The Scary Realities About Your Web Data

Wednesday, September 08, 2010

Lori Homsher


I'm head of IT for an order fulfillment company. I also teach information security and handle IS projects for a couple of organizations, so I relate to both the IT (just get it done!) and the IS (but keep it secure!) perspectives.  

In the order fulfillment industry, our primary objective is to receive and ship orders. The orders arrive via a myriad of methods including APIs, EDI transactions, and batch files - and they come from many different industries such as pharmaceutical, retail, manufacturing, education, biotech, chemical, and ecommerce.

Order fulfillment is on the receiving end of quite a bit of personal data, and what I find so surprising is that we are often the only line of defense for ensuring the secure handling of this data.

When working through the details of data transfers, the client team is primarily concerned with getting data from point A to point B. Security of the data rarely comes up, unless we mention it ourselves.

Here's one example: Recently, an employee from a large print company (our client) wanted to email us unencrypted Excel files containing customer name, address, and credit card data - clearly not a PCI-compliant method of transferring cardholder data. Thankfully, we do a good job of awareness training, and the person who received the request knew to push back.

At this point, you probably think we are working with mom-and-pop web site companies, so let me point out that over 90% of our clients are Fortune 500 companies.

The issue here is data transfers. From this issue, we can branch off into many security discussions, but the focus of this article is this: Corporations may have security policies in place, but project teams are largely ignoring them.

Since I work mostly with product teams and ad-hoc groups within the larger corporate enterprise, it appears (from my outside perspective) as if these teams are working without security governance. Our client contacts are not technology or security experts. When I propose encrypting the data, they ask "what do you suggest?" Either these companies have no standards, or the team members are unaware of the standards that exist.

Browser and website security may keep the data secure from customer to ecommerce site, but what happens to the data that is shared with back-end vendors? A website may be PCI compliant, but I know from experience that vendors are often missed in PCI audits.

So, what's the solution? This problem isn't easily rectified, but here is an idea I've seen one of our clients recently implement.

Last week, I attended a client meeting in which a third-party vendor was creating a new website that would ultimately feed orders into our fulfillment system. In this case, it's vendor-to-vendor data transfer - the client never sees the data.

The meeting included our primary client contacts, as well as a representative from the IT integration group. This IT representative was present simply to ensure we chose the integration approach that best fits the IT strategy of the firm.

In this particular example, the IT representative was not concerned about security (in my opinion, he should have been), but the concept represents what I think is needed - someone on the client team who is concerned about data integrity and confidentiality. 

Bottom line: What I see in my daily interaction with corporate America is a disconnect between the security organization within the company and the project teams. Policies are important, but are we asking too much of our end users by expecting them to remember security issues when mapping out projects involving multiple vendors?

Is it reasonable to expect the head of marketing to think of data security when launching a promotion involving new data feeds? If data sharing policies exist, how can the organization ensure its employees are following them? Data Loss Prevention (DLP) may help, but is not an easy solution for vendor-to-vendor data sharing.

What is your company doing to control data security across vendors - and how do you know it is working?


Fred Williams:
A solution could be to implement web services. A web service is just what you describe: instead of human-to-computer communication, a web service is computer-to-computer communication.

There are three types of web services: RPC, SOAP and REST. If you use SOAP, you can use the WS-Security extension provided by OASIS. REST really doesn't have an easy message-level security extension similar to WSS.

But you can use WSS to encrypt your payload or just certain elements of the message (things like SSN, credit card, etc.). That way, if anyone intercepts the message along the way, the sensitive data is encrypted.

Send me a note if you have any questions about implementations.

Lori Homsher:
Great suggestion, Fred! We do provide web services for clients, and we've implemented many projects with SOAP. However, we've found that in many cases the other third-party vendors aren't able to accommodate it (i.e., call centers and small web vendors). Since our clients pick the vendors, we just make recommendations and hope for the best.
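The element-level encryption Fred describes above (encrypt only the sensitive fields of a message, leave the routing fields readable) is the recommendation a fulfillment house can hand to a client who asks "what do you suggest?" when a SOAP/WS-Security stack is out of reach for the vendor on the other end. The following is an added example, not code from the article or its commenters: it applies the same idea to a JSON order record using AES-256-GCM from the Go standard library rather than WS-Security. The `Order` record, the sample values and the fixed pre-shared key are constructed for illustration; in practice the key would be exchanged out of band and rotated, and the order ID is bound in as associated data so a ciphertext cannot be spliced onto a different order without failing authentication.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"io"
)

// Order is a constructed sample of the kind of record a web vendor hands to a
// fulfillment house. Only CardNumber is treated as sensitive here; name and
// address stay readable so the receiving system can still route the order.
type Order struct {
	OrderID    string `json:"order_id"`
	Name       string `json:"name"`
	Address    string `json:"address"`
	CardNumber string `json:"card_number"` // the one element we encrypt
}

// EncryptField seals a single field with AES-256-GCM. The random nonce is
// prepended to the ciphertext; aad (the order ID) is authenticated but not
// encrypted, so moving the ciphertext to another order is detected.
func EncryptField(key []byte, aad, plaintext string) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, []byte(plaintext), []byte(aad))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// DecryptField reverses EncryptField and fails if the tag does not verify.
func DecryptField(key []byte, aad, encoded string) (string, error) {
	sealed, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	if len(sealed) < gcm.NonceSize() {
		return "", fmt.Errorf("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, []byte(aad))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// ProtectOrder is the sending side: same JSON structure, but card_number is
// replaced by its ciphertext before the record leaves the vendor.
func ProtectOrder(key []byte, o Order) ([]byte, error) {
	enc, err := EncryptField(key, o.OrderID, o.CardNumber)
	if err != nil {
		return nil, err
	}
	o.CardNumber = enc
	return json.Marshal(o)
}

// UnprotectOrder is the receiving side: parse, then decrypt the one field.
func UnprotectOrder(key []byte, data []byte) (Order, error) {
	var o Order
	if err := json.Unmarshal(data, &o); err != nil {
		return o, err
	}
	pan, err := DecryptField(key, o.OrderID, o.CardNumber)
	if err != nil {
		return o, err
	}
	o.CardNumber = pan
	return o, nil
}

func main() {
	// Assumption: a 32-byte key pre-shared between the two vendors. A fixed
	// value is used only so this example runs stand-alone.
	key := []byte("0123456789abcdef0123456789abcdef")
	sample := Order{OrderID: "A-1001", Name: "Jane Doe", Address: "1 Main St", CardNumber: "4111111111111111"}
	wire, err := ProtectOrder(key, sample)
	if err != nil {
		panic(err)
	}
	fmt.Println(string(wire)) // name and address readable, card_number opaque
	back, err := UnprotectOrder(key, wire)
	if err != nil {
		panic(err)
	}
	fmt.Println(back.CardNumber == sample.CardNumber)
}
```

The point for a vendor-to-vendor feed is that the intermediary (a call center, a print shop, an email server) can carry and even parse the record without ever seeing the card number, and any edit to the order ID or the ciphertext fails authentication on the receiving end instead of silently producing garbage.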