Have you shopped at a Target store during the last holiday season? Have you called or e-mailed your Valentine lately? Have you seen a doctor during this especially nasty flu season? If you’ve been involved in any of these activities or a myriad of other activities where you imparted some of your most sensitive personal data (financial, personal or health information) to a third-party or through a third-party network, then you have put your sensitive personal information at risk. And, it may have been stolen or compromised without your knowledge.
We all make tradeoffs between personal convenience and privacy. And, if you’re like me, you’ll likely continue to do so. But, I want to extend the conversation beyond your personal, sensitive information to the sensitive information entrusted to you or your company.
Greg Wheeler covered the ways OnBase can simplify authentication with your own directory services in a two-part article. Authentication is a vitally important aspect of any sound security framework. It is a vital component to ensuring sensitive systems and the sensitive data within those systems are available only to those who are authorized to access them.
Good authentication can be sufficient in systems which are closed or shut off from the rest of the world. However, during the course of everyday business we access and use systems which rely on interconnectivity and the exchange of information. The Internet and wide area networks built to connect our extended offices are much like our interstate highway systems. Stolen vehicles travel down the thousands of miles of interstate highways just as well as the family minivan. Try to use a roadblock to catch the stolen vehicle and the car thief gets smart and bypasses the interstate system and begins taking secondary roads.
Good authentication, network firewalls and encrypted data connections decrease the likelihood of casual data leakage and loss for data in transit. However, once data is in motion and traversing networks, it will likely stay in motion.
Controlling access to and protecting data has been a well understood problem for as long as secrets have been around. The Kama Sutra recommended using cryptography to communicate with your loved one. If it was a good practice to secure sensitive thoughts about one’s romantic life over 2400 years ago (the Kama Sutra was written around 400 BC) when communication was all in the physical form, then we must take more vigilant action now to secure the bits and bytes of today’s communications.
If Target Corporation would have taken the advice of the Kama Sutra and encrypted credit card numbers once they were read, the largest data breach in retail history wouldn’t have happened. Even the alleged malware used by the hackers who stole the credit card information provided an option to encrypt the stolen credit card information.
Target’s data breach and the leaking of sensitive information by Edward Snowden had at least two things in common. Both were enabled directly or indirectly by a trusted connection to a private network. And, both could have been largely prevented with proper use of encryption.
One of our founding fathers, Benjamin Franklin, once said, “Distrust and caution are the parents of security.” All strong security frameworks should operate with a slight level of distrust of each individual and system which has access to your organization’s sensitive data. When you presume your sensitive information is safe if it can only be accessed by authenticated individuals, you only need to look at Edward Snowden to see the flaw in that approach.
Exercising caution in the design of your system means assuming some of the people and systems who access your data may have ulterior motives. Caution requires protecting the data at rest, so even if it is removed from your control, it is unreadable and meaningless. This is the purpose and value of encrypting data at rest.
Sensitive information in OnBase typically exists as keyword or metadata values (such as Social Security Numbers, Credit Card Numbers, etc.) stored in the OnBase database or as documents containing sensitive information (such as contracts, receipts, agreements, health records, etc.) stored in the OnBase Diskgroups. Diskgroups refer to the locations on your SAN, NAS, network drives, etc. that OnBase uses to store files.
OnBase provides solutions for encrypting sensitive information stored as Keywords or in the OnBase Disk Groups. Both options are a key component of compliance with the Payment Card Industry (PCI) Data Security Standard and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulations.
In addition to encrypting data stored in the database tables, the Encrypted Alpha Keywords tool can also mask values even for users with authorized access. The Encrypted Diskgroups offering from Hyland, ensures OnBase documents can only be decrypted and read when using the OnBase system that created and stored the original document. This ensures access to sensitive data is controlled using settings configured and managed within OnBase.
As our world continually becomes more and more data driven, it is not possible, nor practical to completely block access to sensitive information. For this reason, organizations must secure data to ensure access is tightly controlled to just the data necessary to complete a particular task. Smart use of encryption technology enables organizations to restrict access to large amounts of data while not impacting productivity. Any organization using OnBase to store sensitive information should explore the available encryption options.
Feel free to reach out to me with your OnBase security concerns or questions.