Top Ten Data Threats and How to Guard Against Them: Weak Audit Trails
Here at Futurex, we know a thing or two about data security. Most importantly, we understand that critical data is at the heart of any organization and protecting these assets from being compromised is essential. 2016 will bring new data threats to companies and businesses, and Futurex wants to help protect the health of your organization. Over the coming months we will present our own list of Top Ten Data Threats across the Globe and will offer solutions for organizations looking to bolster their data security infrastructure.
“In God we trust. All others bring data.” William Edwards Deming, American engineer, statistician, and professor, speaks right to the heart of auditors with his witty statement. Audits are a part of every business, every organization, and every industry. Audit trails help protect the secure, safe flow of data. By consequence, a weak audit trail poses a huge threat to organizations.
As Deming insinuates, audit trails exist partially to encourage individual accountability in sensitive environments. Anonymity makes people brave (in a way organizations do not want). If something were to be stolen or compromised, detailed audit trails provide the who/what/when/where/how needed to catch the culprit. Audit trails also function as a type of technical control. System audits can help identify system performance issues. Application audit trails can find flaws in applications. Administrators can monitor device health and resources. Basically, audits and audit trails keep system vitals in check and make sure nothing fishy is going on. Specific industries have additional audit requirements.
The following are major audit requirements and laws by industry:
- PCI-DSS—Payment Card Industry Data Security Standard—Retail Industry - Any organization which processes payment cards, of any type, must track and monitor all access to network resources and cardholder data, through logging mechanisms.
- HIPAA—Healthcare Information Portability and Accountability Act—Healthcare Industry - Organizations in the healthcare industry must back up and retain patient records for an extended period of time, and must monitor access to patient records. Section §164.308(a)(1)(ii)(D) of HIPAA also states that they must “implement procedures to regularly review records of information system activity, such as audit logs, access reports and security incident tracking reports”.*
- Sarbanes-Oxley Act of 2002—Financial Industry - This act holds publicly held companies and accounting firms to strict standards with regard to data storage, access, and retrieval. Corporate management becomes responsible for financial reports, and the act requires a management assessment of internal controls (such as logging and auditing of network activity, database activity, login activity, user activity, and information access).
- UK Data Protection Act of 1998—Consumer Privacy - In order to protect personal data, ensure its accuracy, and safeguard against unlawful processing, the United Kingdom requires “appropriate technical and organizational measures [to be] taken against accidental loss or destruction of, or damage to, personal data.”* Audits and logs are among the measures being referenced.
With so many laws and requirements in place to audit system access and technical environments, why is there still uncertainty? Why can law enforcement not immediately identify the villain in instances of breached data? Why are phrases such as “x number of people may have been compromised, x information might have been breached” still common today? The answer, in part, is weak audit trails.
Organizations that operate multiple HSMs, own large data centers, or have data centers dispersed throughout the world may find it difficult to establish an audit routine that meets compliance requirements, is granular, and is easily accessible. Our developers and engineers think like you. Are audits necessary? Yes. Are they fun? No. Can we engineer devices which make this routine more efficient and secure? Absolutely, yes!
The Futurex Guardian9000 fulfills compliance requirements from one central location. Firmware updates and log audits, two items which typically take days to perform at organizations with multiple cryptographic devices spread across multiple data centers, can be performed from one centrally located device. Authenticated system logs for all connected devices are stored in a central repository, meaning that you immediately know who accessed which device, as soon as they access it. To meet HIPAA requirements, hospitals and other healthcare practitioners can utilize the SAS9000, a secure, high-volume data storage HSM. It provides detailed audit records and the ability to generate customized reports. It easily manages internal and external audits while maintaining complete, authenticated audit log files of all activity and access. Integrated replication and mirroring capabilities ensure that automatic backups can be kept within the device, with user-definable parameters for additional functionality. Data storage and logging are thus performed on FIPS 140-2 Level 3-compliant technology.
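To make concrete what “authenticated” audit log files buy a defender, here is an added example of a hash-chained, HMAC-tagged audit log. It is illustration code written for this article, not Futurex code, and it does not describe how the Guardian9000 or SAS9000 store their logs internally. Each entry records the who/what/when/where/how discussed above, and its tag covers both the entry and the previous entry's tag, so any after-the-fact edit, deletion, or reordering shows up when the chain is verified. The key, the field names, and the sample events are constructed for the example.

```python
"""Tamper-evident audit log: each record is chained to its predecessor with an HMAC.

Illustrative example only; the field layout, the key, and the sample events are
constructed for this demonstration and do not describe any particular product.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Constructed demo key. A real deployment keeps this inside an HSM or other
# protected store so that whoever can write log entries cannot also forge tags.
AUDIT_KEY = b"demo-audit-key-not-for-production"

# Tag of the (empty) record before the first one; anchors the chain.
GENESIS_TAG = "0" * 64


def _canonical(record: dict) -> bytes:
    """Serialize a record deterministically so writer and verifier hash identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def append_event(log: List[dict], who: str, what: str, where: str, how: str,
                 when: Optional[str] = None) -> dict:
    """Append a who/what/when/where/how entry whose tag covers the entry and the previous tag."""
    prev_tag = log[-1]["tag"] if log else GENESIS_TAG
    record = {
        "seq": len(log),
        "when": when or datetime.now(timezone.utc).isoformat(),
        "who": who,
        "what": what,
        "where": where,
        "how": how,
        "prev": prev_tag,
    }
    tag = hmac.new(AUDIT_KEY, _canonical(record), hashlib.sha256).hexdigest()
    log.append({**record, "tag": tag})
    return log[-1]


def verify_log(log: List[dict]) -> Tuple[bool, Optional[int]]:
    """Walk the chain; return (True, None) if intact, else (False, index of first bad entry).

    Catches edited fields (tag mismatch) and deleted or reordered entries (seq/prev
    mismatch). Truncation of the tail is not visible to the chain alone; compare the
    last tag against a copy stored outside the log to catch that.
    """
    expected_prev = GENESIS_TAG
    for i, entry in enumerate(log):
        record = {k: v for k, v in entry.items() if k != "tag"}
        if record.get("seq") != i or record.get("prev") != expected_prev:
            return False, i
        recomputed = hmac.new(AUDIT_KEY, _canonical(record), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(recomputed, entry["tag"]):
            return False, i
        expected_prev = entry["tag"]
    return True, None


def build_sample_log() -> List[dict]:
    """Constructed sample: three administrative events on two devices."""
    log: List[dict] = []
    append_event(log, "alice", "firmware-update", "hsm-01", "console", "2016-01-04T09:15:00+00:00")
    append_event(log, "bob", "key-export", "hsm-02", "remote-api", "2016-01-04T09:17:30+00:00")
    append_event(log, "alice", "log-review", "hsm-01", "console", "2016-01-04T10:02:11+00:00")
    return log


def edited_copy(log: List[dict]) -> List[dict]:
    """Constructed scenario: someone rewrites the actor on entry 1 without the key."""
    copy = [dict(e) for e in log]
    copy[1]["who"] = "someone-else"   # the stored tag no longer matches the record
    return copy


def deleted_copy(log: List[dict]) -> List[dict]:
    """Constructed scenario: the middle entry is removed; seq/prev links expose the gap."""
    return [log[0], log[2]]


if __name__ == "__main__":
    sample = build_sample_log()
    print("intact: ", verify_log(sample))          # (True, None)
    print("edited: ", verify_log(edited_copy(sample)))   # (False, 1)
    print("deleted:", verify_log(deleted_copy(sample)))  # (False, 1)
```

Two design points matter in practice. The key that produces the tags must live somewhere the log writers cannot read (an HSM is the natural place), otherwise anyone who can append can also re-tag a rewritten history. And because the chain cannot see that its own tail has been cut off, the latest tag should be periodically copied to a separate store, or to the central repository the article describes, so that a truncated log can be compared against it.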
For questions or advice about strengthening your audit trail, contact a Futurex Solutions Architect—and stay tuned for our next installment of Top Ten Data Threats across the Globe.