Data, data, who's got the data? Paul Groll, Deputy Information Officer, Department of Information Techno - PowerPoint PPT Presentation
1
Data, data, who's got the data?
Paul Groll
Deputy Information Officer
Department of Information Technology
State of Michigan
May 2003
2
Behind the scenes
  • The Uniting and Strengthening America by
    Providing Appropriate Tools Required to Intercept
    and Obstruct Terrorism Act (USA PATRIOT ACT)
  • New rules for search warrants
  • Federal jurisdiction
  • Gag orders
  • Business records

3
USA PATRIOT
  • applies to library circulation records, internet
    activity, and business records
  • many concepts analogous to phone taps
  • collision between the demands of the law and the
    ethics of privacy
  • much of the battleground is in the technical
    arena
  • best strategy: know this in advance, and prepare
    with well-reasoned policies

4
Today's Itinerary
  • Which data are we talking about?
  • (limited time and scope; not a political
    discussion)
  • Some background, definitions
  • Records and non-records
  • Where your data live
  • How your data travel
  • Cleaning up after your data
  • Where to go for more information

5
A needle in a stack of needles
  • Primary focus: PII
  • personally identifiable information
  • Officially recognized records
  • Record retention
  • Information Privacy
  • Information Security
  • Dealing with all that data

6
PII: what is it?
  • refers to information that identifies or can be
    used to identify, contact, or locate a specific
    person
  • direct PII: identifies an individual
  • name, address, phone numbers, email address, SSN,
    bank account, credit card
  • linked PII: cannot be used directly, but
    provides a link to direct PII
  • network login ID, IP address, chat handle

7
Non-PII
  • IP address (yes, on both lists: 198.108.0.0 vs.
    198.108.1.42)
  • gender
  • race
  • income level, educational level
  • age
  • job title
  • hobbies, interests, etc.

8
Information Privacy
  • Provide policies and rules describing various
    levels of use or disclosure of PII
  • Provide specific rules for internal use, staff
  • Provide and publish a policy for external use,
    public, what is shared, what can be shared, and
    how

9
Information Security
  • Policies and rules designed to prevent
    unauthorized access to PII, either for use or for
    disclosure (usually, technology)
  • Concepts of Due Diligence, Due Care
  • Security triad: Confidentiality, Integrity,
    Availability
  • Need to control who can see it, who can change
    it, who can use it, and when

10
PII and Records
  • What information is necessary to do business?
  • Keep only necessary information
  • How do you decide?
  • Compelling legal requirements
  • Standard audit requirements
  • Rational operational requirements (mailing lists,
    mandatory patron PII, reader-advisory data, hold
    lists, etc.)

11
PII and Records
  • Risk Assessment approach
  • Evaluate the potential benefit of keeping the
    data (access to information, statistics, etc.)
  • Evaluate the potential costs of disclosing the
    data (dollars, embarrassment, political, etc.)
  • Evaluate the costs of maintaining the records
    with proper privacy and security (due care)
  • Do the costs outweigh the benefits?
  • Develop a policy and stick to it

12
Retention of Records
  • Keep them how long?
  • Keep them where?
  • Keep them available to whom?
  • Many logistical issues: format, passwords
  • Develop a policy for retention
  • make sure it covers ALL your record types (tapes,
    logs)
  • publish it; make sure staff know about it
  • stick to it; routine handling is a key element

13
So, where are all these data?
  • Data on the Inside
  • Cache files in the OS: speed, convenience
  • Cookie files: webserver and database function
  • Cache filesystems in the LAN: speed
  • System backups - redundancy
  • File backups - failsafe
  • Sign-up sheets
  • Database or website logins

14
Internal data: logs ad nauseam
  • Pen register analogy (logging outbound)
  • typical log files include
  • system (common)
  • errors (common) (hardware)
  • security (common) (hardware)
  • websites (common)
  • history (often) (hardware)
  • email (common)
  • remote logs, printed logs, failsafe (rare)

15
External data: logs and cache
  • Data on the Outside
  • Trap and trace analogy (logging inbound)
  • website logs: Apache, IIS
  • email logs
  • in-line hosts, validators, accelerators
  • (e.g., RADIUS, Yahoo)
  • hardware in the backbone: routers, etc.
  • cache servers in the backbone (Squid)
  • mothers
  • children

16
Offsite, backups, tapes
  • Tapes in offsite storage
  • Tapes in transit
  • Tapes, any media in recovery
  • Security video tapes (often overlooked)
  • Stored where? Transported by whom?
  • Available to whom?
  • Destroyed, recycled? Do you know?
  • How often? Are they used elsewhere?

17
Data in motion: the endpoints
  • internet monitoring: staff, public, separate?
  • email monitoring, logging
  • pen register concept
  • violation logging: often automatic, default
  • often rule-based, not specific, unintended
  • error logging
  • often "just in case we need it"
  • no clear or specific purpose in advance

18
Cleaning up: purge or keep?
  • Purging: know the rules, know the data
  • cache
  • history
  • cookies
  • website logs: errors and access
  • configure logs to capture only the information
    necessary to do your business
  • maintain a written policy - what to purge, when
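Slide 7 puts the IP address on both the PII and non-PII lists (198.108.0.0 vs. 198.108.1.42), and this slide says to configure logs to capture only what the business needs. The following is an added example, not code from the talk: a Python filter that rewrites Apache-style access-log records before they are retained, truncating the client address to its network and dropping the login name, search query, referer and user-agent. The sample records, the prefix lengths and the choice of dropped fields are this example's own assumptions.

```python
import ipaddress
import re
from typing import List, Optional

# Constructed sample records in Apache "combined" log format (not from the talk).
SAMPLE_LINES = [
    '198.108.1.42 - jdoe [12/May/2003:10:15:32 -0400] '
    '"GET /catalog/search?q=gravity HTTP/1.1" 200 5123 '
    '"http://www.example.org/" "Mozilla/4.0 (compatible)"',
    '2001:db8:abcd:1234::42 - - [12/May/2003:10:16:01 -0400] '
    '"GET /index.html HTTP/1.1" 304 0 "-" "Mozilla/5.0"',
    'this line is not an access-log record',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?$'
)

def mask_ip(ip: str, v4_prefix: int = 16, v6_prefix: int = 32) -> str:
    """Keep only the network part: 198.108.1.42 (one host, linked PII)
    becomes 198.108.0.0 (a network, non-PII). Prefix lengths are assumed."""
    addr = ipaddress.ip_address(ip)  # ValueError on malformed input
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)

def minimize_line(line: str) -> Optional[str]:
    """Reduce one record to what operations needs: masked network, timestamp,
    method/path/protocol, status, size. Drops login name, query string
    (search terms), referer and user-agent. Returns None if unparsable."""
    m = LOG_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    try:
        net = mask_ip(m["ip"])
    except ValueError:
        return None
    parts = m["req"].split(" ")
    if len(parts) >= 2:
        parts[1] = parts[1].split("?", 1)[0]  # strip the query string
    req = " ".join(parts)
    return f'{net} - - [{m["ts"]}] "{req}" {m["status"]} {m["size"]}'

def minimize_log(lines: List[str]) -> List[str]:
    """Rewrite a whole log; records that do not parse are not retained."""
    return [r for r in map(minimize_line, lines) if r is not None]
```

Run the filter at log-rotation time, before the rotated file reaches backup tapes, so the retained copy never holds the host-level address or the search terms.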

19
Cleaning up: more than bits and bytes
  • Sign-up sheets
  • develop a written policy for retention
  • maintain a written schedule for destruction
  • stick to the schedule
  • make this someone's job (don't wonder)
  • Login screens, data entry, etc.
  • use secured methods (e.g., SSL, etc.)
  • address this in your retention policy

20
Cleaning up our internal data
  • Automated cleanup: purge transient data
  • policy configurations in Windows
  • 3rd party tools, techniques (HistoryKill, et
    al.)
  • Refreshing local images: complete erasure
  • Ghost, ImageCast, TrueImage
  • scheduled, automated
  • Alternatives to desktops
  • Citrix, thin-clients, etc.

21
Cleaning up our internal data
  • Gone, but not forgotten?
  • there's Deleted, then there's DELETED
  • filesystem scrubbers (BCWipe, et al.)
  • deleted space, empty space, all space
  • Degaussing, complete media erasure
  • one huge magnet
  • Mil Spec, media destruction
  • one big hammer

22
Cleaning up external data
  • Limit exposure
  • firewalls: control what gets out
  • SSL: encrypt traffic either-bound
  • NAT: Network Address Translation
  • review ISP policies
  • what do they log?
  • what do they retain?
  • what is their retention policy?
  • what is their disclosure policy?

23
Cleaning up: moving data
  • Use SSL techniques (Secure Sockets Layer)
  • SSL vs. in the clear
  • creates an encrypted tunnel through the
    internet, connects the client desktop to the
    webserver (other alternatives exist)
  • Example: login / password
  • in the clear: isaac.newton / gravityRules
  • over SSL: 9UrT8m25v / k31hG8cA5x7

24
Cleaning up: moving data
  • Do NOT handle transit PII without SSL
  • Few other viable public alternatives
  • other methods use login ID, password, etc.
  • Eavesdropping, sniffing
  • violates the C in the security CIA triad
  • This is a passive attack method; it does not
    require a break-in
  • Example: https://www.mel.org/accessmich/

25
(No Transcript)
26
Mozilla says
27
(No Transcript)
28
(No Transcript)
29
Dealing with meatSpace
  • Develop and require specific Non-Disclosure and
    Confidentiality Agreements for any non-employees
    involved with your sensitive data
  • vendors, contractors, consultants
  • temps, volunteers
  • tape handler, driver, tape storage facility
  • data recovery agents, hot site staff, etc.
  • Limit staff to appropriate access, too

30
Vermont bookseller Bear Pond Books has announced that they will purge their sales records at the request of customers. This would effectively sidestep a typically insidious provision of the USA PATRIOT Act, which allows government agencies to secretly seize sales records. "When the CIA comes and asks what you've read because they're suspicious of you, we can't tell them because we don't have it," store co-owner Michael Katzenberg said. "That's just a basic right, to be able to read what you want without fear that somebody is looking over your shoulder to see what you're reading." - slashdot.org
31
Where to go for more
  • The USA PATRIOT Act and Patron Privacy on Library
    Internet Terminals - by Mary Minow -
    http://www.llrx.com/features/usapatriotact.htm
  • ALA, FBI in Your Library -
    http://www.ala.org/alaorg/oif/fbiinyourlibrary.html
  • Sample policies, writings on privacy -
    http://www.librarylaw.com/Privacy
  • State Library Associations' Resolutions -
    http://www.ala.org/Content/NavigationMenu/Our_Association/Offices/Intellectual_Freedom3/IF_Groups_and_Committees/State_IFC_Chairs/State_IFC_in_Action/USA_Patriot_Act_Resolutions.htm

32
Quick Summary Sheet
  • Retain only the data you actually need and use
  • Limit the amount, type, and volume of PII you
    retain
  • Develop and publish a written retention policy to
    address this
  • Learn where the hidden data reside in your
    desktops, servers, networks, and other systems
  • Learn how to purge unwanted data to comply with
    your retention policy
  • Use permanent deletion tools to delete
    permanently
  • Use SSL to protect sensitive traffic from
    eavesdroppers
  • Make data maintenance a routine part of someone's
    job

33
Follow-up?
Call or email, any time. I welcome your questions and comments.
(Some of my PII:)
Paul Groll - MS, CCSE, CISSP
Department of Information Technology, State of Michigan
GROLL_at_Michigan.Gov
517-373-9578