The Immutable kBlog: thoughts on data integrity

At Kinamik we firmly believe that guarantying the trustworthiness (read: integrity) of any set of data used in a GRC implementation will very soon become a key requirement. There are many elements that show us that this is particularly true (you can read about it here and here). All these elements could be seen as a “positive” proof that reinforces our view. But not all of the signs out there are positive… quite the opposite.

We are already seeing an increasing number of data manipulation scandals on front pages, and it is fair to think that many more are to come. So we have decided to participate in this public debate by commenting each time we hear about one of these cases.

The first post of this Wall of Shame series goes to the recent $350 million (265 million euro) Lloyds TSB agreed to pay to the US authorities after being charged of tampering and falsifying records so Lloyds TSB clients from Iran, Sudan and Libya could do business within the US banking system. By doing these modifications in the records Lloyds was violating the International Emergency Economic Powers Act, which allows blocking commerce with countries that were deemed a threat to the United States.

According to US prosecutors, the bank’s misconduct took place for over 12 years, between 1995 and 2007. Lloyds’ actions -known as stripping- meant faking or completely erasing information such as customer names, bank names and addresses so wire transfers can go undetected through filters at the US banks.

Lloyds TSB declared that they fully cooperated in the investigation, and said that they were “committed to running our business with the highest levels of integrity and regulatory compliance across all of our operations, and have undertaken a range of significant steps to further enhance our compliance programs”.

Indeed, an enhancement in their compliance program could have prevented the tampering of these electronic records by Lloyds’ employees. In fact, one the best ways of actually improving a compliance program is by making electronic records tamper-evident, so they could be unquestionably trustworthy, like the Kinamik Secure Audit Vault. By having this kind of system in place, a simple check-up on audit data may have detected that there was something wrong, and these kinds of actions would not have been undetected for over 12 years.

You can read more about this case here.

I found an interesting article that explains that a new ruling in the US is forcing companies to preserve their metadata in an immutable way. (NOTE: metadata describes how, when and by whom a particular set of data was collected and how the data is formatted. It is essential for understanding information stored in data warehouses and has become increasingly important in, for example, XML-based Web applications).

In the court case referred in the article (Aguilar v. Immigration & Customs Enforcement Div. of U.S. Dep’t of Homeland Sec.), a U.S. District Court ruled that metadata associated with e-mails and electronic files must be preserved, maintained and produced in the course of legal discovery.

The Aguilar decision emphasizes the importance of metadata preservation in the course of e-discovery. Metadata can be used for authentication, search and analysis while also offering evidential value such as when the file was created or accessed. This ruling shows that organizations now must be ready to present metadata if requested, and it should be kept and preserved in a way that its legal admissibility is not questioned. In other words, organizations must be able to unquestionably prove that metadata is trustworthy and was preserved in an immutable way.

One solution for that would be being prepared to retain more information on WORM format, as this can help preserve the data and metadata. However, using Kinamik Secure Audit Vault is a  more efficient and cheaper alternative for preserving data with integrity (i.e. it can not be altered) than WORM disks. By using Kinamik’s solution, organizations can use any normal disk to achieve immutability of their data with a software.

Once again, this is the proof for the need of anti-tampering solutions.

The British Standards Institution (or BSI) has recently published the BSI 10008, a new standard that focuses on the evidential weight of electronic information. It establishes up a set of requirements organizations should follow in their data management procedures for ensuring… yes, you got it: the integrity of information.

The new standard’s name is quite self-explanatory: “Evidential weight and legal admissibility of electronic information. Specification”. As the BSI website states, “legal admissibility concerns whether or not a piece of evidence would be accepted by a court of law. To ensure the admissibility, information needs to be managed by a secure system throughout its lifetime (which can be for many years). Where doubt can be placed on the information, the evidential weight may well be reduced, potentially harming the legal case”. The BSI 10008 is aimed therefore to ensure that any piece of electronic information used in a Court of Law has the maximum evidential weight.

There are many interesting aspects here. First, it shows the need of clearly establishing guidelines and a common framework for how to deal with electronic data and digital evidence. And second -but no less important- it outlines how data integrity is a key aspect in information management.

We just bought a copy of the standard. We’ll read it and publish some thoughts… Stay tuned.

