Information security remains a persistent problem in the technology community: without deliberate initiatives to secure how data is distributed, threats multiply and no one is clearly responsible for protecting the data. Matthew Rosenquist, an information security strategist at Intel Corporation, discussed data security in one of his video blogs (Channelintel, October 20, 2009). The video primarily argues for revolutionizing data security. It identifies the issues precisely; the open question is how to start that revolution and what is needed to succeed. Several solutions are suggested: classifying confidential data by the level of designation required to access it, limiting access to sensitive information and defining explicitly who is permitted to access it, indexing data files by recording the relationships between them, and imposing definite security requirements on the handling of pertinent information.
Realizing those solutions depends on meeting several critical requirements first. The solutions must be applied system-wide: security policies have to be embedded at every layer, from the hardware up to the handling of deleted files. They must also be implemented across all users and back to the backend infrastructure. Protection must be holistic, covering the entire lifetime of the data from the moment it is created until it is deleted. All data should carry default security properties at creation, in transit, at rest, and in use. All stored data should be subject to verification, tracking, auditing, and clear ownership. Finally, all data should be distributed through a centralized system with continuous indexing, auditing, and scanning.
A prominent example of a data security breach is the news report on the consequences of a PCI DSS failure: roughly 10 million Visa and MasterCard cardholders allegedly had their card information compromised by the latest attack on a credit card processor's system (see the references for the news link). The chief marketing officer of Co3 Systems, a data loss management firm, estimated that a merchant with 1 million affected cards could face a potential liability of $1.6 million in compliance penalties alone (Armerding, March 30, 2012).
In my own assessment, the incident could have been avoided if the two card companies had anticipated it and planned ahead to reinforce their security measures, since the threat had been detected earlier and there was a history of the same attack between January 21 and February 25. PCI DSS, although the standard the card companies use for card processing, should long since have been overhauled, since most of the security systems in use today are still stuck in the 1990s. Compliance with the standard is one thing; protecting the internal system is another. If the current system is insufficient, the card companies will have to build their own reinforcing controls to back up PCI DSS against failures and attacks until the processing system has been revolutionized.
References:
Channelintel (October 20, 2009). It is Time for a Data Security Revolution! [Web streaming video]. Retrieved April 2, 2012 from http://www.youtube.com/watch?v=57Oay8wjHpo
Armerding, Taylor (March 30, 2012). The PCI effect -- for better or worse -- following fresh breach of MasterCard, VISA. Computerworld. Retrieved April 2, 2012 from http://www.computerworld.com/s/article/9225709/The_PCI_effect_for_better_or_worse_following_fresh_breach_of_MasterCard_VISA?taxonomyId=203