Thought Provoking Survey
So I got to thinking about security and how this relates to developers in particular. This was prompted by a recent read of the findings reported in a survey, “2014: The Year of Encryption” conducted by Egress Software Technologies, of delegates at Europe’s largest information security event Infosecurity Europe 2014. And you know the first and almost overwhelming thought that struck me was how important security should be for these folk. Why? Because by the very nature of their work the information they will be storing, sharing or exchanging will be proprietary and possibly ground breaking. Developers bring new products to market in a very competitive world where keeping one’s secrets secret until the very last moment before publishing can mean the difference to your market lead and thus your ultimate success.
2014 Market Survey Infographic
Obvious Risk But…
An obvious observation you would think but then when you read that; “only 17% of those surveyed said their existing secure information sharing system was easy to use” and even more worryingly; “100% of those not interested is security systems admitted to regularly sharing sensitive/confidential data with external third parties”. I wonder if these figures stack-up when applied to developers as a community? I have no research data to refer to here but relying on my twenty plus years experience of working in the IT security arena I would not be surprised if they did.
As with most things in this life you can distil security down to the core basic requirements and thereby be sure you are concentrating your effort to find the correct solution for your given situation. When it comes to shared information for the development community my take on it would be something like this:
- Transfers between team member and the rest of the team
- Latest version source code
- Transfers between testing team and development
- Stored latest beta code
Your view would obviously be different dependant on your circumstances but hopefully you get the idea I’m driving at.
Follow the Data Security
The crucial thing here is the release of information to specific people or groups of people with confidence that only those people and groups can access that information. Additionally you would want to know that these various end points of distribution could not compromise the security by passing on this information in an insecure way to unauthorised people or groups. In other words you would want the security “envelope” to be wrapped around the data and travel with it throughout it’s lifetime. By adopting this “follow the data model” where the secure envelope travels with the data throughout it’s lifetime we have further distilled the core element to one of access control to each data package.
This is all very good stuff but it’s beginning to sound terribly complicated I hear you say. Well that is dependent on the underlying security architecture. It is imperative that the security you adopt is simple and fast to use with maybe no more than one or two extra clicks of the mouse. The focus is sharper still and the distilled core now looks more like this:
- Follow the Data Security
- Ease of use
We’re not going to be able to get much sharper than this, so the next step is to review our understanding of the gains to be made by adopting this approach and then to ask can such a system be easily integrated with our legacy systems since cost will also be an issue when asking management for the go ahead.
The Gains that You Win
To measure the gains that you win when adopting a system of follow the data security can best be expressed by a few examples:
We can all imagine the situation where we pass sensitive information to an authorised member of the team who then without thinking forwards this to a third party for either legitimate reasons connected with their job function or should they deliberately passes on the data to deliberately compromise the project. In both cases the data owner will be requested to grant access to this new person.
Or how about the authorised member of the team that has access to the data but subsequently leaves the team. Should they continue to have that access right? With the follow the data security model you can revoke that person’s access rights in real time.
Follow the data security can be used to control access to that data by event, time or date for instance coupled that with a person’s access rights and you have an amazing level of control over the release or access to your shared data.
Follow the data security is there independently of the transport mechanism or for that matter the storage medium.
Follow the data security by its very nature provides an audit trail of who did what to it where and when and what unauthorised attempts to access it were made, also where and when will be recorded.
You can begin to see how flexible this type of system can be, but is it possible and can it be integrated into the way we work and our current architecture?
Describing the Model
For follow the data security to work and work every time it requires that the data owner/creator defines the security to be applied. Such factors as who will be granted access, when is access to be granted are there any time constraints regarding when and for how long.
It’s a given that the underlying tool being used to envelop and secure the data will be encryption. I don’t intend to discuss encryption in any depth here but suffice to say that it must be robust encryption that has been securely implemented and independently certified as fit for purpose. There are few better places to get approval from than the UK Government’s Certified Product Assurance (CPA) programme led by CESG. Adopting a product whose encryption module has been approved through this scheme gives the user the comfort that the product “does what it say on the tin”.
There is absolutely no reason why this type of system could not be inserted into most existing work processes with minimum fuss. When you send email, use file transfer protocols, copy to removable media a rule-based system could kick in and automatically add the encryption layer and ask for the recipients list. By linking the public/private key encryption to the individuals email address it guarantees this unique entity would be the authorised recipient. In this way there is no need for the user to be concerned about key pairs etc. The whole complicated issue of encryption is hidden from the user experience and as a consequence it makes for extreme ease of use.
Securing the Cloud
Hopefully you will see how by adopting follow the data security it has the effect of securing the Cloud. It adds further security by the fact that each data package could have it’s own unique key pair still associated the sender and receiver’s email addresses by different for each exchange made. How does this improve security? It means that should one exchange be compromised it does not affect any previous or subsequent exchange. Each exchange has to be broken or compromised independently.
Follow the data security is the way forward! If you want further information about products certified by CESG visit Cesg.gov.uk and for information about Egress Switch large file transfer and file encryption software visit: Egress.com
By Paul Simms