Pretty much everybody agrees that 2009 will be key on how the current economic crisis develops. It will certainly change many aspects of our personal and professional lives. And when trying to identify how the e-discovery market will evolve, the folks at Clearwell Systems have produced a list of ten predictions for this year. They respond mainly to greater financial and legal stress, calling for more collaboration, control and proactive readiness in the matter.

So here’s the list, via MarketWatch. Enjoy:

1. Government Investigations Increase: the economic tensions and increase in high-profile scandals will lead to a natural rise in government investigations, compliance audits and data requests.

2. Corporations Take More Control Over e-Discovery: e-discovery processes go “in-house” for having more control and reducing costs. Organizations will then see that a proper proactive approach will bring cost-reduction opportunities for organizations when an e-discovery process takes place.

3. Industry Push For Collaboration: improving collaboration efforts will reduce costs and conflicts.

4. Federal Rules of Evidence (FRE) 502 Helps Automated Reviews: the use of automated analytical tools will be on the rise, reducing costs and lowering the time and money associated with inadvertent disclosure of privileged information.

5. “Showing Your Work” Becomes Mandatory: technology must be transparent and auditable, with organizations in the need of not only showing but also proving transparency and good practice.

6. Solving Colloquial E-Discovery Is Top of Mind: new technologies such as voicemail, instant messaging, web 2.0 and others must be included in the e-discovery process. Trustworthy auditing becomes the key aspect here.

7. Global Economic Downturn Drives Global E-Discovery: e-discovery will go international and therefore more complex. E-discovery technologies will be in the need to address privacy and data protection issues, in line with international compliance requirements.

8. Information Stores Will be Mapped: in line with prediction #1, there will be an increasing need for organizations to clearly map their electronically stored information. This means the capacity of retaining, archiving, searching and producing whatever information is required.

9. Integration Happens Across the EDRM Framework: integration will be the key for e-discovery technologies this year.

10. Information Management Shows Positive ROI: proper information management is no longer related solely to good practices, but will also have a clear cost-saving effect. Being unprepared and having unmanaged data stores will bring enormous costs if an e-discovery process comes into play. The key here is having a proper forensic readiness approach.

I came across a very interesting post today.  It  seems that when Google was requested to present evidence for a case early this year,  they alleged that due to the complexity of their e-mail structure they could present it, but  that  it would be very difficult and expensive to search and find exactly what was needed. I guess it makes sense, since they are so technologically behind the curve…

Leaving any sight of sarcasm behind, this puts into focus a simple -and enormous- truth: the high costs of any e-discovery process, specifically when organizations are requested to search among their data to produce evidence. If Google claims the process is difficult and too costly, any other company should really stop for a second and think on how to tackle this issue.

The first solution that may come to mind would be to improve searching capabilities for finding exactly what is needed. This solution, though, may produce what is called  a  “false negative” if a relevant file is not found, or  a “false positive” if something that is not relevant for the case is found  – recent findings suggest that 70% of the total documents revised in an e-discovery process are false positive findings. This proves that the correct approach should be not just having a good searching tool, but -as the columnist mentions- also that  organizations should “take available technological measures to preserve documentation for legal proceedings”. Having “the ability to preserve new documents as they are created” is key to this.

This brings me to what we do at Kinamik… which is exactly that! We build a centralized, independent and Secure Audit Vault that serves as a safe for all the sensitive data -such as audit trails-, making  them tamper-proof in the process for a future proof preservation. And of course, search capabilities are also available in that audit vault. Well … maybe I should give Google a ring?

It is common nowadays that banks offer different value-added services to their customers. Doing banking operations by phone or through the Internet is an everyday practice that obviously requires some kind of authentication; this matter is commonly addressed by -at the minimum- using some kind of password.

So if you go through life certain that your bank passwords are safe, and nobody can access that delicate piece of information… think again. As Bruce Schneider reports in his blog, this funny story has a bit of a worrying level underneath.

Summarizing the story up, Steve Jetley -a Lloyd’s TSB bank customer- decided to set his bank password as “Lloyd’s is pants”, just to find later that his password had been changed to “no it’s not” by a bank employee without Mr. Jetley knowing about this. The story gets worse when -after realizing the change- he tried to change it back to his original password or another similar such as “Barclays is better” on the grounds that it was “too long” (Barclays is a competitor of Lloyd’s). Even the password “censorship” wasn’t allowed.

