Computerworld -
This week, I ran into unexpected trouble. A project is ready to go live, but it never received a security review. And it has a lot of the elements that would go into a worst-case scenario: a third party, sensitive data, the Internet and no plans for encryption.
We've done a good job of getting security reviews into all phases of our project cycle, including the concept stage. That means we've been able to avoid most last-minute security roadblocks. So, how did this one fall through the cracks?
Maybe because it's a third-party application that's accessed over the Internet via software on end-user systems. People tend to think of that sort of implementation as a hands-off situation. Of course, most people don't think like a security manager.
When I look at what's planned with this implementation, I see data -- in fact, employee payroll information -- being sent to a third party. I see a looming nightmare, since the company that hosts the financial application in question seems to have no understanding of, or ability to provide, encryption.
As soon as I heard about this (secondhand), I asked for a meeting with the project manager. I couldn't believe what I was hearing. Employee names, Social Security numbers and pay amounts were going to be transmitted over the Internet, with no encryption.
I told the project manager that we'd need a minimum of file-level encryption, preferably at the point where the data is created (in this case, in PeopleSoft). And I added that it should not be decrypted until it is used, ideally within the third-party application itself. I'm willing to compromise on exactly where the data is encrypted within our perimeter, but once it gets out to the Internet, it needs to be protected, in an unreadable form.
I wasn't saying anything new. Last year, we forced file encryption on many projects that involved third parties handling our sensitive information. In fact, this same project manager was involved in one of those earlier projects, so he knows all about this. I'm disappointed that so little of my message got through the first time, but at least I don't have to spend a lot of time educating him this time around.
It's too late for this project, though. The contract has already been signed, and the implementation is ready to go live. After I got involved, we had a couple of discussions with the vendor, which seems to have no idea how to use encryption software.
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
