|
IT Workers at Front Line in Privacy War
Published: October 17, 2006
by Robert Gast
These days, you might as well scrawl your name and social security number onto a king size bed sheet and hang it from a highway overpass. At least that's how it seems. While there are many new laws designed to crack down on identity theft, many IT departments around the world continue to put this sensitive data at risk, proving the adage that old habits die hard. Luckily, there are tools available to make good data stewardship a bit easier for OS/400 programmers.
Your social security number and other sensitive bits of personal information are in hundreds of databases around the world and anyone who has the will and wits to get at it, probably can. Since there are millions of identities to pick from, luck is likely to be your only firewall.
Lots of organizations are having trouble keeping a lid on the identity box lately: Ford Motor Company, Boeing, FedEx, and Honeywell are just a few. An organization that tracks such events is Privacy Rights Clearinghouse. They maintain an up-to-date listing of databases breaches at http://www.privacyrights.org/ar/ChronDataBreaches.htm. The organization claims the total number of records containing sensitive personal information involved in security breaches exceeds 93 million.
At best, for the consumer, having your personal information nicked means getting six months of free access to the Equifax, Experian, and TransUnion credit reporting services, along with a form apology letter from the negligent party. In the worst instances, your reputation gets shattered.
For the organization that has its name attached to the problem, it's a public relations catastrophe, according to PR expert, Eric Seymore of Bridgeman Communications in Boston. "Good will can be lost and it may take years to rebuild consumer trust," he says.
This year, when the Berks County Sheriff's Office hired Canon Technology Solutions of Conshohocken, Pennsylvania, to develop an intranet accessible database of registered gun permit holders, it expected good results. Unfortunately, due to an oversight, on September 5, the names of more than 25,000 permit applicants became accessible from browsers connected to the Web. Each record included a name, birth date, social security number, psychiatric history, and other confidential information. Canon Technology Solutions of Conshohocken covered the cost of mailing the apology letter, including $9,700 for postage.
Increasingly, consumers are taking action against the way corporations collect and store personal data. A recent flurry of new privacy legislation aimed at protecting personal information is being drafted to go along with existing laws, like the Data Protection Act, HIPAA, and Gramm-Leach Bliley in the United States and PIPEDA in Canada.
While it's not clear why sensitive data reached the Internet in the Berks County case, using special test data sets that contain names, social security numbers, and birth dates that in no way reflect the identity of real people is a good practice. Unfortunately, production data is often used because it's readily available and it works well. In fact, a recent report by UK IT researcher Vanson Bourne found that 40 percent of IT departments are using live data for testing and training purposes.
Organizations that use IBM's System i servers can prevent their test data from getting into the wrong hands by utilizing software from U.K.-based The Original Software Group. OSG, which specializes in developing automated testing solutions for System i, Windows, and Web-based systems, advocates the use of systems that extract key data sets and then scramble the contents, leaving field lengths and referential integrity in tact.
"Short of using our product to do this, developers can write their own routines, but one way or another, data used for testing purposes should never have a relationship to a real individual," says Colin Armitage, CEO of OSG. "Homegrown routines will not have the same flexibility and reporting capabilities as our solution, but still, it's far better than using live data for testing."
OSG's tools, called Extractor for iSeries and Extractor Compliance Edition, offer several different options to convert live data into test data sets. The simplest option is vertical scrambling. This method randomly substitutes the field contents of one record for another. In many cases, blending data in this fashion offers ample protection.
The second method is referred to as synchronized scrambling. Instead of just randomly jumbling the contents of fields across a given set of records, it allows users to change the value based on user definable range limits. In instances where the data are names, random alpha characters are generated.
The third option lets users create their own programs and introduce them into the scrambling process through a user exit hook. This option is useful in instances where, for example, you need to generate data that looks like credit card account numbers. Credit card numbers usually have a check digit that is used to verify the validity of the number. This check digit needs to be present in testing data sets.
OSG's solutions maintain referential integrity throughout the scrambling process. If, for example, a customer master file has a relationship with an order header file and that relationship is the customer order number, then Extractor for iSeries will detect that relationship and change the data in all related files so that it is consistent. For those who plan to set out and write their own scrambling routines, referential integrity is very difficult to accomplish.
Finally, a data extraction facility that's included in these tools can be used to keep unauthorized parties from ever seeing live data when it's extracted from production files. This facility allows authorized system managers to set limits on which files can be accessed. Users only see the contents of the data sets that are manipulated by one of the scrambling techniques.
Robert Gast writes for The Original Software Group, a developer of software quality solutions for i5/OS, Windows, and Web-based systems. Gast has written millions of words on business relevant technology and has lectured on these subjects at Roosevelt University in Chicago, Illinois. He is the managing partner of Evant Group and can be reached at bobgast@evantgroup.com.
|
