Do you leave your keys behind the doorframe? Tips for building a digital safe

They've got all the information they need from their friend, Johan Isaksson, who knows about the security precautions at the bank. Planning has been done and it is time to do the crime.

Nils extends his hand behind the door frame where the key to the front door is stored. They both quickly enter. Once inside, Lars the blacksmith begins his work. He manages to open the door to the safe.

The next morning, the staff finds the bank safe open. In it are only a few coins and a note with a taunting poem. The burglars get away with 850,000 riksdalers, about 4-8 million Euro in today's monetary value, making the robbery one of the largest in Sweden’s history. Some say that it is surpassed first by the Great Train Robbery in England 1963

The authorities in Linköping are perplexed. They ask for help from the neighbouring police district’s (Norrköping) own Sherlock Holmes, Police Commissioner H.M Larsson. Larsson visits Linköping's taverns and pubs disguised as an ox trader. He finds clues which lead to the arrest of the criminals. The loot was, for the most part, found, buried in a kitchen garden not far away.

While entertaining and historically true, the above story has important lessons for us working with protecting digital data. As key learnings, I would list the following:

• Be careful how you handle user information and digital keys (do not hide them above the door frame)
• Be sure to have detective controls in place (the bank was missing alarm functionality so the burglars could work undisturbed for an extended period)
• Make sure you have a strong digital safe that requires time and effort to crack. (A blacksmith's tools should not be enough.)

A look at physical and digital security

Physical security often consists of a protective shell, an alarm zone and a safe. This concept translates quite well into our world of digital security.

Comparing physical and digital security, you could say that Next-Generation Firewalls, email protection and strong endpoint protection etc. correspond to the shell protection (walls, doors and external locks) in the physical world. But, since competent criminals can get inside the shell, we need a place in the IT environment where security is at an even higher level – the digital safe.

It is more cost-effective to secure a small amount of the most valuable data/assets than to secure all data/assets in the organization.

What is a digital safe?

Today, almost all data is digital. Most organizations have data that needs to be protected to prevent damage or financial loss. It may be financial data, data relating to the security of the nation, personal data, or trade secrets.

When we collect this sensitive data and place it in one specific place in the IT-environment, restrict access and take necessary security precautions to secure it – thus you have a digital safe. 

If you are a rare case, an organization which has only public data, then you do not need a digital safe. However, you still need to protect your infrastructure so that you are not exposed to sabotage.

To build a digital safe, the important thing is to not think only about technology; routines and policies need to be in place as well. The following list can be used as a checklist for first steps when building your digital safe.

• Controlled and restricted network access to the infrastructure of the safe.
• Detective controls that provide visibility to discover any unauthorized attempts.
• Routines/scripts in place stopping unauthorized persons from getting in.
• A proxy or jump point that prevents direct contact by the safe with possibly infected computers.
• Restricted access, so only employees with an absolute need can access the safe
• Insurance that the keys to the safe are safe, ie. not found in other infrastructure, eg. identities and other forms of digital keys
• Checks that the keys to the safehold an appropriate level of security for what you want to protect
• Insurance that the safe itself is protected with a stronger technology than the one you use in the shell protection. (Ex. encryption, whitelisting, hardening and IAM technology)
• Verification that those who serve the infrastructure can in no way access the secure information
• Verification that the protection works and is active (ex. penetration tests and vulnerability scanning)
• Logging of access and alarms; that someone/something controls the logging and routines are in place if the logging stops working.
• Insurance that the logs have a retention time, matching your compliance demands.
• Checks that backups are done, and that backup data will not become a security risk.
• Verification that the infrastructure in the digital safe is protected from unauthorized physical access and external environment threats, for example, fire.

Do you have a need for a digital safe? TietoEVRY can help with pre-packaged digital safes, adapted to different forms of data where the cost is adjusted to what you need to protect.

PS. We also have a SOC (Security Operations Center) with highly skilled security analysts. One of them is called Larsson just like the police commissioner in history, but he is not from Norrköping.

Further reading:

Develop Cyber Resilient Systems (NIST.SP.800-160v2)
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-160v2.pdf
Guide to Application Whitelisting (NIST.SP.800-167)
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-167.pdf
ICSA Guide to Cryptography by Randell K.Nichols
Digital Identity Guidelines (NIST.SP.800-63)
https://pages.nist.gov/800-63-3/