Another Delay, Another Black Eye for Security

16.02.2009
This week, I ran into unexpected trouble. A project is ready to go live, but it never received a security review. And it has a lot of the elements that would go into a worst-case scenario: a third party, sensitive data, the Internet and no plans for encryption.

We've done a good job of getting security reviews into all phases of our project cycle, including the concept stage. That means we've been able to avoid most last-minute security roadblocks. So, how did this one fall through the cracks?

Maybe because it's a third-party application that's accessed over the Internet via software on end-user systems. People tend to think of that sort of implementation as a hands-off situation. Of course, most people don't think like a security manager.

When I look at what's planned with this implementation, I see data -- in fact, employee payroll information -- being sent to a third party. I see a looming nightmare, since the company that hosts the financial application in question seems to have no understanding of, or ability to provide, encryption.

As soon as I heard about this (secondhand), I asked for a meeting with the project manager. I couldn't believe what I was hearing. Employee names, Social Security numbers and pay amounts were going to be transmitted over the Internet, with no encryption.

I told the project manager that we'd need a minimum of file-level encryption, preferably at the point where the data is created (in this case, in ). And I added that it should not be decrypted until it is used, ideally within the third-party application itself. I'm willing to compromise on exactly where the data is encrypted within our perimeter, but once it gets out to the Internet, it needs to be protected, in an unreadable form.