Archive for January, 2009

Satyam Computers: India’s Enron? – Another Wall of Shame post

Monday, January 26th, 2009

This week’s Wall of Shame post is about the recent scandal at Satyam Computers, the Indian IT outsourcing giant.

The scandal, reported extensively in the media, is the biggest-ever corporate fraud in India’s history. Satyam’s former CEO, Ramalinga Raju, admitted he had been cooking the books of his firm for years. In his statement, Mr. Raju said that about $1bn (€0.75bn), reflecting 94% of the cash on the company’s books, was made up. The fraud he perpetrated was so large and complex that Indian business people are already calling it “India’s Enron”.

But this immense fraud scandal does not end here. Just as in Enron’s case, in which one of the “Big Five” accounting firms, Arthur Andersen, was destroyed, one of the remaining “Big Four” now finds itself in the middle of the turmoil: PricewaterhouseCoopers is in the spotlight.

Bloomberg.com reports that two PricewaterhouseCoopers auditors have just been arrested, putting the auditing firm at the center of attention. It is the first time in India’s history that an auditor has been detained for failing to ensure a client’s financial integrity. PricewaterhouseCoopers LLP may even face scrutiny in the U.S. after Satyam’s equities, listed in New York, lost 82% of their market value in two weeks.

Many implications arise out of this scandal. The first question that comes to mind is how such a large fraud could happen without anybody noticing it. Although Mr. Raju claims that only a few people knew about the scam, the country’s regulators, including Sebi and India’s Institute of Chartered Accountants, have promised an investigation. This will inevitably lead to stricter oversight of auditors; furthermore, analysts believe the rules governing independent directors will need to be tightened to force them to be more accountable. Questions are also being asked about governance at India’s other family-dominated businesses.

Keyword here? Accountability. Once again, we see the need for an independent auditing platform that secures this kind of sensitive data and makes it tamper-evident, like the Kinamik Secure Audit Vault. Having such a platform in place acts as a deterrent: if every user (even the most privileged) knows for certain that his or her trail is being “recorded” and cannot be covered, scandals of this kind would certainly occur less often. Users at all levels, up to the C-level, would be accountable for their actions, and with trustworthy, tamper-evident records of everything that took place, organizations could even protect the innocent by unquestionably proving not only what was done, but also that nothing has been changed.

You can read more about the Kinamik Secure Audit Vault here.

Dealing with the crisis and disgruntled employees

Thursday, January 22nd, 2009

A recent article at Forbes online commented on the possible relation between the rise in cybercrime and the current economic crisis. Although the claim is hard to prove conclusively, the article pointed to data provided by McAfee, according to which the amount of malicious software plaguing the Internet has risen in recent months. Even harder data (still from McAfee) show that this rise in attacks began in March 2008, when the count went from the 30,000 or 40,000 detected in earlier months up to 170,000. And this was even before the credit crisis hit the technology sector.

The article points out that the reason for this could be the number of savvy employees who suddenly find themselves without jobs and are pushed to “the other side”, committing fraudulent acts that they otherwise wouldn’t. In that respect, the real threat comes when disgruntled employees leaving a company take customer records with them to sell on the black market.

So how to deal with this? Many organizations are focusing on improving their security systems; but at Kinamik we believe that this is clearly not enough. For us, one of the best ways of dealing with the insider threat is having a system like the Kinamik Secure Audit Vault, which collects and centralizes auditing data and makes it tamper-evident. This way organizations can hold users, even the most privileged ones, accountable for their actions beyond any shadow of doubt. Such a system clearly acts as a deterrent against illegal actions, much like a CCTV camera and a sign reading “We always prosecute thieves” would in a real-life shop. A wrongdoer (for example a disgruntled ex-employee) would think twice before committing an illegal action if certain that his or her tracks cannot be covered or erased (and that any attempt to do so would itself be visible).

Accountability beyond any doubt is the key here. Security without proper accountability is just not enough.

Wall of Shame: new at the kBlog (the new Lloyds TSB scandal)

Friday, January 16th, 2009

At Kinamik we firmly believe that guaranteeing the trustworthiness (read: integrity) of any set of data used in a GRC implementation will very soon become a key requirement. There are many elements that show us this is true (you can read about it here and here). All these elements could be seen as “positive” proof that reinforces our view. But not all of the signs out there are positive… quite the opposite.

We are already seeing an increasing number of data manipulation scandals on front pages, and it is fair to think that many more are to come. So we have decided to participate in this public debate by commenting on each of these cases as we hear about them.

The first post of this Wall of Shame series goes to the recent $350 million (265 million euro) settlement that Lloyds TSB agreed to pay the US authorities after being charged with tampering with and falsifying records so that its clients from Iran, Sudan and Libya could do business within the US banking system. By modifying these records, Lloyds violated the International Emergency Economic Powers Act, which allows commerce to be blocked with countries deemed a threat to the United States.

According to US prosecutors, the bank’s misconduct went on for over 12 years, between 1995 and 2007. Lloyds’ actions, known as “stripping”, consisted of faking or completely erasing information such as customer names, bank names and addresses so that wire transfers could pass undetected through the filters at US banks.

Lloyds TSB declared that it had fully cooperated with the investigation, and said that it was “committed to running our business with the highest levels of integrity and regulatory compliance across all of our operations, and have undertaken a range of significant steps to further enhance our compliance programs”.

Indeed, an enhanced compliance program could have prevented the tampering of these electronic records by Lloyds’ employees. In fact, one of the best ways of actually improving a compliance program is to make electronic records tamper-evident, so that they are unquestionably trustworthy, as the Kinamik Secure Audit Vault does. With such a system in place, a simple check of the audit data might have revealed that something was wrong, and actions of this kind would not have gone undetected for over 12 years.

You can read more about this case here.

Keeping metadata in an immutable way

Friday, January 16th, 2009

I found an interesting article that explains that a new ruling in the US is forcing companies to preserve their metadata in an immutable way. (NOTE: metadata describes how, when and by whom a particular set of data was collected and how the data is formatted. It is essential for understanding information stored in data warehouses and has become increasingly important in, for example, XML-based Web applications).

In the court case referred to in the article (Aguilar v. Immigration & Customs Enforcement Div. of U.S. Dep’t of Homeland Sec.), a U.S. District Court ruled that metadata associated with e-mails and electronic files must be preserved, maintained and produced in the course of legal discovery.

The Aguilar decision emphasizes the importance of metadata preservation in the course of e-discovery. Metadata can be used for authentication, search and analysis, while also offering evidential value such as when a file was created or accessed. This ruling shows that organizations must now be ready to present metadata when requested, and that it must be kept and preserved in a way that does not call its legal admissibility into question. In other words, organizations must be able to unquestionably prove that the metadata is trustworthy and was preserved in an immutable way.

One solution would be to retain more information on WORM (write once, read many) media, which helps preserve both data and metadata. However, the Kinamik Secure Audit Vault is a more efficient and cheaper alternative to WORM disks for preserving data with integrity (i.e. so that it cannot be altered). With Kinamik’s solution, organizations can use any ordinary disk and achieve immutability of their data in software.
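The posts above repeatedly rely on the idea that audit data can be made tamper-evident in software alone, so that edits, deletions and cover-up attempts are detectable after the fact. The following is an added example written for this page; it is not Kinamik’s code and does not describe how the Secure Audit Vault works internally, which the posts do not specify. It shows the most common generic technique, a hash chain: every record carries the hash of its predecessor, and the latest hash (the “anchor”) is stored out of band, for instance on WORM media or with a third party. The sample events and actor names are constructed for the demonstration.

```python
import copy
import hashlib
import json
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64  # previous-hash value used by the very first record


def _digest(prev_hash: str, body: Dict) -> str:
    """Hash the previous link together with a canonical JSON encoding of the record body."""
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + b"|" + payload).hexdigest()


def append(chain: List[Dict], actor: str, action: str, ts: str) -> Dict:
    """Append an audit record whose hash covers the previous record's hash (the chain link)."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    record = {"seq": len(chain), "ts": ts, "actor": actor, "action": action, "prev": prev_hash}
    record["hash"] = _digest(prev_hash, record)
    chain.append(record)
    return record


def verify(chain: List[Dict], anchor: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """Recompute every link. Returns (ok, seq of the first broken record or None).

    Without an anchor, a chain that has only lost its tail still verifies; the
    externally stored head hash is what exposes truncation or a wholesale re-hash.
    """
    prev_hash = GENESIS
    for i, record in enumerate(chain):
        body = {k: v for k, v in record.items() if k != "hash"}
        if (record.get("seq") != i
                or record.get("prev") != prev_hash
                or _digest(prev_hash, body) != record.get("hash")):
            return False, i
        prev_hash = record["hash"]
    if anchor is not None and prev_hash != anchor:
        return False, len(chain)  # all remaining links are intact, but the tail is gone
    return True, None


def demo() -> Dict[str, Tuple[bool, Optional[int]]]:
    """Build a small constructed log, then show which manipulations verification detects."""
    chain: List[Dict] = []
    events = [  # constructed sample events, not real data
        ("alice", "login", "2009-01-16T09:00:00Z"),
        ("alice", "wire_transfer amount=1000", "2009-01-16T09:05:00Z"),
        ("bob", "edit_customer_record id=42", "2009-01-16T09:10:00Z"),
    ]
    for actor, action, ts in events:
        append(chain, actor, action, ts)
    anchor = chain[-1]["hash"]  # would be stored out of band (WORM media, notary, second system)

    results = {"intact": verify(chain, anchor)}

    edited = copy.deepcopy(chain)            # 1) silently change a past record
    edited[1]["action"] = "wire_transfer amount=10"
    results["edited"] = verify(edited, anchor)

    deleted = copy.deepcopy(chain)           # 2) remove a record from the middle
    del deleted[1]
    results["deleted"] = verify(deleted, anchor)

    truncated = copy.deepcopy(chain[:-1])    # 3) drop the newest record
    results["truncated_no_anchor"] = verify(truncated)
    results["truncated_with_anchor"] = verify(truncated, anchor)
    return results


if __name__ == "__main__":
    for name, (ok, bad_seq) in demo().items():
        print(f"{name:22s} ok={ok} first_bad_seq={bad_seq}")
```

The third case is the caveat a practitioner should take from this: a chain on its own proves that nothing in the middle was altered or removed, but an insider who can rewrite the file can also re-hash everything from the edited record onward, or simply cut off the end. Only a head hash that the same insider cannot modify (the anchor) turns those into detectable events, which is the role WORM storage or an independent party plays in the designs the post compares.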

Once again, this is proof of the need for anti-tampering solutions.

BSI 10008 – Another proof that integrity is the next big thing

Friday, January 16th, 2009

The British Standards Institution (or BSI) has recently published BSI 10008, a new standard that focuses on the evidential weight of electronic information. It establishes a set of requirements that organizations should follow in their data management procedures to ensure… yes, you got it: the integrity of information.

The new standard’s name is quite self-explanatory: “Evidential weight and legal admissibility of electronic information. Specification”. As the BSI website states, “legal admissibility concerns whether or not a piece of evidence would be accepted by a court of law. To ensure the admissibility, information needs to be managed by a secure system throughout its lifetime (which can be for many years). Where doubt can be placed on the information, the evidential weight may well be reduced, potentially harming the legal case”. BSI 10008 therefore aims to ensure that any piece of electronic information used in a court of law has the maximum evidential weight.

There are many interesting aspects here. First, it shows the need to clearly establish guidelines and a common framework for dealing with electronic data and digital evidence. And second, but no less important, it shows that data integrity is a key aspect of information management.

We just bought a copy of the standard. We’ll read it and publish some thoughts… Stay tuned.

Top 10 e-discovery trends for 2009

Friday, January 9th, 2009

Pretty much everybody agrees that 2009 will be key to how the current economic crisis develops. It will certainly change many aspects of our personal and professional lives. Trying to identify how the e-discovery market will evolve, the folks at Clearwell Systems have produced a list of ten predictions for this year. They respond mainly to greater financial and legal stress, calling for more collaboration, control and proactive readiness.

So here’s the list, via MarketWatch. Enjoy:

1. Government Investigations Increase: the economic tensions and increase in high-profile scandals will lead to a natural rise in government investigations, compliance audits and data requests.

2. Corporations Take More Control Over e-Discovery: e-discovery processes go “in-house” to gain more control and reduce costs. Organizations will then see that a proactive approach brings cost-reduction opportunities when an e-discovery process takes place.

3. Industry Push For Collaboration: improving collaboration efforts will reduce costs and conflicts.

4. Federal Rules of Evidence (FRE) 502 Helps Automated Reviews: the use of automated analytical tools will be on the rise, reducing the time and money associated with inadvertent disclosure of privileged information.

5. “Showing Your Work” Becomes Mandatory: technology must be transparent and auditable, and organizations will need not only to show but also to prove transparency and good practice.

6. Solving Colloquial E-Discovery Is Top of Mind: new technologies such as voicemail, instant messaging, web 2.0 and others must be included in the e-discovery process. Trustworthy auditing becomes the key aspect here.

7. Global Economic Downturn Drives Global E-Discovery: e-discovery will go international and therefore become more complex. E-discovery technologies will need to address privacy and data protection issues, in line with international compliance requirements.

8. Information Stores Will be Mapped: in line with prediction #1, there will be an increasing need for organizations to clearly map their electronically stored information. This means the capacity to retain, archive, search and produce whatever information is required.

9. Integration Happens Across the EDRM Framework: integration will be the key for e-discovery technologies this year.

10. Information Management Shows Positive ROI: proper information management is no longer related solely to good practices, but will also have a clear cost-saving effect. Being unprepared and having unmanaged data stores will bring enormous costs if an e-discovery process comes into play. The key here is having a proper forensic readiness approach.