About Me
Evan Schuman
Founder and Editor-in-Chief
StorefrontBacktalk.com
Evan Schuman is founder and editor-in-chief ...
Feeds & Podcasts
Enterprise Blogs
- Cloud Security (10)
- Critical Infrastructure Protection (10)
- CSO / Risk Management (64)
- Data Center (9)
- Data Protection (63)
- Embedded (7)
- Management (6)
- Mobile (29)
- NAC (2)
- Network Security (37)
- Public Sector (26)
- Risk Compliance (63)
- SaaS (2)
- Security Connected (107)
- Security Perspectives (7)
- SMB (3)
- Support (6)
- System Endpoint (22)
- Virtualization (5)
Meet the Bloggers
- Adam Wosotowsky
- Andrew Berkuta
- Barry McPherson
- Brian Contos
- Brian Foster
- Brian Kenyon
- Callie Skokos
- Carrie Ellis
- Charles Ross
- Chintan Shah
- Dan Olds
- Dan Wolff
- David Hatchell
- Dr. Phyllis Schneck
- DThakkar
- Ed Metcalf
- Ed White
- Editor
- Elan Winkler
- Eric Andre
- Eric Schou
- Evan Schuman
- Evelyn de Souza
- Francois Paget
- Gary Davis
- Geok Meng Ong
- George Kurtz
- Greg Brown
- Jan Volzke
- Jim Walter
- Jimmy Shah
- John Dasher
- Joseph Blankenship
- Josh Archambault
- Kayvon Sadeghi
- Kent Landfield
- Kevin Reardon
- Kim Singletary
- Larry Ponemon
- Leon Erlanger
- Lianne Caetano
- Lillian Wai
- Marc Olesen
- Mark Campbell
- Martin Ward
- Matt Fairbanks
- Melissa Siems
- Michelle Dennedy
- Mike Carpenter
- Mike Gallagher
- Nikfar Khaleeli
- Oliver Devane
- PageOne Pr
- Pamela Warren
- Raj Samani
- Rees Johnson
- Rishi Bhargava
- Robert Welty
- Ryan Permeh
- Scott Chasin
- Simon Hunt
- Stephen Karkula
- Steven Fox
- Stuart McClure
- Swapnil Pathak
- Swaroop Sayeram
- Tim Fulkerson
- Tim Roddy
- Tom Conway
- Tom Gann
- Tony Zirnoon
- Tyler Carter
- Vijay Upadhyaya
- William Beltane
Archive
- February 2012 (18)
- January 2012 (47)
- 2011 (482)
- 2010 (431)
- 2009 (395)
- 2008 (294)
- 2007 (416)
- 2006 (169)
Tags
#SecChat $1 million guarantee 12 Scams of Christmas access to live fraud resolution agents Acquisition Alex Thurber Android antivirus Apple botnet Channel Partners cloud security Compliance Consumer counter identity theft credit card fraud and protection credit fraud alerts credit monitoring credit monitoring and resolution critical infrastructure Cyber Security Mom cyberbullying Cybercrime cybermom data breach data center data center security Data Protection Dave DeWalt DLP Email & Web Security embedded encryption Endpoint Protection enterprise facebook fake anti-virus software Family Safety Friday Security Highlights global threat intelligence google government Hacktivism how to talk to kids how to talk to teens identity fraud identity fraud scams identity protection identity protection $1 million guarantee identity protection fraud identity protection surveillance identity surveillance identity theft identity theft expert identity theft fraud identity theft protection identity theft protection product Identity thieves and cybercriminals intel iphone kids online behavior lost wallet protection malware McAfee McAfee Channel McAfee Family Protection McAfee Identity Protection McAfee Initiative to Fight Cybercrime McAfee Labs McAfee security products Mid-Market Mobile mobile malware mobile security monitor credit and personal information Network Security online personal data protection online safety Operation Aurora PCI personal identity theft fraud personal information loss personal information protection phishing privacy proactive identity protection proactive identity surveillance Public Sector restore credit and personal identity Risk and Compliance scam scams scareware security smartphones social media social networking social networks spam Stuxnet twitter vulnerability Web 2.0 work with victim restore identity
The Best Way To Protect Some Data Is To Kill It
|
|
Traditionally, IT leaders have seen a key part of their roles as protecting corporate data, whether that’s from thieves or the accidental erasure of crucial files. But a role that is focused on much less is the strategic need to protect a company’s intellectual assets by destroying data. Making data go away—and stay away—is becoming especially difficult today.
Let’s take the first part. How difficult is it today to erase a file? I mean really erase it. Among the twists is Windows Shadow Copy, which quietly makes backup files, which are extremely difficult to delete. Add on top of that mobile devices, thumb drives and working from home and it’s startling how quickly a simple delete becomes impossible. This is true whether the deletion is for an honorable reason—such as removing sensitive personnel-related data when a laptop is transferred from one employee (or a departing employee) to a new employee—to less honorable issues such as deleting information before it can be subpoenaed or sought in legal discovery.
One sensitive document created on a company desktop machine may, in a matter of minutes, be unintentionally copied in 10 locations: an employee’s desktop; the LAN server that backs it up; a PDA; the carrier/vendor server that synchs the PDA data; a memory stick; the home computer the employee used that memory stick in; the personal external backup drive connected to that employee’s computer; an offsite backup service the employee uses; the shadow copy on that employee’s work desktop machine; and the shadow copy on that employee’s home desktop machine.
And if that employee happened to E-mail that file to colleagues, clients or anyone else, the number of copies of that file may mushroom by the number of people who were cc’ed and all of the places on their devices were it might be stored, plus various E-mail servers and the servers on the ISPs for the entity sending it and the entities receiving it. And their backup systems. Speaking of backup. Yesterday’s full system backup complicates this even further.
As a philosopher might say, the only safe way to delete a file is to have never recorded it. As silly as that may sound from a data security perspective, it shouldn’t be dismissed.
Consider this scenario: A chain notices a PDA app that uses geolocation to match consumers with local happy hours. (For those outside the U.S., it’s a time when bars tend to heavily discount alcoholic beverages.) It throws the app onto its mobile site as a service for a customers and thinks nothing of it.
As a matter of policy, the chain decides that it will not use any of that information for marketing or anything else. Fair enough. But what if local law enforcement chooses to subpoena those records so that it can know who frequents happy hours a lot. And if it can tap into realtime data, police could try and catch them in the act. And maybe some civil attorneys try to subpoena the documents as well for some automobile accident cases.
In this scenario, let’s say the retailer aggressively fought all of these efforts, but ultimately lost. The consumers are furious at that retailer, as that’s the trusted brand that they see as having betrayed them. It doesn’t matter that the balance prohibited it, nor that no employees helped and it’s also irrelevant that the chain spent barrels of cash to oppose it. The data was collected by the chain, preserved by the chain and then taken from the chain.
Bottom line: Once data is saved to a file, you may never be able to get rid and you certainly could lose control of it. (Truth be told, you never really had control of it, but I’d rather not be that harsh.)
This is as applicable to geolocation data as it is to driver’s licenses shown to support an age-restricted purchase or to allow a receipt-less return. It’s especially relevant for payment card data. If the retailer never saves it, it can’t be stolen from them.
Evan Schuman is a guest blogger on the McAfee Security Insights blog. Evan is the founder and Editor-in-Chief of StorefrontBacktalk.com, a global site that tracks retail IT and E-Commerce issues for readers. He also writes the weekly Retail Realities column for CBSNews.com. More on Evan can be read on his author page.
|
|
Tags: Data Protection, PCI, Risk and Compliance
Submit your own comments / message for this post