Sunday, November 9, 2008

Security, from a different angle?

When people talk about security and technology today, we usually assume they mean controlling who can see information. There are people who are entrusted with access to that information, and then there are people who are not. The type of information varies-- it could be financial, medical, or academic-- but the overall point is that access to it should be restricted.

All that is true, but it leaves out a piece.

Suppose you and eleven other people all have access to the same information. Any one of you can read or change that data at any time. One day you log in and find that a subset of the information has been reverted to its state from six months ago. You don't know which of the eleven other people made the change, you don't know why they made it, and you don't even know whether the change was intentional or (more likely) accidental.

All you know is that you didn't do it, and it happened further back in time than your backup plan will allow you to restore.

The sad truth is that some threats to data security come from "inside" your organization. It might be an incompetent server admin who accidentally overwrites your files with old data during a backup/restore operation. It might be a malicious co-worker who is pissed off because they got passed over for a promotion and wants to make someone else on the team look bad. It might even be a scenario beyond our collective ability to imagine (e.g. the technology visionary in your office decided it was time to do some spring cleaning in their home folder on the network-- except they were in the wrong folder).

There's a myth about security-- that you can build a bullet-proof solution and nothing bad will ever happen to your information. The question we should be asking is not "What will we do IF something happens to our data?" but "What will we do WHEN something happens to our data?"

Timely awareness is key to an effective response. You wouldn't wait until tomorrow to treat a gunshot wound. You shouldn't wait 24 hours to deal with a situation involving the corruption of your data. You need to be made aware of changes on an almost daily basis. In some cases, this is as easy as turning on auditing processes in your server's operating system.

In some cases, like a shared FTP directory on a remote web server, it becomes harder. But harder doesn't make it any less necessary. I'm working on a solution, involving WebDrive and WinDiff, that will let me get a recursive list of all the files and folders on our web server on a daily basis, dump them into a text file, and then compare it with the list from the previous day so I can see the deltas. I'm sure there are better tools out there for the task-- ones that lend themselves to more scripting and automation, for example-- but for the time being, I need to get this up and running with the tools I have rather than waste days trying to learn new tools and figure out how to get them working.

If this works the way I believe it will, I'll be able to see what files have been deleted, added or modified in the previous 24 hours. If I start seeing a spike in activity ("hmm, that's weird, someone deleted 300+ files yesterday . . . ") I can start investigating it right away, rather than finding out about it too late.
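The daily snapshot-and-compare routine described above, written out as an added example; this is not the post's WebDrive/WinDiff procedure and not a tool the author used. It assumes the web server's tree is reachable as a local path (a mapped drive, a mirrored copy, whatever you have) and that yesterday's snapshot is kept in a JSON file outside the watched tree. It goes one step past a plain name listing: each file is recorded with its size and a SHA-256 of its contents, so a file that was overwritten with an old copy (old timestamp and all) still shows up as modified. The `demo_delta` function builds a small constructed tree in a temp directory purely so the script can be run stand-alone.

```python
"""Daily file-tree snapshot and delta report.

Added example (not the blog post's own process). Records every folder and
file under a root; a later snapshot is diffed against it to list files
that were added, deleted or modified since the last run.
"""
import hashlib
import json
import os
import sys
import tempfile
from pathlib import Path

# Constructed threshold: the post's "someone deleted 300+ files" gut check.
SPIKE_THRESHOLD = 300


def snapshot(root):
    """Walk `root` recursively; return {relative_posix_path: (size, sha256)}.

    Folders are recorded as (-1, "") so a removed folder is reported too.
    Hashing contents (rather than trusting mtime) catches a file that was
    overwritten with an older copy whose timestamp is also old.
    """
    root = Path(root)
    entries = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root)
        for d in dirnames:
            entries[(rel_dir / d).as_posix()] = (-1, "")
        for f in filenames:
            p = Path(dirpath) / f
            digest = hashlib.sha256()
            with open(p, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            entries[(rel_dir / f).as_posix()] = (p.stat().st_size, digest.hexdigest())
    return entries


def save_snapshot(entries, path):
    """Persist a snapshot; keep this file OUTSIDE the tree being watched."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(entries, fh, sort_keys=True)


def load_snapshot(path):
    with open(path, encoding="utf-8") as fh:
        return {k: tuple(v) for k, v in json.load(fh).items()}


def diff_snapshots(old, new):
    """Return {'added': [...], 'deleted': [...], 'modified': [...]}."""
    old_keys, new_keys = set(old), set(new)
    return {
        "added": sorted(new_keys - old_keys),
        "deleted": sorted(old_keys - new_keys),
        "modified": sorted(p for p in old_keys & new_keys if old[p] != new[p]),
    }


def flag_spike(delta, threshold=SPIKE_THRESHOLD):
    """Categories whose count reached the threshold; worth investigating now."""
    return [kind for kind, paths in delta.items() if len(paths) >= threshold]


def format_report(delta):
    lines = []
    for kind in ("added", "deleted", "modified"):
        lines.append(f"{kind}: {len(delta[kind])}")
        lines.extend(f"  {kind[0].upper()} {p}" for p in delta[kind])
    return "\n".join(lines)


def demo_delta():
    """Constructed sample: two files, then one edit, one delete, one add."""
    root = Path(tempfile.mkdtemp(prefix="snapdemo_"))
    (root / "sub").mkdir()
    (root / "a.txt").write_text("one")
    (root / "sub" / "b.txt").write_text("two")
    before = snapshot(root)
    (root / "a.txt").write_text("ONE")          # modified
    (root / "sub" / "b.txt").unlink()           # deleted
    (root / "c.txt").write_text("three")        # added
    return diff_snapshots(before, snapshot(root))


if __name__ == "__main__":
    # Usage: python snapshot_diff.py <root> <state.json>
    if len(sys.argv) == 3:
        current = snapshot(sys.argv[1])
        if os.path.exists(sys.argv[2]):
            delta = diff_snapshots(load_snapshot(sys.argv[2]), current)
            print(format_report(delta))
            for kind in flag_spike(delta):
                print(f"!! spike: {len(delta[kind])} files {kind}")
        save_snapshot(current, sys.argv[2])
    else:
        print(format_report(demo_delta()))
```

Run it once a day from a scheduled task with the same state file each time; the first run only records a baseline. Because anyone with write access to the shared tree could also tamper with a snapshot stored inside it, the state file belongs somewhere only the reviewer can write, which is also what makes the report worth trusting when the responsible party won't own up.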

1 comment:

Jonah Chanticleer said...

Just ran my first test with the WebDrive/WinDiff combo process-- and got more results than I bargained for. The amount of raw data is overwhelming, but by toggling three or four options in WinDiff I can see any file that's been deleted, added or modified in the past 24 hours.

In some ways, it's too "Big Brother" for my personal comfort. But when someone is overwriting current files with old ones, and the responsible party refuses to own up to it, I don't see that I have many options left.