Archive for March, 2009

Lex Nokia, or how employee’s right for privacy evolves

Monday, March 9th, 2009

Last week the Finnish parliament approved a controversial law that allows employers to track their employees’ emails. This law, named “Lex Nokia” (Latin for “Nokia’s law”), was strongly supported by Finnish employers’ organizations; the name refers to Nokia because a respected Finnish newspaper reported some weeks ago that Nokia was threatening to leave the country if the law was not approved. The news was, obviously, echoed around the Internet. Nokia has denied these accusations.

The law does not actually allow employers to open their workers’ emails and read their communications. It does give them the right to track them, by retaining information associated with those emails such as recipients, senders and the time when those emails were read or sent. Employers can also check whether emails have attachments, and data related to them. This law has, of course, created a great deal of discussion among civil rights groups, employers’ organizations and Finnish society.

What we think is interesting is the way this is evolving. It seems to be becoming an undeniable fact that businesses need to defend themselves from corporate espionage. But there is also the fact that allowing employers to check some information about their workers’ email may open the door to abuses. The direct relation between being allowed to do it and the certainty that this law will be abused is a matter of debate. The important issue here is that it will certainly put doubts in each worker’s mind: is my boss checking my emails? So the key element here is the ability to prove, unquestionably, that emails have or have not been checked. And this is where the Kinamik Secure Audit Vault can be the final solution.

Of course, these accesses to the workers’ emails must be audited. But auditing alone is not a sufficient solution, since the audit data can be easily changed, especially when users have high privileges or power. By collecting, centralizing and securing this audit information with the Kinamik Secure Audit Vault, employers will not only gain in efficiency and lower their auditing and compliance costs, but they will also be able to provide something harder to quantify but no less important: their employees’ trust. Being able to prove, without any doubt, that the audit records showing who has done what have not been changed will certainly give peace of mind to every single person in an organization. Knowing that there is an always-on, tamper-evident watching system like this should definitely be the standard best practice whenever any organization wants to exercise its right to check its workers’ emails.
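
One way to make audit records of this kind tamper-evident, shown here as an added illustration rather than Kinamik’s own design: every access record carries a keyed hash over its contents and over the previous record’s hash, so a later edit, reordering or deletion breaks the chain, and a silently truncated tail is caught by comparing the last hash with a copy stored outside the administrators’ reach. The key, the record layout and the sample accesses are constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed demo key; in practice it lives in the vault, out of reach of the administrators being audited.
VAULT_KEY = b"constructed-demo-key-not-for-production"
GENESIS_TAG = "0" * 64

def _tag(record):
    # Keyed hash over the canonical record minus its own tag; "prev" is inside, so the link is covered too.
    body = {k: v for k, v in record.items() if k != "tag"}
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(VAULT_KEY, data, hashlib.sha256).hexdigest()

def append_record(chain, actor, action, mailbox, when):
    """Append one access event; each record is bound to the tag of the one before it."""
    prev = chain[-1]["tag"] if chain else GENESIS_TAG
    record = {"seq": len(chain), "actor": actor, "action": action,
              "mailbox": mailbox, "when": when, "prev": prev}
    record["tag"] = _tag(record)
    chain.append(record)
    return record

def verify_chain(chain, anchor=None):
    """Return (True, None) if intact, else (False, index of the first bad record).
    Edits, reordering and deletions inside the chain break a tag or a prev link; a silently
    truncated tail is only caught against an externally stored anchor, reported as index -1."""
    prev = GENESIS_TAG
    for i, rec in enumerate(chain):
        if rec["seq"] != i or rec["prev"] != prev or not hmac.compare_digest(rec["tag"], _tag(rec)):
            return False, i
        prev = rec["tag"]
    if anchor is not None and not hmac.compare_digest(prev, anchor):
        return False, -1
    return True, None

def demo():
    """Constructed log of three metadata accesses, then four manipulations of it."""
    chain = []
    append_record(chain, "admin1", "read_headers", "alice@example.com", "2009-03-09T10:00:00Z")
    append_record(chain, "admin1", "list_attachments", "alice@example.com", "2009-03-09T10:01:00Z")
    append_record(chain, "admin2", "read_headers", "bob@example.com", "2009-03-09T11:30:00Z")
    anchor = chain[-1]["tag"]  # published or escrowed where the administrators cannot rewrite it
    edited = [dict(r) for r in chain]
    edited[1]["actor"] = "nobody"
    return {"intact": verify_chain(chain, anchor),
            "edited": verify_chain(edited, anchor),
            "deleted_middle": verify_chain(chain[:1] + chain[2:], anchor),
            "truncated_no_anchor": verify_chain(chain[:2]),
            "truncated_with_anchor": verify_chain(chain[:2], anchor)}
```

Note that the chain on its own cannot tell a truncated log from a log that simply stopped; only the external anchor (or a periodic signed checkpoint) closes that gap.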

One last note: I have been asked many times in the past why any worker organization would agree to implement a system like this in any organization, since they feel that they will be constantly watched. Well, the reasons mentioned above are exactly why: these kinds of systems are not accusatory systems; they are protective systems, which allow the guilty to be proven guilty, and the innocent to be confident that his or her innocence will be unquestionably shown.

Defending against data integrity attacks

Monday, March 2nd, 2009

We’ve already mentioned that data integrity is going to be the next big threat. Well, Sarb Sembhi, president of the London chapter of ISACA, also thinks so.

In this very interesting short article, Mr. Sembhi points out something many people think: there are many more attacks than the ones disclosed to the public. He also points out that, tied to the current economic climate, several high-profile fraud cases are being discovered (and we think that unfortunately there are many more to come). Although not directly linked, he also implies that high-value frauds and data integrity attacks are closely related. The likelihood of data integrity being part of these data manipulations increases as the total value of the fraud gets higher; hence, it wouldn’t be wrong to assume that, again, the lack of proper data integrity protection tools certainly doesn’t help prevent this type of case in organizations.

We are working to show Mr. Sembhi that we are what he is missing: a data integrity protection solution aimed at protecting every type of data.

In the meantime, he mentions a fact as true as the sky is blue: it all starts with putting proper procedures in place. To reduce the organization’s exposure to data integrity attacks (and to high-value frauds), Mr. Sembhi recommends:

  • “Create policies and procedures for data quality and data integrity
  • Create policies and procedures to identify the extent of the problem and record incidences of data integrity compromises and suspected incidents of fraud
  • Ensure information assets are correctly valued (including configuration and log files, and meta data)
  • Undertake threat assessment of valued data
  • Take a risk management approach to protecting data integrity
  • Ensure adequate protection of all data that is relied upon for investigatory purposes
  • Include data integrity protection as part of security awareness programme”