Defense in Depth for Compliance

Oct. 27, 2008
One-stop compliance products are often too good to be true. Instead, use layered security to achieve your regulatory goals.

Some in the business community say they are being plagued by regulations that are hurting their businesses. I recently attended a legal conference for in-house counsel of a Fortune 200 company, where I learned that this company had to spend $6 million a year to comply with Sarbanes-Oxley regulations, which are designed to enforce ethical corporate governance. Other regulations such as Gramm-Leach-Bliley, which is designed to protect financial records, and the Health Insurance Portability and Accountability Act (HIPAA), which includes sections designed to protect health care records, have had a significant impact on many businesses. But for many individuals, these regulations were too long in coming.

Ask former Enron employees or stockholders of companies that failed due to executive greed whether Sarbanes-Oxley is a good idea, and they will say, “It’s about time!” And quite frankly, it seems nearly ridiculous that companies have to be told to protect healthcare and financial information. Many in the security industry already felt this was their responsibility. Whether you feel regulations are an imposition or a godsend, they are here to stay and must be addressed.

Set It and Forget It?

Many companies are looking for a quick compliance fix, something they can simply “set and forget.” And many vendors are happy to feed this need.
When HIPAA was first enacted, many products were sold as “ensuring HIPAA compliance,” which was sometimes amusing (or frightening) when it was applied to products that had no security function whatsoever. These types of products preyed on decision makers’ general lack of understanding of security concepts.

As all those in the security profession know, there is never a one-size-fits-all security solution. Protecting any asset requires a layered approach, something referred to as defense in depth. Companies that want to successfully comply with these regulations are looking across the board at all security implementations, and many are either beefing up what they already have in place or adding another layer of protection to their security processes.

Know Your Employees
One of the first layers of defense is the pre-employment background check. Darren Dupriest, president of Validity Screening Solutions, has said that while there has been some increase in background checks due to regulatory issues, the industry has not seen a giant spike in requests. However, he added, he is seeing more companies conducting background checks on prospective board members than in the past. He also mentioned that current clients are ordering more comprehensive checks on prospective employees.

Listen to Your Employees
Many companies are implementing another well-known security tool, the anonymous employee tip line or hotline, to help identify both security and governance issues. Tip lines provide employees an opportunity to confidentially report security issues and violations of policies and procedures.
Many vendors of telephone reporting products have added anonymous online reporting mechanisms to these solutions to take advantage of the ubiquity of the Internet. These types of products became a requirement with the adoption of Section 301 of Sarbanes-Oxley, which requires that companies establish procedures for receiving and treating complaints and anonymous employee concerns.

Many hotline vendors simply modified their current service offerings to address the regulations. An Internet search on “ethics hotlines” will reveal a wide variety of vendors and solutions. One of the oldest vendors, The Network, offers an ethics hotline; Allegiance offers the cleverly named SilentWhistle product, and EthicsPoint has a comprehensive suite of products.

Records Lifecycle Management
Unstructured content has acted as a major roadblock in many an organization’s journey toward compliance. Unstructured content—essentially a collection of electronic records created, stored and transmitted without any control mechanisms in place—has historically been the norm in data management, but it allows employees and others to disseminate confidential information with the click of a mouse. This type of environment makes it extremely difficult to maintain compliance with any regulatory or legal mandates.

Before the most recent regulations surfaced, organizations focused on restricting access to proprietary and confidential information. The new paradigm requires companies to go a step further by restricting what employees can do with the data once they have access to it. In addition, companies must be able to successfully log employees’ actions regarding proprietary information. To meet these goals, organizations should implement records lifecycle management—controlling and auditing data from its creation, through its distribution and finally to its destruction or archiving. Oracle has developed several products that address these issues, including Oracle Records Database and Oracle Content Database. Oracle Records Database is a robust product that can integrate with PeopleSoft, Siebel and SAP.

Enterprise Rights Management
Enterprise rights management (ERM), part of the records lifecycle management process, entails protecting digital content no matter where it resides—on a server, on an executive’s laptop, or on systems belonging to business partners and clients. Essentially, any rights assigned to a document travel with it and remain enforced wherever it is opened. In contrast, file-system permissions (ACLs) only govern data while it sits on the system that enforces them. Once a copy of the data leaves that system, by e-mail, USB drive or a simple copy to another share, those permission assignments are meaningless.

I addressed the use of ERM tools to prevent theft of trade secrets in my article, “Keeping Your Secrets Secret” (Security Technology & Design, August 2006). These tools are also excellent for regulatory compliance. Vendors include Liquid Machines, Authentica, AirZip and SealedMedia (which was recently purchased by Stellent).
One vendor of ERM solutions, Informative Graphics, offers an excellent stand-alone utility that allows for “instant document publishing for secure document sharing.” This utility, Net-it Now “… is a free print driver that renders your files to CSF (content secure format), a compressed encrypted format that allows you to add Visual Rights™, including password protection, an expiration date, and feature restrictions, to your files (settings). Files are viewable with the free Brava! Reader (views TIFF, PDF and CSF files).” In addition, it lets you add banners and watermarks, which can help protect against inappropriate distribution of printed documents.

I downloaded and installed the software, and it works extremely well. I even tested the encryption capabilities of the product by viewing a converted file in a hex editor, WinHex. The contents were indeed encrypted. The viewer also includes an interesting feature. Some people may try to copy protected information by taking a screen shot of the document while it is displayed on the monitor. The Brava! Reader automatically covers the document with an image whenever the “Prnt Scrn” button is pressed. (However, it is possible to capture the document using screen capture tools that allow you to manually capture a selected region of the screen, such as TechSmith’s SnagIt! and Wisdom Software’s ScreenHunter).

Enterprise rights management tools are not widely adopted yet, but they will be as more businesses begin to understand their value. In a June 30 article on Network Computing, “Analysis: Enterprise Rights Management,” Trent Henry describes the advantages of ERM from a compliance perspective: “There are countless other use cases, many focused around satisfying various regulatory compliance requirements. For example, HIPAA patient information can be protected from disclosure no matter where the records travel. Gramm-Leach-Bliley Act compliant audit data can show exactly who has used what documents in an organization. And Sarbanes-Oxley requirements for financial records accuracy and accountability are aided by an ERM system that lets only authorized staff modify records.” The complete article can be found at

The Trouble with Encryption
Encryption, which transforms data so that it can be read only by someone holding the correct key, is another good method of limiting access to proprietary data. But while encryption is a great tool, using it in an enterprise can be problematic.

Terms like public key, private key, SHA, Blowfish and Triple DES are either meaningless or confusing to most users. Because of this, any encryption implementation that requires employees to make decisions regarding encryption will be doomed to failure. An encryption program needs to be completely seamless and transparent to the user. Products like PGP Universal use a central administration server to manage encryption through the enterprise and can be set so that files and e-mail messages are automatically encrypted without user intervention.

When you evaluate encryption solutions, analyze exactly what should be encrypted. I had a meeting recently with the IT Security department of a large bank. They informed me that they were protecting sensitive information by encrypting various folders on their employees’ computers, and they had no concerns regarding the loss of proprietary information. When I pointed out to them that while the files may be encrypted, the residual data created in the background—such as temporary files, spooler files, the pagefile and the hibernation file—was not encrypted and was easily recoverable, they panicked. It is important to remember that products like Microsoft Word create numerous temporary files in the background, and many of them contain the same content as the original files. Deleting a temporary file does not remove its contents from the disk; until the sectors are overwritten, a forensic tool will recover them. If the entire hard drive is not encrypted, then this type of material may be recovered.
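Two checks from the discussion above are easy to automate: the hex-editor inspection that confirms a “protected” file really is ciphertext, and a scan of the rest of the drive for plaintext residue that a file- or folder-level product left behind. The script below is an added example, not code from the article or from any product it mentions. The document text, the disk image layout and the toy keystream cipher are all constructed for the demonstration and stand in for a real product’s output and a real drive; the entropy threshold of 7.5 bits per byte is an assumed rule of thumb, not a vendor specification.

```python
"""Added example: is the protected file actually ciphertext, and does the
plaintext survive elsewhere on the disk?  Everything here (document, image
layout, toy cipher, threshold) is constructed for the demonstration."""
import hashlib
import math
from typing import Dict, List, Tuple

# Constructed document that a folder-encryption product is supposed to protect.
DOCUMENT = (b"CONFIDENTIAL: Q3 merger term sheet for Acme Corp. Offer price "
            b"$42 per share. Do not distribute outside the deal team.\n") * 32
# Known plaintext we will hunt for across the whole image.
MARKER = b"CONFIDENTIAL: Q3 merger term sheet"


def toy_keystream_encrypt(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR with SHA-256(key || byte-offset) blocks.
    A stand-in so the example runs on the standard library alone; it is NOT a
    substitute for a real cipher (AES-XTS for disks, AES-GCM for files)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        keystream = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        chunk = data[offset:offset + 32]
        out.extend(b ^ k for b, k in zip(chunk, keystream))
    return bytes(out)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 .. 8.0).  English text lands around 4-5;
    compressed or encrypted data sits close to 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_encrypted(data: bytes, threshold: float = 7.5) -> bool:
    """The automated version of 'open it in WinHex and look': high entropy and
    no recognisable plaintext.  Threshold is an assumed rule of thumb."""
    return shannon_entropy(data) >= threshold and MARKER not in data


def find_plaintext(image: bytes, needle: bytes) -> List[int]:
    """Every offset in the image at which the known plaintext appears."""
    hits, start = [], 0
    while True:
        i = image.find(needle, start)
        if i < 0:
            return hits
        hits.append(i)
        start = i + 1


def build_disk_image() -> Tuple[bytes, Dict[str, int]]:
    """Constructed image: the encrypted document (what the product protected),
    zero-filled slack, then an unencrypted editor temp file (what it missed).
    The temp-file name is illustrative, not a real product's naming scheme."""
    key = b"demo-key-not-for-real-use"
    encrypted = toy_keystream_encrypt(key, DOCUMENT)
    slack = b"\x00" * 512
    temp_header = b"~WRL0001.tmp\x00"
    temp_file = temp_header + DOCUMENT
    layout = {
        "encrypted": 0,
        "temp_file": len(encrypted) + len(slack),
        "temp_body": len(encrypted) + len(slack) + len(temp_header),
    }
    return encrypted + slack + temp_file, layout


def audit_image() -> Dict[str, object]:
    """Run both checks over the constructed image and report what an auditor
    would want to know: is the protected region ciphertext, and where does the
    plaintext still live?"""
    image, layout = build_disk_image()
    protected = image[:len(DOCUMENT)]
    return {
        "protected_entropy": shannon_entropy(protected),
        "protected_is_ciphertext": looks_encrypted(protected),
        "document_entropy": shannon_entropy(DOCUMENT),
        "plaintext_hits": find_plaintext(image, MARKER),
        "temp_body_offset": layout["temp_body"],
    }


if __name__ == "__main__":
    report = audit_image()
    print(f"protected region entropy: {report['protected_entropy']:.2f} bits/byte")
    print(f"protected region is ciphertext: {report['protected_is_ciphertext']}")
    print(f"plaintext found at {len(report['plaintext_hits'])} offsets; "
          f"first at {report['plaintext_hits'][0]} (temp file body starts at "
          f"{report['temp_body_offset']})")
```

Against a real drive you would point `find_plaintext` at a raw image (or at the pagefile, hibernation file and spool directory individually) using a marker string you know appears in a protected document; any hit outside the encrypted container is exactly the residue the bank in the story had not considered. The entropy test is a sanity check, not proof of strength: a product that compresses or XORs with a repeating key can still score high, so it confirms that the bytes are not plaintext, nothing more.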

Temporary file recovery is less of a concern for desktop systems that never leave the building, but it is a real issue for laptop computers, which are lost and stolen routinely. For mobile users, whole disk encryption is the best solution. When a laptop user tries to boot up the system, he or she is prompted for a password or passphrase before the operating system loads (pre-boot authentication). If the password is correct, the system boots up normally, and all data, including the pagefile, hibernation file and temporary files, is transparently decrypted and available to the user. Keep in mind what this does and does not protect: whole disk encryption secures data at rest on a powered-off machine; once the user has authenticated and the system is running, the disk is as readable to malware or a borrowed session as an unencrypted one.

A popular disk encryption tool, TrueCrypt, is a good tool to experiment with to gain a better understanding of disk encryption concepts. It’s not, however, an enterprise solution. One of the advantages of using a robust enterprise encryption solution is centralized key escrow and recovery: an administrator can recover data from a disk should a user forget his or her password or passphrase, or leave the company. That ability is not offered by stand-alone tools like TrueCrypt, where a lost passphrase means the data is gone.

While encryption is good for protecting data, it does not control how data is used once it is decrypted. The best solution for protecting data and ensuring regulatory compliance is an enterprise rights management solution that uses transparent encryption. As more reports of lost or stolen data hit the press and additional regulations are enacted, businesses will have no choice but to integrate these tools into their business processes.

John Mallery is a managing consultant for BKD, LLP, one of the ten largest accounting firms in the United States. He works in the Forensics and Dispute Consulting unit and specializes in computer forensics. He is also a co-author of Hardening Network Security, which was recently published by McGraw-Hill.