Computerworld - In my last column , I discussed how I was called upon to do a fiscal-impact analysis of a privacy bill that was going before our state legislature. The bill is expected to pass soon and become law. And when that happens, state agencies like the one I work in, as well as private businesses, will be held accountable for any disclosures of individuals' personal information.
Despite my conclusion that complying with this law would require several hundred thousand dollars for just my agency, we and other state agencies might not receive any additional funds to comply with the mandate. So how do I go about protecting all the personal information that resides in our databases and servers and traverses our network?
No single hardware device or software application will be adequate. My best option is to use open-source tools and existing hardware to configure and install an intrusion-detection system. The IDS will let us monitor network intrusions and attacks and investigate the possibility of data such as Social Security numbers leaving or traversing our network in plain text. At least it's a start.
Do-It-Herself
In all my previous, private-sector jobs, I managed the people who configured and installed such systems. Although I have analyzed the data from these systems, correlated the information with output from other sources, given direction to staff and approved plans related to the placement of network taps, network monitoring appliances, firewalls, VPN concentrators and other security devices, I have never built such a device with my bare hands and put it into production. I am unaware of anyone within the state system who has walked down this path before. But that could be a case of the right hand not knowing what the left hand is doing; state agencies are fairly autonomous, and while efforts are under way to improve collaboration and the pooling of talent in the security arena, there doesn't appear to be a strategic plan. So people like me just muddle along, trying to do the right thing.
I'm a bit hesitant. Can I do this? To master the software I have selected -- Red Hat Inc.'s Fedora Core 3, Snort, MySQL and BASE, as well as Apache, SSL and PHP -- I will have to rely on my little-used *nix (Unix and Linux) skills, as well as white papers and how-to articles written by those much more experienced than me in the nuts and bolts of all this. I can also consult newsgroups and call on many friends and colleagues. And
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