Mr. Jetley received a full apology from the bank and the employee (I don’t know if the one that changed the password in the first place or the one that refused to accept the new ones given) was dismissed.

I think that leaving aside the possible comical side of this story, what worrying about this case is that banks are keeping their passwords in flat, non-encrypted forms in their databases. Why would an employee be able to see any client’s password? Or even further, why would an employee need to see any client’s password? So here for me there are two important issues:

1) confidentiality: makes me wonder how many of these important passwords that I have (banking, payment platforms, etc.) are still unencrypted, and

2) accountability: why would an employee see a client’s password?

I guess that the reason is that people (i.e. IT Managers, System Administrators, or even employees) access data for a plain and simple reason: because they can. If proper audit trails systems would be put in place, if there would be any kind of system that could serve as a “surveillance camera” that can prove irrefutably all the access and modification to data, there would be an automatic deterrence for this kind of behavior. People would not be sniffing around information they shouldn’t be looking at if they knew that all their actions were being audited, that these audit trails could not be tampered with and consequently they can -and probably would- be held accountable for their actions.

We are still about a month and a half before the official 1.2 version of the PCI Data Security Standard is officially published. A couple of days ago a summary of the changes was published in the official PCI Security Standards Council, and so far (this is just a summary) no dramatic changes were presented.

Whenever a new version of this kind of standards is published, different questions appear. For example, what happens with companies that are currently on the certification process? Well, these companies have nothing to worry about, since the PCI Security Standards council states that if a company is under the assessment process they can use the v.1.1 of the standard, even if they finish the assessment process after the official publication of version 1.2 in October.

For us working in the security area, in a snapshot some changes seemed rather obvious, some clarified “blurry” aspects of the standard, but it seems (can’t really say until the official 1.2 is published) to be still some ambiguity out there. I must say that I’m personally disappointed that -in this summary- no changes were mentioned about the needed integrity of the logs. The previous 1.1 version of the standard mention that logs “should be protected against unauthorized modifications”, which makes me wonder: what kind of authorized modification should be done to a log file? Aren’t log files meant to be logging exactly what happened?

More comments will be done as soon as the official PCI-DSS v.1.2 is released.

Public Health Records (PHR) allow individual to save, post, manage and share all their health record information via the Internet. Advantages associated to the use of this kind of tools are rather obvious: forget about trying to remember if you are allergic to this or that medication; don’t bother walking all the way to the doctor with your new test results, just to realize when it’s your turn to go talk to the doctor that you forgot home the previous results. Everything will be available online, but only for the people that you allowed to, and under the conditions that you stated.

Or at least in theory.

The adoption of PHR has been slower than assumed, mainly due to lack of trust in the protection of that data, according to Zöe Baird, president of the Markle Foundation. As a response, a group formed by technology companies, providers, health insurers and consumer groups released last June a common framework that will help consumers gain trust in these technologies. It is expected that this joint effort will boost its acceptance and use.

The framework consists of nine consumer policies that rely on seven different support technologies. It is no surprise that one of these technologies (CT3) is Immutable Audit Trails, and four of these nine consumer policies are based on the immutability of the audit trails. This, in other words, means that audit trails -files that track the use, access, modification or deletion of any data- must have integrity and be tamper evident: the integrity of this audit trails must be evident.

Security concerns have been shifting over the years: first on availability, later -in recent years- to confidentiality, and we totally agree with what David Lacey, one of the leading authorities in Information Security Management thinks.

As final users, we see the importance of data integrity only after an attack has occurred, or data has been tampered with. The impact of any change -be it malitious or accidental- is huge. Today, data integrity is percieved more as a “nice to have” than a “must have”… rarely enough stress is put in this.

Gradually people and enforcers are realising the potencial danger associated to “false proofs”. We in Kinamik believe that data integrity will be, quoting Mr. Lacey, “the next big threat”.

The PCI Consortium is currently working on the new PCI DSS Standard, which will be version 1.2. While reviewing the 12 requirements we came out with a surprising point:

Requirement 10.5.2 states that “Audit Trails files should be protected against unauthorized modifications”. We feel that there are is no case for an authorized modification of an audit trail file and hence the word “unauthorized” should be replaced with “all”. Audit trail files should be absolutely immutable to be of any use in a legal or regulatory context.

So, we hope that erasing this “unauthorized” term will happen in the new release. We’ll keep you posted.