Title: Data, data, who's got the data?
1. Data, data, who's got the data?
Paul Groll, Deputy Information Officer
Department of Information Technology, State of Michigan
May 2003
2. Behind the scenes
- The Uniting and Strengthening America by
Providing Appropriate Tools Required to Intercept
and Obstruct Terrorism Act (USA PATRIOT ACT)
- New rules for search warrants
- Federal jurisdiction
- Gag orders
- Business records
3. USA PATRIOT
- applies to library circulation records, internet
activity, and business records
- many concepts analogous to phone taps
- collision between the demands of the law and the
ethics of privacy
- much of the battleground is in the technical
arena
- best strategy: know this in advance, and prepare with well-reasoned policies
4. Today's Itinerary
- Which data are we talking about?
  - (limited time, scope; not a political discussion)
- Some background, definitions
- Records and non-records
- Where your data live
- How your data travel
- Cleaning up after your data
- Where to go for more information
5. A needle in a stack of needles
- Primary focus: PII
  - personally identifiable information
- Officially recognized records
- Record retention
- Information Privacy
- Information Security
- Dealing with all that data
6. PII: what is it?
- refers to information that identifies or can be used to identify, contact, or locate a specific person
- direct PII: identifies an individual
  - name, address, phone numbers, email address, SSN, bank account, credit card
- linked PII: cannot be used directly, but provides a link to direct PII
  - network login ID, IP address, chat handle
7. Non-PII
- IP address (yes, on both lists: 198.108.0.0 vs. 198.108.1.42)
- gender
- race
- income level, educational level
- age
- job title
- hobbies, interests, etc.
8. Information Privacy
- Provide policies and rules describing various
levels of use or disclosure of PII
- Provide specific rules for internal use, staff
- Provide and publish a policy for external use (the public): what is shared, what can be shared, and how
9. Information Security
- Policies and rules designed to prevent
unauthorized access to PII, either for use or for
disclosure (usually, technology)
- Concepts of Due Diligence and Due Care
- Security Triad: Confidentiality, Integrity, Availability
- Need to control who can see it, who can change
it, who can use it, and when
10. PII and Records
- What information is necessary to do business?
- Keep only necessary information
- How do you decide?
- Compelling Legal requirements
- Standard Audit requirements
- Rational operational requirements (mailing lists,
mandatory patron PII, reader-advisory data, hold
lists, etc.)
11. PII and Records
- Risk Assessment approach
- Evaluate the potential benefit of keeping the
data (access to information, statistics, etc.)
- Evaluate the potential costs of disclosing the
data (dollars, embarrassment, political, etc.)
- Evaluate the costs of maintaining the records
with proper privacy and security (due care)
- Do the costs outweigh the benefits?
- Develop a policy and stick to it
12. Retention of Records
- Keep them how long?
- Keep them where?
- Keep them available to whom?
- Many logistical issues: format, passwords
- Develop a policy for retention
  - make sure it covers ALL your record types (tapes, logs)
  - publish it; make sure staff know about it
  - stick to it; routine handling is a key element
13. So, where are all these data?
- Data on the Inside
  - Cache files in the OS: speed, convenience
  - Cookie files: webserver and database function
  - Cache filesystems in the LAN: speed
- System backups - redundancy
- File backups - failsafe
- Sign-up sheets
- Database or website logins
14. Internal data: logs ad nauseam
- Pen register analogy (logging outbound)
- typical log files include
  - system (common)
  - errors (common) (+ hardware)
  - security (common) (+ hardware)
  - websites (common)
  - history (often) (+ hardware)
  - email (common)
  - remote logs, printed logs, failsafe (rare)
15. External data: logs and cache
- Data on the Outside
- Trap and trace analogy (logging inbound)
  - website logs: Apache, IIS
  - email logs
  - in-line hosts, validators, accelerators (e.g., RADIUS, Yahoo)
  - hardware in the backbone: routers, etc.
  - cache servers in the backbone (Squid)
    - mothers
    - children
16. Offsite, backups, tapes
- Tapes in offsite storage
- Tapes in transit
- Tapes, any media in recovery
- Security video tapes (often overlooked)
- Stored where? Transported by whom?
- Available to whom?
- Destroyed, recycled? Do you know?
- How often? Are they used elsewhere?
17. Data in motion: the endpoints
- internet monitoring: staff, public, separate?
- email monitoring, logging
  - pen register concept
- violation logging: often automatic, by default
  - often rule-based, not specific, unintended
- error logging
  - often "just in case we need it"
  - no clear or specific purpose in advance
18. Cleaning up: purge or keep?
- Purging: know the rules, know the data
  - cache
  - history
  - cookies
  - website logs: errors and access
- configure logs to capture only the information necessary to do your business
- maintain a written policy: what to purge, when
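As an added illustration (not from the slides), the following Python applies the points from slides 7, 12 and 18 to a constructed Apache common-log excerpt: host addresses are generalized to their network (198.108.1.42 becomes 198.108.0.0, the non-PII form from slide 7), the authenticated user name and query string are dropped, and entries older than the written retention period are purged rather than kept "just in case". The log lines, the 30-day period and the "today" date are constructed assumptions.

```python
from __future__ import annotations
import ipaddress
import re
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Constructed sample Apache common-log lines (not real traffic).
SAMPLE_LOG = """\
198.108.1.42 - isaac.newton [01/May/2003:10:15:32 -0400] "GET /catalog/search?author=orwell HTTP/1.0" 200 5123
198.108.7.9 - - [02/May/2003:11:02:07 -0400] "GET /index.html HTTP/1.0" 200 812
10.0.0.5 - - [15/May/2003:09:00:00 -0400] "GET /hours.html HTTP/1.0" 200 302
"""
# Constructed "today" used for the retention check.
NOW = datetime(2003, 5, 20, tzinfo=timezone.utc)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)$'
)


def generalize_ip(ip: str, prefix: int = 16) -> str:
    """Keep only the network part: 198.108.1.42 -> 198.108.0.0, i.e. the
    non-PII address form instead of the host address that links to a person."""
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)


def minimize_line(line: str) -> Optional[str]:
    """Rewrite one access-log line so it carries only what the business needs."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m["path"].split("?", 1)[0]  # query strings carry reader-advisory data
    # The authenticated user name (direct PII) is replaced by "-".
    return (f'{generalize_ip(m["ip"])} - - [{m["ts"]}] '
            f'"{m["method"]} {path} {m["proto"]}" {m["status"]} {m["size"]}')


def apply_policy(log_text: str, now: datetime = NOW, keep_days: int = 30) -> List[str]:
    """Return the minimized lines still inside the retention window.
    Expired and unparseable lines are dropped, not kept 'just in case'."""
    cutoff = now - timedelta(days=keep_days)
    kept: List[str] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue
        stamp = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if stamp < cutoff:
            continue
        kept.append(minimize_line(line))
    return kept
```

Run it as a scheduled job over the rotated log and you get the "routine handling" slide 12 calls for, with the minimized output being the only copy retained.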
19. Cleaning up: more than bits and bytes
- Sign-up sheets
  - develop a written policy for retention
  - maintain a written schedule for destruction
  - stick to the schedule
  - make this someone's job (don't wonder)
- Login screens, data entry, etc.
  - use secured methods (e.g., SSL, etc.)
  - address this in your retention policy
20. Cleaning up our internal data
- Automated cleanup: purge transient data
  - policy configurations in Windows
  - 3rd party tools, techniques (HistoryKill, et al.)
- Refreshing local images: complete erasure
  - Ghost, ImageCast, TrueImage
  - scheduled, automated
- Alternatives to desktops
  - Citrix, thin-clients, etc.
21. Cleaning up our internal data
- Gone, but not forgotten?
  - there's Deleted, then there's DELETED
- filesystem scrubbers (BCWipe, et al.)
  - deleted space, empty space, all space
- Degaussing: complete media erasure
  - one huge magnet
- Mil-spec media destruction
  - one big hammer
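To make the "Deleted vs. DELETED" distinction concrete, here is an added Python illustration (not BCWipe or any tool named on the slide) of what a file scrubber does that a plain delete does not: the allocated bytes are overwritten and synced to disk before the name is unlinked. The sample content and the temp file are constructed; the platform caveat in the docstring is an assumption about modern storage, not a claim from the slides.

```python
import os
import secrets
import tempfile


def overwrite_file(path: str, passes: int = 3, chunk: int = 64 * 1024) -> int:
    """Overwrite a file's allocated bytes in place: random data on every pass
    but the last, zeros on the last pass, with fsync after each pass so the
    writes reach the device rather than sitting in the page cache."""
    size = os.path.getsize(path)
    with open(path, "r+b", buffering=0) as f:
        for p in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                f.write(bytes(n) if p == passes - 1 else secrets.token_bytes(n))
                remaining -= n
            os.fsync(f.fileno())
    return size


def scrub_file(path: str, passes: int = 3) -> int:
    """'DELETED' rather than 'Deleted': overwrite, then unlink.
    Assumption about the platform: this only helps where the filesystem
    rewrites the same blocks. Journaling, copy-on-write and SSD wear levelling
    can keep old copies, so whole-media erasure (degaussing, destruction)
    remains the backstop for retired media."""
    size = overwrite_file(path, passes)
    os.remove(path)
    return size


def demo(content: bytes = b"isaac.newton gravityRules") -> tuple:
    """Constructed demonstration: write content to a temp file, overwrite it,
    read the overwritten bytes back, then scrub it.
    Returns (readback_bytes, file_still_exists)."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(content)
    overwrite_file(path)
    with open(path, "rb") as f:
        readback = f.read()
    scrub_file(path)
    return readback, os.path.exists(path)
```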
22. Cleaning up external data
- Limit exposure
  - firewalls: control what gets out
  - SSL: encrypt traffic, either bound
  - NAT: Network Address Translation
- review ISP policies
  - what do they log?
  - what do they retain?
  - what is their retention policy?
  - what is their disclosure policy?
23. Cleaning up moving data
- Use SSL techniques (Secure Sockets Layer)
- SSL vs. in the clear
  - creates an encrypted tunnel through the internet, connects the client desktop to the webserver (other alternatives exist)
- Example: login / password
  - in the clear: isaac.newton gravityRules
  - over SSL, as an eavesdropper sees it: 9UrT8m25v k31hG8cA5x7
24. Cleaning up moving data
- Do NOT handle transit PII without SSL
- Few other viable public alternatives
  - other methods use login ID, password, etc.
- Eavesdropping, sniffing
  - violates the C (Confidentiality) in the security CIA triad
  - This is a passive attack method; it does not require a break-in
- Example: https://www.mel.org/accessmich/
25-28. Screenshot slides (no transcript); slide 26 is titled "Mozilla says".
29. Dealing with meatSpace
- Develop and require specific Non-Disclosure and
Confidentiality Agreements for any non-employees
involved with your sensitive data
- vendors, contractors, consultants
- temps, volunteers
- tape handler, driver, tape storage facility
- data recovery agents, hot site staff, etc.
- Limit staff to appropriate access, too
30. Vermont Bookseller Bear Pond Books has announced that they will purge their sales records at the request of customers. This would effectively sidestep a typically insidious provision of the USA PATRIOT Act, which allows government agencies to secretly seize sales records. "When the CIA comes and asks what you've read because they're suspicious of you, we can't tell them because we don't have it," store co-owner Michael Katzenberg said. "That's just a basic right, to be able to read what you want without fear that somebody is looking over your shoulder to see what you're reading." - slashdot.org
31. Where to go for more
- The USA PATRIOT Act and Patron Privacy on Library Internet Terminals - By Mary Minow - http://www.llrx.com/features/usapatriotact.htm
- ALA, FBI in Your Library: www.ala.org/alaorg/oif/fbiinyourlibrary.html
- Sample policies, writings on privacy: http://www.librarylaw.com/Privacy
- State Library Associations' Resolutions: http://www.ala.org/Content/NavigationMenu/Our_Association/Offices/Intellectual_Freedom3/IF_Groups_and_Committees/State_IFC_Chairs/State_IFC_in_Action/USA_Patriot_Act_Resolutions.htm
32. Quick Summary Sheet
- Retain only the data you actually need and use
- Limit the amount, type, and volume of PII you retain
- Develop and publish a written retention policy to address this
- Learn where the hidden data reside in your desktops, servers, networks, and other systems
- Learn how to purge unwanted data to comply with your retention policy
- Use permanent deletion tools to delete permanently
- Use SSL to protect sensitive traffic from eavesdroppers
- Make data maintenance a routine part of someone's job
33. Follow-up?
Call or email, any time. I welcome your questions and comments. (Some of my PII:)
Paul Groll, MS, CCSE, CISSP
Department of Information Technology, State of Michigan
GROLL_at_Michigan.Gov
517-373-9578