Perimeter
1/30/2013
02:28 PM
Wendy Nather
Wendy Nather
Commentary
50%
50%

Going Green With Your Ones And Zeros

For better security, use less data

I know what you’re thinking. "This is the same person who wrote 'Log All The Things,' right?" And of course everyone wants to do so because of Big Data. But there’s another angle to logging and monitoring, along with the rest of your enterprise data, and that’s what I’m calling the "principle of least use."

Your confidential data is radioactive. It contaminates any container it touches, whether it’s a file, database, or server. You can’t always keep track of it; you don’t necessarily know for sure where it flows, who’s accessing it, or what it’s used for. And regular data can become radioactive if it comes in contact with the confidential stuff. So to keep the contagion from spreading -- the liability plague, so to speak -- you’re better off keeping that confidential data in as few places and states as possible.

Your legal department will tell you that the less data you keep, the less is discoverable in a lawsuit. The less you store, the less can be deemed responsive to a public information act request. This is why some government agencies can have very short email retention policies, for example. And most of you already know that the fewer places you keep credit-card data, the fewer systems are in scope for PCI compliance. Overall, the less you have, the less you need to protect.

But it’s not just about storage or transmission; it’s about use. For the sake of privacy, applications should not collect or process any personally identifying information that they don’t have to. Sometimes architects want to add all sorts of things to the data model because "you never know if you might need it later." Or they’re going to import data that’s being used for a different purpose, and it’s too much trouble to reformat or strip out the parts they don’t need. That’s how you end up with Big Data, or perhaps Data Bloat (which is unintentional Big Data).

So security architects should be thinking not just about how to implement the principles of least privilege and separation of duties; they should also be thinking about overuse of data, and about cleaning up data after its use (or, at the very least, sanitizing it). Especially when it comes to data about people -- if you don’t need to know or discover something about an individual, then don’t. And don’t leave data laying around for someone to recombine later into radioactive material.

Where does this leave logs, you ask? Yes, the whole point of keeping logs is to have a history of what happened, be able to diagnose things after the fact, and so on. Compliance may require you to keep certain logs for certain periods of time. There’s not much you can do about any of that. But you can look at any other logging that’s going on -- particularly application logging, which might be writing all sorts of confidential information to make troubleshooting easier (including passwords!). Don’t send the logs all over the place; don’t share them where you don’t have to. Everything in a log should have a good reason for being there, and anything that uses the log data should be doing it for known purposes.

In other words, treat your log data as the valuable resource that it is, and make conservation part of your policies. Keep radioactive logs separate from nonradioactive ones. Know what liabilities you’re keeping along with your event data. Use only what you need. I’m not calling for a ban on plastic, but think green, sustainable syslog. And thank you for not littering.

Wendy Nather is Research Director of the Enterprise Security Practice at the independent analyst firm 451 Research. You can find her on Twitter as @451wendy.

Wendy Nather is Research Director of the Enterprise Security Practice at independent analyst firm 451 Research. With over 30 years of IT experience, she has worked both in financial services and in the public sector, both in the US and in Europe. Wendy's coverage areas ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-1637
Published: 2015-03-06
Schannel (aka Secure Channel) in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does not properly restrict TLS state transitions, which makes it easier for r...

CVE-2014-2130
Published: 2015-03-05
Cisco Secure Access Control Server (ACS) provides an unintentional administration web interface based on Apache Tomcat, which allows remote authenticated users to modify application files and configuration files, and consequently execute arbitrary code, by leveraging administrative privileges, aka B...

CVE-2014-9688
Published: 2015-03-05
Unspecified vulnerability in the Ninja Forms plugin before 2.8.10 for WordPress has unknown impact and remote attack vectors related to admin users.

CVE-2015-0598
Published: 2015-03-05
The RADIUS implementation in Cisco IOS and IOS XE allows remote attackers to cause a denial of service (device reload) via crafted IPv6 Attributes in Access-Accept packets, aka Bug IDs CSCur84322 and CSCur27693.

CVE-2015-0607
Published: 2015-03-05
The Authentication Proxy feature in Cisco IOS does not properly handle invalid AAA return codes from RADIUS and TACACS+ servers, which allows remote attackers to bypass authentication in opportunistic circumstances via a connection attempt that triggers an invalid code, as demonstrated by a connecti...

Dark Reading Radio
Archived Dark Reading Radio
How can security professionals better engage with their peers, both in person and online? In this Dark Reading Radio show, we will talk to leaders at some of the security industry’s professional organizations about how security pros can get more involved – with their colleagues in the same industry, with their peers in other industries, and with the IT security community as a whole.