The secure database myth

Last weekend the Sunday Times reported the existence of a database containing details of up to 8m UK children, the content of which will be made available to the police, medical staff and social workers when appropriate.

[Data] would be provided only to those who needed to see it in line with data protection laws,’ said one local authority involved in the project.

Just two days later, the Times reports on a Royal Navy submariner who gathered secret material, including cryptographic software, to pass to a foreign government; presumably, the Royal Navy thought its data was secure.

padlock secure database

Secure? Yes, but only if no-one has the key…

So there we have it: your data is safe with us – until a nosy, disgruntled, politically motivated, password-holding individual susceptible to cash inducement with access to a ‘secure’ system, decides otherwise.

After more than 30 years in and around IT, it seems clear: genuinely secure systems are few and far between; it’s not the IT infrastructure that’s the problem, it’s people.

We’re under pressure or lazy or brain dead, and the next thing you know is that a password gets passed to someone unauthorised (“It’s OK, I’ve known him for years“) or someone copies data to a flash drive to work on it at home.

Rule #1 of computer security is that, given time and opportunity, anything secured by one person can will be unsecured by another.

I can see into the future: a DVD of pupil data will be found on a rubbish dump or a laptop with half a million confidential records will be left on a train, and a government spokeswhatever will trot out the usual inanity that ‘lessons will be learned from this episode‘.

Of course they should be, but they never are; because the individuals in charge of these huge volumes of personal information – so tempting to the criminal, the nosy and the malicious – simply don’t seem to understand that, in the long term, no large data repository can remain totally secure.

It’s the people, stupid.

Update: In today’s Times: “A computer used by Paula Broadwell, whose affair with General David Petraeus led to his resignation as head of CIA, contained substantial confidential information, officials said last night“.

I rest my case.

If you found this entry interesting, you might like to subscribe to this blog using the Subscribe button at the top of this page. A mention on your favourite social media site would be appreciated as well. Thanks!

About nutting

Former law firm project manager based in Jersey, British Channel Islands. Now he isn't project managing, he's shooting clay pigeons with a side-by-side, polishing his collection of kukris or digging his vegetable patch.
This entry was posted in Data security, Technology and tagged , , , , , , , . Bookmark the permalink.

Leave a Reply