of system clearly acts as a deterrent for illegal actions, pretty much like CCTV and a sign saying “We always prosecute thieves” would do in a real-life shop. Wrongdoers (i.e. any disgruntled ex-employee) would think twice before committing an illegal action if they were certain that their tracks cannot be covered and erased (and if they try to do so, it would show even more).
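What “tamper-evident” audit data means in practice, as an added illustration that is not Kinamik’s code or the vault’s actual design: each record carries an HMAC tag over the previous tag and the record itself, the latest tag (the head) is kept outside the store, and verification reports where an in-place edit, a re-tagged edit or a deleted record breaks the chain. The key, the sample e-mail access events and every function name are constructed for this example.

```python
import copy
import hashlib
import hmac
import json

# Key held only by the audit system (constructed sample value, not a real secret).
VAULT_KEY = b"constructed-demo-vault-key"
GENESIS = b"\x00" * 32  # tag that precedes the first record


def canonical(record: dict) -> bytes:
    """Deterministic encoding so a record always hashes the same way."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def link(prev_tag: bytes, record: dict, key: bytes = VAULT_KEY) -> bytes:
    """Tag = HMAC(key, previous tag || record): each tag commits to every
    earlier record, and a valid tag cannot be produced without the key."""
    return hmac.new(key, prev_tag + canonical(record), hashlib.sha256).digest()


def append(chain: list, record: dict) -> bytes:
    """Append a record and return the new chain head (the latest tag)."""
    prev = chain[-1]["tag"] if chain else GENESIS
    chain.append({"record": record, "tag": link(prev, record)})
    return chain[-1]["tag"]


def verify(chain: list, head: bytes, key: bytes = VAULT_KEY):
    """Walk the chain from GENESIS. Returns (True, None) when every link
    verifies and the final tag equals `head`, the value kept outside the
    store (published or escrowed) so that a cut-off tail is noticed too.
    Otherwise returns (False, index of the first entry that fails)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if not hmac.compare_digest(link(prev, entry["record"], key), entry["tag"]):
            return False, i
        prev = entry["tag"]
    if not hmac.compare_digest(prev, head):
        return False, len(chain)  # links fine, but records missing at the end
    return True, None


def sample_chain():
    """Constructed audit events: who looked at whose mail metadata, in order."""
    events = [
        {"seq": 1, "actor": "it-admin", "action": "read_headers", "mailbox": "alice"},
        {"seq": 2, "actor": "it-admin", "action": "read_headers", "mailbox": "bob"},
        {"seq": 3, "actor": "hr-lead", "action": "export_log", "mailbox": "alice"},
    ]
    chain, head = [], GENESIS
    for event in events:
        head = append(chain, event)
    return chain, head


def edit_record(chain: list, index: int, **changes) -> list:
    """A privileged user rewriting a stored record in place; returns a copy."""
    forged = copy.deepcopy(chain)
    forged[index]["record"].update(changes)
    return forged


def rewrite_tail(chain: list, start: int, key: bytes) -> list:
    """The same user recomputing every tag from `start` onward with a key of
    their choosing, trying to make the edited chain look consistent."""
    forged = copy.deepcopy(chain)
    prev = forged[start - 1]["tag"] if start else GENESIS
    for entry in forged[start:]:
        entry["tag"] = link(prev, entry["record"], key)
        prev = entry["tag"]
    return forged
```

Even a tamperer who obtains the key and re-tags the whole tail is caught by the externally held head, which is why the head value (or a periodic copy of it) belongs somewhere the audited users cannot write.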

Accountability beyond any doubt is the key here. Security without proper accountability is just not enough.


Wall of Shame: new at the kBlog (Lloyds TSB new scandal)

January 16th, 2009

At Kinamik we firmly believe that guaranteeing the trustworthiness (read: integrity) of any set of data used in a GRC implementation will very soon become a key requirement. There are many elements that show us that this is particularly true (you can read about it here and here). All these elements could be seen as “positive” proof that reinforces our view. But not all of the signs out there are positive… quite the opposite.

We are already seeing an increasing number of data manipulation scandals on front pages, and it is fair to think that many more are to come. So we have decided to participate in this public debate by commenting each time we hear about one of these cases.

The first post of this Wall of Shame series goes to the recent $350 million (265 million euro) Lloyds TSB agreed to pay to the US authorities after being charged with tampering with and falsifying records so Lloyds TSB clients from Iran, Sudan and Libya could do business within the US banking system. By making these modifications to the records, Lloyds was violating the International Emergency Economic Powers Act, which allows blocking commerce with countries deemed a threat to the United States.

According to US prosecutors, the bank’s misconduct took place over 12 years, between 1995 and 2007. Lloyds’ actions -known as stripping- meant faking or completely erasing information such as customer names, bank names and addresses so that wire transfers could go undetected through the filters at US banks.

Lloyds TSB declared that they fully cooperated in the investigation, and said that they were “committed to running our business with the highest levels of integrity and regulatory compliance across all of our operations, and have undertaken a range of significant steps to further enhance our compliance programs”.

Indeed, an enhancement of their compliance program could have prevented the tampering with these electronic records by Lloyds’ employees. In fact, one of the best ways of actually improving a compliance program is by making electronic records tamper-evident, so that they are unquestionably trustworthy, as the Kinamik Secure Audit Vault does. With this kind of system in place, a simple check-up on the audit data might have detected that something was wrong, and these kinds of actions would not have gone undetected for over 12 years.

You can read more about this case here.


Keeping metadata in an immutable way

January 16th, 2009

I found an interesting article that explains that a new ruling in the US is forcing companies to preserve their metadata in an immutable way. (NOTE: metadata describes how, when and by whom a particular set of data was collected and how the data is formatted. It is essential for understanding information stored in data warehouses and has become increasingly important in, for example, XML-based Web applications).

In the court case referred to in the article (Aguilar v. Immigration & Customs Enforcement Div. of U.S. Dep’t of Homeland Sec.), a U.S. District Court ruled that metadata associated with e-mails and electronic files must be preserved, maintained and produced in the course of legal discovery.

The Aguilar decision emphasizes the importance of metadata preservation in the course of e-discovery. Metadata can be used for authentication, search and analysis while also offering evidential value such as when the file was created or accessed. This ruling shows that organizations now must be ready to present metadata if requested, and it should be kept and preserved in a way that its legal admissibility is not questioned. In other words, organizations must be able to unquestionably prove that metadata is trustworthy and was preserved in an immutable way.

One solution for that would be to retain more information in WORM format, as this can help preserve the data and metadata. However, using the Kinamik Secure Audit Vault is a more efficient and cheaper alternative for preserving data with integrity (i.e. so that it cannot be altered) than WORM disks. By using Kinamik’s solution, organizations can use any normal disk to achieve immutability of their data with software alone.

Once again, this is proof of the need for anti-tampering solutions.


BSI 10008 – Another proof that integrity is the next big thing

January 16th, 2009

The British Standards Institution (or BSI) has recently published BSI 10008, a new standard that focuses on the evidential weight of electronic information. It establishes a set of requirements organizations should follow in their data management procedures for ensuring… yes, you got it: the integrity of information.

The new standard’s name is quite self-explanatory: “Evidential weight and legal admissibility of electronic information. Specification”. As the BSI website states, “legal admissibility concerns whether or not a piece of evidence would be accepted by a court of law. To ensure the admissibility, information needs to be managed by a secure system throughout its lifetime (which can be for many years). Where doubt can be placed on the information, the evidential weight may well be reduced, potentially harming the legal case”. BSI 10008 therefore aims to ensure that any piece of electronic information used in a court of law has the maximum evidential weight.

There are many interesting aspects here. First, it shows the need to clearly establish guidelines and a common framework for how to deal with electronic data and digital evidence. And second -but no less important- it outlines how data integrity is a key aspect of information management.

We just bought a copy of the standard. We’ll read it and publish some thoughts… Stay tuned.


Top 10 e-discovery trends for 2009

January 9th, 2009

Pretty much everybody agrees that 2009 will be key to how the current economic crisis develops. It will certainly change many aspects of our personal and professional lives. And when trying to identify how the e-discovery market will evolve, the folks at Clearwell Systems have produced a list of ten predictions for this year. They respond mainly to greater financial and legal stress, calling for more collaboration, control and proactive readiness in the matter.

So here’s the list, via MarketWatch. Enjoy:

1. Government Investigations Increase: the economic tensions and increase in high-profile scandals will lead to a natural rise in government investigations, compliance audits and data requests.

2. Corporations Take More Control Over e-Discovery: e-discovery processes go “in-house” to gain more control and reduce costs. Organizations will then see that a proper proactive approach brings cost-reduction opportunities when an e-discovery process takes place.

3. Industry Push For Collaboration: improving collaboration efforts will reduce costs and conflicts.

4. Federal Rules of Evidence (FRE) 502 Helps Automated Reviews: the use of automated analytical tools will be on the rise, reducing costs and lowering the time and money associated with inadvertent disclosure of privileged information.

5. “Showing Your Work” Becomes Mandatory: technology must be transparent and auditable, with organizations needing not only to show but also to prove transparency and good practice.

6. Solving Colloquial E-Discovery Is Top of Mind: new technologies such as voicemail, instant messaging, web 2.0 and others must be included in the e-discovery process. Trustworthy auditing becomes the key aspect here.

7. Global Economic Downturn Drives Global E-Discovery: e-discovery will go international and therefore become more complex. E-discovery technologies will need to address privacy and data protection issues, in line with international compliance requirements.

8. Information Stores Will be Mapped: in line with prediction #1, there will be an increasing need for organizations to clearly map their electronically stored information. This means the capacity of retaining, archiving, searching and producing whatever information is required.

9. Integration Happens Across the EDRM Framework: integration will be the key for e-discovery technologies this year.

10. Information Management Shows Positive ROI: proper information management is no longer related solely to good practices, but will also have a clear cost-saving effect. Being unprepared and having unmanaged data stores will bring enormous costs if an e-discovery process comes into play. The key here is having a proper forensic readiness approach.
