Perimeter
1/30/2013
02:28 PM
Wendy Nather
Wendy Nather
Commentary
50%
50%

Going Green With Your Ones And Zeros

For better security, use less data

I know what you’re thinking. "This is the same person who wrote 'Log All The Things,' right?" And of course everyone wants to do so because of Big Data. But there’s another angle to logging and monitoring, along with the rest of your enterprise data, and that’s what I’m calling the "principle of least use."

Your confidential data is radioactive. It contaminates any container it touches, whether it’s a file, database, or server. You can’t always keep track of it; you don’t necessarily know for sure where it flows, who’s accessing it, or what it’s used for. And regular data can become radioactive if it comes in contact with the confidential stuff. So to keep the contagion from spreading -- the liability plague, so to speak -- you’re better off keeping that confidential data in as few places and states as possible.

Your legal department will tell you that the less data you keep, the less is discoverable in a lawsuit. The less you store, the less can be deemed responsive to a public information act request. This is why some government agencies can have very short email retention policies, for example. And most of you already know that the fewer places you keep credit-card data, the fewer systems are in scope for PCI compliance. Overall, the less you have, the less you need to protect.

But it’s not just about storage or transmission; it’s about use. For the sake of privacy, applications should not collect or process any personally identifying information that they don’t have to. Sometimes architects want to add all sorts of things to the data model because "you never know if you might need it later." Or they’re going to import data that’s being used for a different purpose, and it’s too much trouble to reformat or strip out the parts they don’t need. That’s how you end up with Big Data, or perhaps Data Bloat (which is unintentional Big Data).

So security architects should be thinking not just about how to implement the principles of least privilege and separation of duties; they should also be thinking about overuse of data, and about cleaning up data after its use (or, at the very least, sanitizing it). Especially when it comes to data about people -- if you don’t need to know or discover something about an individual, then don’t. And don’t leave data laying around for someone to recombine later into radioactive material.

Where does this leave logs, you ask? Yes, the whole point of keeping logs is to have a history of what happened, be able to diagnose things after the fact, and so on. Compliance may require you to keep certain logs for certain periods of time. There’s not much you can do about any of that. But you can look at any other logging that’s going on -- particularly application logging, which might be writing all sorts of confidential information to make troubleshooting easier (including passwords!). Don’t send the logs all over the place; don’t share them where you don’t have to. Everything in a log should have a good reason for being there, and anything that uses the log data should be doing it for known purposes.

In other words, treat your log data as the valuable resource that it is, and make conservation part of your policies. Keep radioactive logs separate from nonradioactive ones. Know what liabilities you’re keeping along with your event data. Use only what you need. I’m not calling for a ban on plastic, but think green, sustainable syslog. And thank you for not littering.

Wendy Nather is Research Director of the Enterprise Security Practice at the independent analyst firm 451 Research. You can find her on Twitter as @451wendy.

Wendy Nather is Research Director of the Enterprise Security Practice at independent analyst firm 451 Research. With over 30 years of IT experience, she has worked both in financial services and in the public sector, both in the US and in Europe. Wendy's coverage areas ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-1421
Published: 2014-11-25
mountall 1.54, as used in Ubuntu 14.10, does not properly handle the umask when using the mount utility, which allows local users to bypass intended access restrictions via unspecified vectors.

CVE-2014-3605
Published: 2014-11-25
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2014-6407. Reason: This candidate is a reservation duplicate of CVE-2014-6407. Notes: All CVE users should reference CVE-2014-6407 instead of this candidate. All references and descriptions in this candidate have been removed to pre...

CVE-2014-6093
Published: 2014-11-25
Cross-site scripting (XSS) vulnerability in IBM WebSphere Portal 7.0.x before 7.0.0.2 CF29, 8.0.x through 8.0.0.1 CF14, and 8.5.x before 8.5.0 CF02 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL.

CVE-2014-6196
Published: 2014-11-25
Cross-site scripting (XSS) vulnerability in IBM Web Experience Factory (WEF) 6.1.5 through 8.5.0.1, as used in WebSphere Dashboard Framework (WDF) and Lotus Widget Factory (LWF), allows remote attackers to inject arbitrary web script or HTML by leveraging a Dojo builder error in an unspecified WebSp...

CVE-2014-7247
Published: 2014-11-25
Unspecified vulnerability in JustSystems Ichitaro 2008 through 2011; Ichitaro Government 6, 7, 2008, 2009, and 2010; Ichitaro Pro; Ichitaro Pro 2; Ichitaro 2011 Sou; Ichitaro 2012 Shou; Ichitaro 2013 Gen; and Ichitaro 2014 Tetsu allows remote attackers to execute arbitrary code via a crafted file.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?