Perimeter
1/30/2013
02:28 PM
Wendy Nather
Wendy Nather
Commentary
Connect Directly
RSS
E-Mail
50%
50%
Repost This

Going Green With Your Ones And Zeros

For better security, use less data

I know what you’re thinking. "This is the same person who wrote 'Log All The Things,' right?" And of course everyone wants to do so because of Big Data. But there’s another angle to logging and monitoring, along with the rest of your enterprise data, and that’s what I’m calling the "principle of least use."

Your confidential data is radioactive. It contaminates any container it touches, whether it’s a file, database, or server. You can’t always keep track of it; you don’t necessarily know for sure where it flows, who’s accessing it, or what it’s used for. And regular data can become radioactive if it comes in contact with the confidential stuff. So to keep the contagion from spreading -- the liability plague, so to speak -- you’re better off keeping that confidential data in as few places and states as possible.

Your legal department will tell you that the less data you keep, the less is discoverable in a lawsuit. The less you store, the less can be deemed responsive to a public information act request. This is why some government agencies can have very short email retention policies, for example. And most of you already know that the fewer places you keep credit-card data, the fewer systems are in scope for PCI compliance. Overall, the less you have, the less you need to protect.

But it’s not just about storage or transmission; it’s about use. For the sake of privacy, applications should not collect or process any personally identifying information that they don’t have to. Sometimes architects want to add all sorts of things to the data model because "you never know if you might need it later." Or they’re going to import data that’s being used for a different purpose, and it’s too much trouble to reformat or strip out the parts they don’t need. That’s how you end up with Big Data, or perhaps Data Bloat (which is unintentional Big Data).

So security architects should be thinking not just about how to implement the principles of least privilege and separation of duties; they should also be thinking about overuse of data, and about cleaning up data after its use (or, at the very least, sanitizing it). Especially when it comes to data about people -- if you don’t need to know or discover something about an individual, then don’t. And don’t leave data laying around for someone to recombine later into radioactive material.

Where does this leave logs, you ask? Yes, the whole point of keeping logs is to have a history of what happened, be able to diagnose things after the fact, and so on. Compliance may require you to keep certain logs for certain periods of time. There’s not much you can do about any of that. But you can look at any other logging that’s going on -- particularly application logging, which might be writing all sorts of confidential information to make troubleshooting easier (including passwords!). Don’t send the logs all over the place; don’t share them where you don’t have to. Everything in a log should have a good reason for being there, and anything that uses the log data should be doing it for known purposes.

In other words, treat your log data as the valuable resource that it is, and make conservation part of your policies. Keep radioactive logs separate from nonradioactive ones. Know what liabilities you’re keeping along with your event data. Use only what you need. I’m not calling for a ban on plastic, but think green, sustainable syslog. And thank you for not littering.

Wendy Nather is Research Director of the Enterprise Security Practice at the independent analyst firm 451 Research. You can find her on Twitter as @451wendy.

Wendy Nather is Research Director of the Enterprise Security Practice at independent analyst firm 451 Research. With over 30 years of IT experience, she has worked both in financial services and in the public sector, both in the US and in Europe. Wendy's coverage areas ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Latest Comment: LOL.
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2011-3154
Published: 2014-04-17
DistUpgrade/DistUpgradeViewKDE.py in Update Manager before 1:0.87.31.1, 1:0.134.x before 1:0.134.11.1, 1:0.142.x before 1:0.142.23.1, 1:0.150.x before 1:0.150.5.1, and 1:0.152.x before 1:0.152.25.5 does not properly create temporary files, which allows local users to obtain the XAUTHORITY file conte...

CVE-2013-2143
Published: 2014-04-17
The users controller in Katello 1.5.0-14 and earlier, and Red Hat Satellite, does not check authorization for the update_roles action, which allows remote authenticated users to gain privileges by setting a user account to an administrator account.

CVE-2014-0036
Published: 2014-04-17
The rbovirt gem before 0.0.24 for Ruby uses the rest-client gem with SSL verification disabled, which allows remote attackers to conduct man-in-the-middle attacks via unspecified vectors.

CVE-2014-0054
Published: 2014-04-17
The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External ...

CVE-2014-0071
Published: 2014-04-17
PackStack in Red Hat OpenStack 4.0 does not enforce the default security groups when deployed to Neutron, which allows remote attackers to bypass intended access restrictions and make unauthorized connections.

Best of the Web