Employing technical controls in information security systems
Michael Irene is a data and information governance practitioner based in London, United Kingdom. He is also a Fellow of Higher Education Academy, UK, and can be reached via moshoke@yahoo.com; twitter: @moshoke
In last week’s article, I covered physical and environmental control. This week, as promised, I would cover some technical controls that companies can employ in their journey to gain a robust and secure information system.
Technical controls are security controls computer system executes to provide some levels of automated protection against unauthorised access or misuse of data. It facilitates detection of security violations, and more importantly, supports security requirements and provides some level of data protection.
Imagine you’re a chief information officer or a chief technology officer in Company Z, and you want one of your staffs to access a particular encrypted document. Still, you don’t want to go through the rigours of decrypting the file.
Or, you are a chief privacy officer, your data retention controls stipulate that unused data from a customer enquiry process, should be deleted after thirty days. What sort of technical tool would you employ to meet these policy requirements?
These scenarios call for specific technical controls.
In the first scenario, you would want to consider what is called homomorphic encryption, a sophisticated encryption technology which sets out to solve many security concerns. In the above case, the staff can carry out work without necessarily decrypting the data. Thanks to Craig Genery, the IBM researcher, who introduced the homomorphic encryption scheme to bring another viable and secure means to access encrypted data sets.
Another area where homomorphic encryption would work is in the healthcare industry where sensitive personal information flows around. As a healthcare provider, you can share encrypted information with a third-party supplier without them necessarily accessing information that you don’t want them to access. The third-party company can perform queries on your data with homomorphic encryption without gaining access to other data sets.
Data masking is another technical control that companies can use in securing data. Another name for data masking is data obfuscation. Data masking is a process used to hide data. Real data is obscured by random characters so that it can’t be accessed, which is another form to cover classified data points from company staffs that don’t have permission to view data. The main function of masking data is to protect sensitive information and more importantly, to implement role-based access control. If an admin staff in a health care company shouldn’t see certain information while carrying out her duties, then masking those particular data sets becomes fundamental.
Next to masking is tokenisation. You’re about to send money to your colleague, but you need your token device to get some unique identifiers on a token. Without this, you can’t make that transfer. Well, companies can replicate these procedures in other business functions. For example, suppose your staff wants to transfer documents to another branch. In that case, tokenisation can assist in ensuring that information is only transferred with a unique identifier. The unique identifier retains all the pertinent information about the data without compromising its security. A tokenisation system links the original data to a token but does not provide any way to decipher the token and reveal the original data. Tokenisation is in contrast to encryption systems, which allow data to be deciphered using a secret key.
In the case where data should be deleted securely, company XYZ can use degaussing. Degaussing is the process of reducing or eliminating an unwanted magnetic field stored in computer hard drives or USBs. When exposed to the magnetic field of a degausser, the data on the hard disk is erased. This method is the guaranteed form to erase data from hard drives, and it’s an industry-standard form of data destruction. Data protection stipulates that companies should delete data securely and safely, and degaussing helps companies achieve this.
Paying attention to these technical controls can help companies ensure that they shore up their security procedures and ensure that they continue to maintain a robust information security system.