Perimeter
1/30/2013
02:28 PM
Wendy Nather
Wendy Nather
Commentary
Connect Directly
RSS
E-Mail
50%
50%

Going Green With Your Ones And Zeros

For better security, use less data

I know what you’re thinking. "This is the same person who wrote 'Log All The Things,' right?" And of course everyone wants to do so because of Big Data. But there’s another angle to logging and monitoring, along with the rest of your enterprise data, and that’s what I’m calling the "principle of least use."

Your confidential data is radioactive. It contaminates any container it touches, whether it’s a file, database, or server. You can’t always keep track of it; you don’t necessarily know for sure where it flows, who’s accessing it, or what it’s used for. And regular data can become radioactive if it comes in contact with the confidential stuff. So to keep the contagion from spreading -- the liability plague, so to speak -- you’re better off keeping that confidential data in as few places and states as possible.

Your legal department will tell you that the less data you keep, the less is discoverable in a lawsuit. The less you store, the less can be deemed responsive to a public information act request. This is why some government agencies can have very short email retention policies, for example. And most of you already know that the fewer places you keep credit-card data, the fewer systems are in scope for PCI compliance. Overall, the less you have, the less you need to protect.

But it’s not just about storage or transmission; it’s about use. For the sake of privacy, applications should not collect or process any personally identifying information that they don’t have to. Sometimes architects want to add all sorts of things to the data model because "you never know if you might need it later." Or they’re going to import data that’s being used for a different purpose, and it’s too much trouble to reformat or strip out the parts they don’t need. That’s how you end up with Big Data, or perhaps Data Bloat (which is unintentional Big Data).

So security architects should be thinking not just about how to implement the principles of least privilege and separation of duties; they should also be thinking about overuse of data, and about cleaning up data after its use (or, at the very least, sanitizing it). Especially when it comes to data about people -- if you don’t need to know or discover something about an individual, then don’t. And don’t leave data laying around for someone to recombine later into radioactive material.

Where does this leave logs, you ask? Yes, the whole point of keeping logs is to have a history of what happened, be able to diagnose things after the fact, and so on. Compliance may require you to keep certain logs for certain periods of time. There’s not much you can do about any of that. But you can look at any other logging that’s going on -- particularly application logging, which might be writing all sorts of confidential information to make troubleshooting easier (including passwords!). Don’t send the logs all over the place; don’t share them where you don’t have to. Everything in a log should have a good reason for being there, and anything that uses the log data should be doing it for known purposes.

In other words, treat your log data as the valuable resource that it is, and make conservation part of your policies. Keep radioactive logs separate from nonradioactive ones. Know what liabilities you’re keeping along with your event data. Use only what you need. I’m not calling for a ban on plastic, but think green, sustainable syslog. And thank you for not littering.

Wendy Nather is Research Director of the Enterprise Security Practice at the independent analyst firm 451 Research. You can find her on Twitter as @451wendy.

Wendy Nather is Research Director of the Enterprise Security Practice at independent analyst firm 451 Research. With over 30 years of IT experience, she has worked both in financial services and in the public sector, both in the US and in Europe. Wendy's coverage areas ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-5700
Published: 2014-09-22
Multiple cross-site scripting (XSS) vulnerabilities in Baby Gekko before 1.2.2f allow remote attackers to inject arbitrary web script or HTML via the (1) id parameter to admin/index.php or the (2) username or (3) password parameter in blocks/loginbox/loginbox.template.php to index.php. NOTE: some o...

CVE-2014-0484
Published: 2014-09-22
The Debian acpi-support package before 0.140-5+deb7u3 allows local users to gain privileges via vectors related to the "user's environment."

CVE-2014-2942
Published: 2014-09-22
Cobham Aviator 700D and 700E satellite terminals use an improper algorithm for PIN codes, which makes it easier for attackers to obtain a privileged terminal session by calculating the superuser code, and then leveraging physical access or terminal access to enter this code.

CVE-2014-3595
Published: 2014-09-22
Cross-site scripting (XSS) vulnerability in spacewalk-java 1.2.39, 1.7.54, and 2.0.2 in Spacewalk and Red Hat Network (RHN) Satellite 5.4 through 5.6 allows remote attackers to inject arbitrary web script or HTML via a crafted request that is not properly handled when logging.

CVE-2014-3635
Published: 2014-09-22
Off-by-one error in D-Bus 1.3.0 through 1.6.x before 1.6.24 and 1.8.x before 1.8.8, when running on a 64-bit system and the max_message_unix_fds limit is set to an odd number, allows remote attackers to cause a denial of service (dbus-daemon crash) or possibly execute arbitrary code by sending one m...

Best of the Web
Dark Reading Radio