Tag Archives: Agilent Technologies Inc.

Avoid Security Pitfalls with Subcontractors


You’re a not-so-big company, and you simply must outsource some sensitive tasks, perhaps payroll or the 401(k) plan. But headlines about laptops that subcontractors carelessly left unencrypted and then had stolen are everywhere. How can you protect your company from a subcontractor’s security breach?

In March 2008, Santa Clara, Calif.-based Agilent Technologies became the latest victim of this scenario: a subcontractor hired to handle the company’s employee stock plan left the information on an unencrypted laptop, and the laptop was later stolen. Agilent had a clearly stated policy that all such data must be encrypted, and that subcontractors must encrypt it, too. But the subcontractor did not honor this policy, according to Amy Flores, an Agilent spokeswoman.

While some risk always exists, experts say, you need to make sure the service-level agreement (SLA) you have with your subcontractor is as airtight and specific as possible, and that you constantly keep tabs on whether they are complying. They offer the following advice.

Call your lawyer. “Knowing your exposure is specific to your industry,” notes Scott Almas, associate attorney with the Albany, N.Y.-based law firm Lemery Greisler. Almas, who has drafted many an SLA and litigated ones that have gone awry, says that your company lawyer should know what’s needed in terms of data protection to comply with such federal laws as the Sarbanes-Oxley Act and the Health Insurance Portability and Accountability Act (HIPAA).

Spell it out. Explain the purpose of the application you are asking the subcontractor to use, and why. “Take the time to explain it: which data is private, what needs to be encrypted, the rules of who has access,” says Jack Danahy, founder and CTO of Ounce Labs, a Waltham, Mass.-based software risk management firm.

Require specific protections.
Insist on fingerprint sensors on all laptops the subcontractor uses, WPA encryption on their wireless networks, secure networks and careful protections on all remote access, says Almas. Keep in mind that a fingerprint reader only gates the login screen: the data on a stolen drive is protected only if the disk itself is encrypted, so full-disk encryption belongs in the contract alongside the biometric.

Look into NAC. Network access control (NAC) products can scan any computer, PDA or thumb drive and keep tabs on any remote worker, subcontractor or not, notes Paul Roberts, senior analyst for enterprise security at the 451 Group, a technical analysis firm in Boston. “If it’s not okay, you can quarantine the computer until the subcontractor cleans up their act.” NAC tools, offered by Cisco, Mirage Networks, Nevis Networks and others, are expressly designed to address the security issues raised by laptops and other mobile devices. But some note that the technology remains very new, and perhaps too pricey for the smaller business. A less expensive option is a hosted service, such as those offered by AT&T and other ISPs, says Roberts.

Encrypt first. “Encrypting the laptop is one approach, but encrypting the data before ever transmitting it is the better approach,” says Ounce’s Danahy. Reviewing source code to make sure that the subcontractor’s systems are in order is another approach that Ounce offers its enterprise customers, Danahy says.

Include enforcement, and consequences. Reserve the right to enforce the agreement and check up on workers, says Danahy. “Put something in like, if we discover you’ve done this, you’ll be fined 5 percent per month, or we won’t pay you,” he says. Adds Almas: “They need to agree to indemnify and defend you against any losses.”

Include a destruction policy. When the project is over, make sure you’ve spelled out to the subcontractor how you want the sensitive information wiped or destroyed, says Almas. Otherwise, that laptop or PDA could be discarded someday with all that sensitive data still on it.
If it’s your company that’s the subcontractor, showing a willingness to take security steps can help you seal the deal, notes Danahy. “Small contractors who ask the right questions and tell their potential client how they’ll encrypt the data, that can be a real differentiator for bigger companies,” he says.

SIDEBAR: What to Do if Disaster Strikes

Let’s say the worst has happened: your company’s sensitive data has been breached, despite your diligence. What can you do to contain your risk? The first step is to notify your clients or employees, those whose data is at risk, of the breach. Under California’s SB 1386 breach notification law, companies must tell affected employees or customers about a breach of their personal data as quickly as possible; data that was encrypted is exempt from the notice requirement, which is the law’s safe harbor and one more reason to encrypt. Experts say it’s also wise to offer employees or customers a credit-monitoring service for a time to help them track any possible identity theft. Agilent’s Flores reports offering this service to their employees.

Even outside California, companies that don’t inform their customers or employees right away do so at their peril. In March 2008, two separate lawsuits were brought against the New England-based Hannaford Bros. grocery chain for failing to notify customers until late March of a credit-card security breach that occurred Feb. 27, according to published reports. A breach can happen to anyone, but companies that show they did what they could will fare better, in the public eye and in the courts.

10 Steps to Database Security


March 1, 2008: a laptop containing unsecured confidential data is stolen from an employee’s car, endangering the privacy and financial well-being of thousands of people, and a company’s reputation. Feel like you’ve read this before? Once only the stuff of nightmares, this unfortunate scenario has become almost commonplace.

In this latest instance, the laptop belonged to an employee of San Jose, Calif.-based Stock & Option Solutions (SOS), a stock-plan manager and subcontractor to Agilent Technologies Inc. of Santa Clara, Calif., a life-sciences and measurement firm. The laptop contained a database listing the names, addresses and Social Security numbers of 51,000 Agilent employees, retirees and stakeholders, as well as information about their stock holdings. Despite a strict Agilent database-encryption policy, which covered SOS as well, the copy on the laptop was unencrypted, confirms Agilent spokeswoman Amy Flores. “They blew it,” she says simply.

Cautionary tale about databases

This latest case should serve as yet another cautionary tale. Data such as Social Security or credit card numbers are not only crucial to a business; they are worth their weight in gold to those in the identity theft racket. Moreover, compliance with regulatory mandates such as Sarbanes-Oxley requires companies, and their contractors, to keep an airtight lock on relevant data if they want to win and maintain lucrative business deals. And yet database administrators (DBAs) probably spend only 7 percent of their time on database security, estimates Noel Yuhanna, principal analyst for database security at Cambridge, Mass.-based Forrester Research. If anything, DBAs spend more time trying to increase internal access to a company’s database, so that it can be used optimally by the accounting or sales staff. For small businesses, where the DBA may have countless other duties too, the problem might be greater.
Sometimes insiders are at fault

Which brings us to another tough statistic: a January 2007 Forrester Research report estimated that 70 percent of all database breaches involve insiders. Even the employees who administer the database need to be viewed as potential risks to its safety. Awareness of the scope of this problem is growing, however. A separate Forrester study found in October 2007 that enterprise spending on database security and auditing is likely to double by 2010, to nearly $900 million annually.

What should a small or mid-sized business do to protect its database? Here are some tips from the experts.

What’s Your Risk? “If your database is on the Internet, you have to protect it from hackers. Even if not, you have to protect it from insiders. And then you need to consider the laptops, thumb drives, anything else that can include the data,” says Sushil Jajodia, professor of information technology and director of the Center for Secure Information Systems at George Mason University in Fairfax, Va. Figure out the scope of your risk first.

Conduct a Vulnerability Assessment. Tools are out there that can help you check how well your existing systems protect your database. Products such as Imperva’s Scuba, a free assessment tool, can point out misconfigurations and known weaknesses in the database installation itself.

How Many Databases Exactly? Track down any and all copies of your company’s databases that might be floating around: backups, developer and test copies, extracts on laptops and thumb drives. There may be more copies than you think, so make sure they are all found and eventually protected.

Develop a Clear Policy, and Stick to It. “Insiders need to know what they can and cannot do” with critical information, and how it should be stored, says Jajodia. “They need to understand the policy and know what will happen if it’s violated. Usually, that’s enough and people will do the right thing.” Insiders include not only employees but third-party contractors, too.

Go Shopping for New Tools.
DBAs should seek out the newest database security releases instead of relying on what’s on their systems now, says Forrester’s Yuhanna. For example, the latest offerings from Oracle, IBM, Microsoft SQL Server and Guardium offer far more advanced features. Guardium’s appliance, for example, continuously tracks all database activity, including failed logins, and includes an email alert service that can let others know of any suspicious activity.

Make Sure the Tools Get Used. Make sure any software is properly installed. If encryption software for laptops is purchased, make sure it’s installed on every laptop in the office. In a recent case involving a laptop stolen from a National Institutes of Health (NIH) employee, the laptop was not encrypted despite a U.S.-government-wide encryption policy, notes Jajodia. Buying the tool is not the control; verifying that it is deployed and switched on is.

Control Access. Only certain employees should have access to the office database, and those who need only parts of it to do their work should have access only to those parts. Products such as Applimation’s Informia subsetting solution or EMC’s Database Xtender can ensure that the sales force, for instance, sees only the specific data it needs and nothing more.

Don’t Give DBAs Sole Responsibility. Remember that most database breaches happen from the inside, so make sure someone is checking up on the DBA, too, notes GMU’s Jajodia. “This is the typical weakness, where a separation of duties isn’t followed,” he says. “There have to be checks and balances.” Newer products can help by ensuring that even DBAs cannot make changes without notice.

Handle Old Data with Care. Develop a solid strategy for storing databases that have outlived their usefulness, or old equipment containing such data. Remember that even old data can be misused if it falls into the wrong hands. To store sensitive data, consider off-site archiving options with limited access, says Yuhanna.

Should You Dump It Instead?
Legal experts note that keeping certain old data could add to your company’s risk in the event of an e-discovery case. If you decide to dump the data, wiping software, which overwrites the hard drive with unreadable gobbledygook, is one option; consider products such as WipeMaSSter or Active@KillDisk. Overwriting is dependable only on conventional magnetic disks: on flash-based drives, wear leveling can leave copies of the data in blocks the software never touches, so use the drive’s built-in secure-erase command or destroy the drive. Other options include degaussing (exposing the drive to a strong magnetic field that renders the platters unreadable) or destroying the drive outright.

To be sure, protecting your company’s database is a challenging, time-consuming task. And, as Agilent’s Flores warns, the proverbial chain is only as strong as its weakest link. Nonetheless, making your best effort could help inoculate your company against all kinds of unforeseen dangers.
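What “continuous tracking of all database activity, including failed logins” and the checks-and-balances on DBAs look like as detection logic, as an added example that is not from the original article and not code from Guardium or any other product it mentions: a Go program that runs three rules over constructed database audit-log lines. The line format, the thresholds and the business-hours window are assumptions made for this example; the audit lines are made up.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Constructed audit-log lines, not output of any real product. The layout
// (RFC 3339 timestamp, then key=value fields) is an assumption of this example.
var sampleAudit = []string{
	"2008-03-01T02:14:01Z user=svc_report src=10.0.0.7 action=LOGIN_FAILED",
	"2008-03-01T02:14:09Z user=svc_report src=10.0.0.7 action=LOGIN_FAILED",
	"2008-03-01T02:14:20Z user=svc_report src=10.0.0.7 action=LOGIN_FAILED",
	"2008-03-01T02:14:33Z user=svc_report src=10.0.0.7 action=LOGIN_FAILED",
	"2008-03-01T02:14:41Z user=svc_report src=10.0.0.7 action=LOGIN_FAILED",
	"2008-03-01T02:15:02Z user=svc_report src=10.0.0.7 action=LOGIN_OK",
	"2008-03-01T02:16:10Z user=svc_report src=10.0.0.7 action=EXPORT table=participants rows=51000",
	"2008-03-01T09:30:00Z user=dba_kim src=10.0.0.12 action=GRANT privilege=DBA grantee=dba_kim",
	"2008-03-01T09:31:00Z user=dba_kim src=10.0.0.12 action=AUDIT_DISABLE",
	"2008-03-01T10:00:00Z user=alice src=10.0.0.20 action=SELECT table=participants rows=40",
}

const (
	failWindow    = 5 * time.Minute // failed logins are counted within this window
	failThreshold = 5               // this many in the window raise an alert
	bulkRows      = 10000           // a read this large looks like mass extraction
)

type Event struct {
	At     time.Time
	Fields map[string]string // user, src, action plus action-specific keys
}

// Parse splits one audit line into a timestamp and key=value fields.
func Parse(line string) (Event, error) {
	parts := strings.Fields(line)
	if len(parts) < 2 {
		return Event{}, fmt.Errorf("short audit line: %q", line)
	}
	at, err := time.Parse(time.RFC3339, parts[0])
	if err != nil {
		return Event{}, err
	}
	ev := Event{At: at, Fields: map[string]string{}}
	for _, kv := range parts[1:] {
		pair := strings.SplitN(kv, "=", 2)
		if len(pair) != 2 {
			return Event{}, fmt.Errorf("malformed field %q in %q", kv, line)
		}
		ev.Fields[pair[0]] = pair[1]
	}
	return ev, nil
}

func hoursNote(t time.Time) string { // business hours assumed to be 07:00-19:00 UTC
	if h := t.Hour(); h < 7 || h >= 19 {
		return " outside business hours"
	}
	return ""
}

// Analyze applies three rules in order: repeated failed logins from one
// user/source, bulk reads, and privilege or audit-setting changes (which
// must be reviewed by someone other than the DBA who made them).
func Analyze(lines []string) ([]string, error) {
	var alerts []string
	fails := map[string][]time.Time{} // "user@src" -> failed-login times in window
	for _, line := range lines {
		ev, err := Parse(line)
		if err != nil {
			return nil, err
		}
		who := ev.Fields["user"] + "@" + ev.Fields["src"]
		stamp := ev.At.Format(time.RFC3339)
		switch action := ev.Fields["action"]; action {
		case "LOGIN_FAILED":
			kept := fails[who][:0] // discard failures older than the window
			for _, t := range fails[who] {
				if ev.At.Sub(t) < failWindow {
					kept = append(kept, t)
				}
			}
			fails[who] = append(kept, ev.At)
			if len(fails[who]) == failThreshold {
				alerts = append(alerts, fmt.Sprintf("%s %d failed logins by %s within %v", stamp, failThreshold, who, failWindow))
			}
		case "SELECT", "EXPORT":
			if rows, _ := strconv.Atoi(ev.Fields["rows"]); rows >= bulkRows {
				alerts = append(alerts, fmt.Sprintf("%s bulk read of %d rows from %s by %s%s",
					stamp, rows, ev.Fields["table"], who, hoursNote(ev.At)))
			}
		case "GRANT", "REVOKE", "AUDIT_DISABLE", "AUDIT_ALTER":
			alerts = append(alerts, fmt.Sprintf("%s %s by %s needs second-person review", stamp, action, who))
			if action == "GRANT" && ev.Fields["grantee"] == ev.Fields["user"] {
				alerts = append(alerts, fmt.Sprintf("%s %s granted %s to their own account", stamp, who, ev.Fields["privilege"]))
			}
		}
	}
	return alerts, nil
}

func main() {
	alerts, err := Analyze(sampleAudit)
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Println("ALERT:", a)
	}
}
```

The point of the third rule is who receives the alert: routing privilege grants and audit-setting changes to a reviewer other than the DBA is what turns the separation of duties Jajodia describes into something checkable. The thresholds are illustrative; tune them to your own login-failure and export volumes, and feed the rules from the database’s own audit trail rather than from application logs the DBA can edit.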

What’s Next: Data Disasters

When it comes to the Internet, nothing is ever really forgotten and everything leaves a trail. This can be good or bad for business, depending on where you stand in relation to the law. These data trails can be used to find who has been stealing your trade secrets, or to bust you if you are the thief. They can show who is working and who is goofing off. They can tell you a heck of a lot about who your online customers are, allowing you to make better decisions and more money. This information is extraordinarily valuable, and there are laws that require companies to produce it, and to do it right now. But it hasn’t been easy to do, until a San Francisco start-up called Addamark Technologies figured it out.

In the pre-Enron, pre-WorldCom, pre-Tyco, pre-you-name-the-crooked-company days, the legal rules for retaining communication records said only that a company had to be consistent. You couldn’t, for example, keep all e-mails except those having to do with a hostile takeover or a case under litigation. If it was your company’s policy to erase all old e-mails once a year or once a month, that was okay, as long as the policy was in writing and was strictly followed. Enron, for example, wiped its e-mail slate clean every 72 hours, which is hardly a surprise.

Today the rules have changed. Public and many private companies have to keep a copy of written communication of every type (letters, e-mails, even Internet instant messages) for up to seven years. You have to keep the copies in a form that allows their authenticity to be verified, whatever that means. Not only that, but you must keep a second copy of every message in a different location in case of fire or natural disaster. The second copies must be on nonerasable storage media, such as optical disks. And if the SEC asks you to provide a copy of any given document, or of every document, you have until close of business today to do it. Almost no company can do this.
If you are a health care organization, an insurance company, or even a human resources department, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires as of this year that if a client asks you for a list of every person or organization with whom you have shared his or her medical records, you have to provide that list, on the spot. Almost no organization can do this.

And if you aren’t a public company, don’t engage in health care, and have no human resources department, you still aren’t off the hook, because these are becoming the accepted standards for all companies. If you still dump e-mail every 72 hours and end up in court, you are effectively guilty as charged. Penalties for noncompliance right now are mild, but they are sure to get stronger in the future, right up to sending people to jail. The new SEC regulations, for example, hold the CEO personally responsible for record retention, meaning he or she, not some nerd in the computer room, will be doing time. Then there are the civil penalties that will come from the inevitable lawsuits. It is possible that every customer of a hospital or clinic could walk into small claims court tomorrow and walk out with $1,000 or more because the paper trail of who got their records couldn’t be produced or was incomplete. Every hospital and clinic in America is vulnerable, for they are all in violation. And while HIPAA doesn’t specifically provide for private legal actions, neither does it prohibit them if other laws are being violated too.

So we’re in a whole lot of legal trouble, and most companies don’t have the technology to comply with laws already on the books, much less the even stricter ones likely to follow. It could have been argued that these legal requirements are unreasonable, but then along came Addamark.

And then there is data theft. Electronic documents are stolen all the time, and it usually isn’t through some high-tech cracking scheme but an inside job.
The bad guy is often a disgruntled employee, or someone who appears to be an employee but is really a competitor using an employee’s login name and password obtained through a process called “social engineering.” “This is Mitch in IT; we’re working on the network and need your login and password to check something out.” Only Mitch is calling from your top competitor. This really happens. There is an evidence trail of all this in your phone system and on your servers, if only it could be found.

The problem here isn’t generating the information, which is done automatically by every e-mail, database or Web server application. The problem isn’t storage, because data storage is cheap and always getting cheaper. The problem is finding what you need, a problem that until recently looked insurmountable.

Log data, which is what we are talking about, is huge. Just the e-mail system for a large company can generate terabytes of log data per day (a terabyte is one thousand billion bytes) concerning who said what to whom and what path the message followed. That’s for one day. The new SEC regulations say a company has to hold those records for approximately 2,000 days, and most companies are deciding just to keep them forever.

Finding what you want in this pile of data would seem to be an easy problem for computers to solve, given that they are so good at fetching and carrying. Servers generate log files indicating what happened to every file or message, the log files go into a huge database, and you run queries against this database, right? Unfortunately these log files are bigger than any database ever. They are bigger than database designers ever expected files to be. They are almost too big to even function in a database application. That’s because when data is inserted into an Oracle or IBM DB2 database, the data gets bigger. It grows by about 30% as metadata (data describing the data) is added. The result is a pile of data petabytes in size (a petabyte is one thousand terabytes).
That’s not too much data to store, but it’s too much data to search. It could take days, weeks, months to find what you need. Until very recently the only searchable logging databases of such size I had heard of were at Amazon.com, eBay and Google, each developed privately over a period of years and costing, in the case of Amazon at least, hundreds of millions of dollars. Amazon.com says it has so far spent more than $900 million on computer technology for its business and continues to invest at a rate of $200 million per year, a lot of it going to massaging log data. Faced with spending $200 million to avoid a $25,000 fine from the SEC, most companies would pay the fine, except for that little part about the CEO going to jail.

It could have been argued that these legal requirements are unreasonable, even unenforceable. But then along came Addamark Technologies, which changed everything. Addamark makes the storage and searching of petabyte logging databases not simple but easy, and easy is what counts. What couldn’t be done at all can now be done in seconds, and for around 1% of what Amazon.com paid for the same capability.

Addamark began as an idea in the mind of Adam Sah, who was at that time head techie at Internet Pictures, or iPix, which owns the servers that hold all those pictures of goods for sale on eBay and throws them onto your screen. With an average of 16 million items for sale each day on eBay, most of them having one or more pictures, that’s a lot of images. It is also a lot of surfing, since iPix had to transmit those pictures over and over again as required by 50 million potential bidders. Because iPix was paid every time a picture was transmitted, its log files were essentially its billing system, and Sah wanted to find a way to generate a detailed bill every day. Rather than just throw the log data into Oracle or DB2, Sah thought about log data and how it is different from other kinds of database entries.
It doesn’t change, for one thing, since logs are entirely retrospective and are supposed to tell the truth. Sah found that you can strip log data down to its barest form, then compress it at least 10-to-1 (something you can’t do in a regular database), then actually search the compressed data for what you need. The result is a new type of specialized database that can be of almost limitless size yet can be searched in seconds. Addamark can be filled with any kind of log data from any logging application, and if you want to see every e-mail that mentions Microsoft, or when and by whom a confidential document was transmitted, Addamark produces the goods almost instantly. All this, and it runs not on mainframes or even big servers but on clusters of commodity PCs. Expanding your Addamark system can mean a trip to Best Buy.

Addamark is shipping today, to customers that include Agilent Technologies, Blue Cross-Blue Shield of North Dakota, Lehman Brothers and Yahoo. In a high-tech depression, this is a company that turned away venture capitalists. It is a 30-person firm at which 12 of those 30 are former CEOs or founders. Addamark, with its patented technology, could be the next Oracle. Remember the name; you might need it.

Robert X. Cringely is a writer, broadcaster, and entrepreneur specializing in technology. Contact him at cringely@inc.com.
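A small illustration of the approach the column describes, compressing immutable log data and querying it without a general-purpose database, as an added example that is not Addamark’s code and not a description of its patented method: a Go column store that gzips each log field separately and decompresses only the column a query touches. The mail-gateway records are fabricated, and the column layout is this example’s own.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"fmt"
	"io"
	"strings"
)

// ColumnStore holds an append-only log table as one gzip blob per column
// (newline-separated values). Log records never change once written, so each
// column is compressed once and scanned in place when queried.
type ColumnStore struct {
	names  []string
	cols   map[string][]byte
	raw    int // uncompressed bytes
	packed int // compressed bytes
}

// Build compresses records (each parallel to names) column by column.
func Build(names []string, records [][]string) (*ColumnStore, error) {
	s := &ColumnStore{names: names, cols: map[string][]byte{}}
	for c, name := range names {
		var buf bytes.Buffer
		zw := gzip.NewWriter(&buf)
		for _, r := range records {
			if len(r) != len(names) || strings.Contains(r[c], "\n") {
				return nil, fmt.Errorf("bad record %q", r)
			}
			n, _ := zw.Write([]byte(r[c] + "\n"))
			s.raw += n
		}
		if err := zw.Close(); err != nil {
			return nil, err
		}
		s.cols[name] = buf.Bytes()
		s.packed += buf.Len()
	}
	return s, nil
}

// column decompresses exactly one column; the others are never touched.
func (s *ColumnStore) column(name string) ([]string, error) {
	blob, ok := s.cols[name]
	if !ok {
		return nil, fmt.Errorf("no column %q", name)
	}
	zr, err := gzip.NewReader(bytes.NewReader(blob))
	if err != nil {
		return nil, err
	}
	data, err := io.ReadAll(zr)
	if err != nil {
		return nil, err
	}
	return strings.Split(strings.TrimSuffix(string(data), "\n"), "\n"), nil
}

// Where returns the row numbers whose value in col satisfies pred, reading
// that column only.
func (s *ColumnStore) Where(col string, pred func(string) bool) ([]int, error) {
	vals, err := s.column(col)
	if err != nil {
		return nil, err
	}
	var hits []int
	for i, v := range vals {
		if pred(v) {
			hits = append(hits, i)
		}
	}
	return hits, nil
}

// Rows materialises full records for the matched row numbers.
func (s *ColumnStore) Rows(ids []int) ([][]string, error) {
	out := make([][]string, len(ids))
	for _, name := range s.names {
		vals, err := s.column(name)
		if err != nil {
			return nil, err
		}
		for k, id := range ids {
			out[k] = append(out[k], vals[id])
		}
	}
	return out, nil
}

// Ratio is compressed bytes divided by raw bytes (lower is better).
func (s *ColumnStore) Ratio() float64 { return float64(s.packed) / float64(s.raw) }

// sampleLog fabricates n mail-gateway records (constructed, not real traffic).
// Every 97th subject mentions Microsoft so there is something to search for.
func sampleLog(n int) [][]string {
	senders := []string{"alice@corp.example", "bob@corp.example", "hr@corp.example"}
	subjects := []string{"weekly status", "lunch?", "Q1 forecast", "re: audit schedule"}
	recs := make([][]string, n)
	for i := range recs {
		subj := subjects[i%len(subjects)]
		if i%97 == 0 {
			subj = "Microsoft licensing renewal"
		}
		recs[i] = []string{
			fmt.Sprintf("2008-03-01T%02d:%02d:%02dZ", i/3600%24, i/60%60, i%60),
			senders[i%len(senders)],
			fmt.Sprintf("mx%d.corp.example", i/7%2+1),
			subj,
		}
	}
	return recs
}

func main() {
	store, err := Build([]string{"time", "sender", "relay", "subject"}, sampleLog(5000))
	if err != nil {
		panic(err)
	}
	fmt.Printf("compressed to %.1f%% of raw size\n", 100*store.Ratio())
	ids, _ := store.Where("subject", func(v string) bool { return strings.Contains(v, "Microsoft") })
	rows, _ := store.Rows(ids)
	fmt.Printf("%d messages mention Microsoft; first: %v\n", len(ids), rows[0])
}
```

On the constructed data the columns shrink to a small fraction of their raw size because log fields repeat heavily, which is the property the whole approach relies on. A production system would split each column into blocks so that a query decompresses only the blocks it needs, and would keep a small index (value dictionary or min/max range) per block; the principle of compress-once, scan-in-place for immutable records is the same.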