The news that the Information Commissioner’s Office has fined public sector organisations over £2m in the last 18 months shows that basic lessons on information security are not being learned. A perimeter-based approach to security built around firewalls and defensive controls at the edge of the IT network is no longer sufficient. Organisations need to rethink their approach to information security and take care to classify and protect the data itself according to the sensitivity of that information.
‘End-to-end information security’ is a useful catch-all term to describe a strong security posture. However, the public sector needs to consider the status of different types of data in order to take the steps needed to protect that data adequately. Data can be categorised in three ways for this purpose:
From a security standpoint, ‘Data at Rest’, the inactive data physically stored in databases, spreadsheets, data warehouses and on mobile devices, is vulnerable. It is imperative that public sector organisations protect sensitive data at rest with strong encryption, so that it remains protected against brute force attacks when authentication methods like usernames and passwords fail.
‘Data in Transit’ is data transferred between two nodes in a network. In virtually all cases the network cannot be trusted, and the data must be protected with network encryption, supplemented by SSL certificates, Internet Protocol Security (IPsec) and other precautions where relevant. Finally, there is ‘Data in Use’, data held in memory while it is being processed. Sensitive data should be protected by application encryption and exposed only on a need-to-know basis: encrypted as soon as possible and decrypted only when necessary. This selective approach can only be performed at the application level.
By classifying data rather than systems for different levels of protection, public sector organisations can protect themselves from the indignity and criticism of security breaches, as well as the associated data breach financial penalties. The threats of data theft, whether internal or external and whether arising from human error or malicious intent, are costly and dangerous. Government has a duty to protect this information, and the Public Services Network is a major step towards fulfilling this duty.
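As an added illustration (not code from the article or from Thales), the following Go program shows the classification-driven, application-level protection described above for data in use: only the fields classified as sensitive are encrypted with AES-GCM as soon as a record is built, and each is decrypted only when a caller asks for it. The record schema, field names and classification map are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Record: sensitive fields are held as nonce||ciphertext, public ones in the clear.
type Record struct {
	ID        string
	Sensitive map[string]bool // per-field classification (constructed example)
	Fields    map[string][]byte
}
// NewGCM builds the AES-GCM AEAD used for application-layer field encryption.
func NewGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// Protect encrypts sensitive fields at build time; record ID and field name are AAD, so a blob moved elsewhere will not open.
func Protect(gcm cipher.AEAD, id string, plain map[string]string, sensitive map[string]bool) (*Record, error) {
	rec := &Record{ID: id, Sensitive: sensitive, Fields: map[string][]byte{}}
	for name, val := range plain {
		if !sensitive[name] {
			rec.Fields[name] = []byte(val) // public field: stored in the clear
			continue
		}
		nonce := make([]byte, gcm.NonceSize())
		if _, err := rand.Read(nonce); err != nil {
			return nil, err
		}
		rec.Fields[name] = gcm.Seal(nonce, nonce, []byte(val), []byte(id+"/"+name))
	}
	return rec, nil
}
// Reveal decrypts one field only when a caller needs it; the rest stays encrypted.
func Reveal(gcm cipher.AEAD, rec *Record, name string) (string, error) {
	stored, n := rec.Fields[name], gcm.NonceSize()
	if !rec.Sensitive[name] {
		return string(stored), nil
	} else if len(stored) < n {
		return "", errors.New("truncated ciphertext")
	}
	pt, err := gcm.Open(nil, stored[:n], stored[n:], []byte(rec.ID+"/"+name))
	return string(pt), err // err is set on wrong key, tampering or a swapped blob
}
```

Because the record ID and field name are authenticated, a ciphertext copied from one record or field into another fails to decrypt, which is the detection a whole-disk or database-level encryption layer cannot provide.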
Ross Parsell, Government and commercial account director at Thales UK