Missing disks and encryption
Posted by: Richard in Id Cards, Politics, Rants, Technology, UK

Breaking news of a horrific breach of process that has led to 25 million records going astray between HM Revenue and Customs and the National Audit Office. Clearly somebody in the organisation screwed up horrifically, and is probably nursing a P45 while watching our most senior politicians defend themselves, with a very, very bad sinking feeling.
This is clearly a failure of individual judgement, and of organisational process and management, but it also says something about the IT systems in place at these public bodies.
Firstly, that they allow data to be written to removable media AT ALL in such a trivial fashion (i.e. without people having had it beaten into them how it is done, and why it is dangerous). Disabling such devices should be standard practice anywhere that handles sensitive personal data. Removable USB drives and pens are easily carried into and out of an organisation, and it is reasonably easy, as well as sensible, to disable the USB mass-storage interfaces on corporate systems. Similarly, writeable removable media drives (CD/DVD writers) should not be installed at all, and access to the blank media itself should be controlled. E-mail can be monitored and restrictions placed on likely content: even basic attachment-size limits, before you get to content-checking and policy systems, will catch simple or accidental screw-ups by careless staff.
More fundamentally, and touching on the ‘lost laptop’ issue that pops up occasionally, why is sensitive data being copied off restricted, fixed systems at all? Remote desktop systems (Citrix and the like) give remote workers access to sensitive data in a controlled way without the data ever residing on the laptop, so losing the laptop loses nothing. Where data must live on a portable machine, there are full-disk encryption products that protect the whole machine or user profile, and combined with a strong password policy and two-factor tokens (SecurID and the like) they protect the data from exactly this kind of loss.
But data needs to be exchanged at times, and this is where process comes in: any exchange of sensitive data should follow a defined procedure that covers these risks. In this rogue case, however, it was mentioned that the disks were “password protected”. That is no assurance whatsoever. It is important to emphasise that ‘password protected’ is very distinct and different from ‘encrypted’; they are NOT the same thing. Thankfully the BBC appears to have picked up on this, although Jane Kennedy MP (Financial Secretary to the Treasury, and presumably one of the Chancellor’s minions offered up to the baying media) seems dangerously keen to brush over this vital difference.
In itself, password protection is no assurance at all. In many organisations data is (in my sad experience) frequently exchanged unencrypted. There is a huge lack of understanding of the basics of protecting data, and people frequently do not realise that a simple password on a file does nothing to protect the contents from a determined individual who has the file in hand: the password is merely a check the viewing application performs before it shows you the data, and the data itself sits on the disk in the clear for anyone who reads it with a different tool. Heavy-duty encryption, by contrast, transforms the data itself so that it is unreadable without the key. Look at PGP/GPG-type technologies, which let the sender encrypt to a designated recipient so that only that recipient can view it; a disc lost in the post is then just noise to whoever finds it.
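To make the ‘password protected’ versus ‘encrypted’ distinction concrete, here is an added example (my own illustration, not anything from the original post or from HMRC’s systems). It models a hypothetical ‘password protected’ container in which the reader checks a password hash in the header but stores the payload untouched, and contrasts it with a container whose payload is actually encrypted under a key derived from the passphrase. The record data, the container formats and the passphrase are all constructed for the example; the cipher is an HMAC-SHA256 counter-mode keystream chosen so the script runs with the standard library alone, and it stands in for what GPG or a library AEAD would do in practice.

```python
import hashlib
import hmac
import os
import struct

# Constructed sample records standing in for the kind of data on the lost
# discs. Every value here is made up for the example.
RECORDS = (
    b"surname,forename,dob,ni_number,sort_code,account\n"
    b"Doe,Jane,1974-03-02,QQ123456C,12-34-56,12345678\n"
    b"Bloggs,Joe,1969-11-30,QQ654321A,65-43-21,87654321\n"
)
NEEDLE = b"QQ123456C"  # a field a casual finder of the disc would grep for

MAGIC_PW = b"PWPROT01"   # hypothetical 'password protected' container
MAGIC_ENC = b"ENCRYPT1"  # hypothetical encrypted container


def write_password_protected(data, password):
    """'Password protection' as a reader-enforced gate: the application
    compares a hash of the typed password against the header and refuses to
    display the file on mismatch. The payload itself is stored untouched."""
    check = hashlib.sha256(password.encode()).digest()
    return MAGIC_PW + check + data


def open_password_protected(blob, password):
    """The 'honest' reader path, which is the only place the password matters."""
    if blob[:8] != MAGIC_PW:
        raise ValueError("not a password-protected file")
    check = hashlib.sha256(password.encode()).digest()
    if not hmac.compare_digest(blob[8:40], check):
        raise PermissionError("wrong password")
    return blob[40:]


def read_without_password(blob):
    """What anyone holding the disc does instead: skip the gate and read the bytes."""
    return blob[40:]


def contains_plaintext(blob, needle=NEEDLE):
    """Does a record field appear verbatim in the stored bytes?"""
    return needle in blob


def _derive_keys(password, salt):
    # PBKDF2 slows down guessing; 32 bytes for the cipher key, 32 for the MAC key.
    km = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=64)
    return km[:32], km[32:]


def _keystream(key, nonce, length):
    # HMAC-SHA256 run in counter mode as a PRF keystream. Fine as an illustration
    # of 'the bytes on disc depend on the key'; real deployments should use
    # GPG, age or a library AEAD such as AES-GCM rather than this.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(data, password):
    """Encrypt-then-MAC: without the key the payload is noise, and any edit is detected."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _derive_keys(password, salt)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(enc_key, nonce, len(data))))
    body = MAGIC_ENC + salt + nonce + ct
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()


def decrypt(blob, password):
    if blob[:8] != MAGIC_ENC or len(blob) < 8 + 16 + 16 + 32:
        raise ValueError("not an encrypted file")
    body, tag = blob[:-32], blob[-32:]
    salt, nonce, ct = body[8:24], body[24:40], body[40:]
    enc_key, mac_key = _derive_keys(password, salt)
    # Check the tag before touching the ciphertext; a wrong password or a
    # tampered disc both fail here rather than yielding garbage.
    if not hmac.compare_digest(tag, hmac.new(mac_key, body, hashlib.sha256).digest()):
        raise PermissionError("wrong password or tampered file")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


if __name__ == "__main__":
    pw = "child-benefit-2007"
    protected = write_password_protected(RECORDS, pw)
    encrypted = encrypt(RECORDS, pw)
    print("password-protected file leaks NI number:", contains_plaintext(protected))  # True
    print("read without password matches records:", read_without_password(protected) == RECORDS)  # True
    print("encrypted file leaks NI number:", contains_plaintext(encrypted))  # False
    print("decrypt with right password:", decrypt(encrypted, pw) == RECORDS)  # True
```

The point to take from running it is that `read_without_password` never consults the password at all, and a hex editor or `strings` on the ‘protected’ file finds every NI number; the password only ever mattered to the one application that chose to honour it. The encrypted container fails that same grep, and a wrong passphrase or a single flipped byte is rejected before any plaintext is produced. Legacy office and archive formats from the period that did encrypt typically did so with weak ciphers and short keys, which is why the distinction the post draws still matters even when a format claims to do more than gate the reader.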
Finally there was Darling’s atrocious defence against the Conservatives’ well-placed charge that this undermines the Government’s entire ID card policy. Darling said the National Identity Register was “protected by biometrics” and “therefore more secure”. I find that derisory in the extreme. Biometrics authenticate a person presenting themselves at a checkpoint; they do nothing to stop an insider with legitimate access to the back-end database from copying its contents onto a disc, which is precisely what just happened.
It is all extremely concerning, and I am beginning to wonder (perhaps a little swept along by the BBC coverage, which seems to be building towards a crescendo of hyperbole) whether this, along with Northern Rock, could become a resigning matter and threaten public confidence in this government.

November 21st, 2007 at 12:38 am
What I do not understand is how the computer experts that put the system in do not explain it in words of one syllable. They must know their own data is going to be stored in the systems they are installing. I know that if I was putting a system in that my data was going to be eventually stored in, I would make b****y sure that everybody understood it and that an ordinary ‘joe’ could not interfere with it.
Or am I being naive?
November 25th, 2007 at 1:29 am
[...] Government’s competence with IT naturally gets called into question: Angus Nicolson and Robert Sharp are stunned that these data can be put on a CD and sent in the internal mail when there is the [...]
November 27th, 2007 at 8:18 am
On Newsnight that night there was a Cambridge information security expert (forget his name) who made an amusing dismissal about ID cards while discussing the data loss:
Paxman: …ID cards another matter altogether, much safer
expert: ID cards don’t really have anything to do with security, they are a political thing