An enormous amount of administrative audit data is collected every day at large companies across the world, and the administrators who run those systems have the power to steal cardholder (PCI) data and other valuable data and then cover their tracks. This is harder at companies that enforce a strict separation of duties for administrators.
Generally, only large companies with significant financial risk implement separation of duties well. What can be done to help mid-sized corporations worldwide prevent tampering with the audit data produced by their applications and the infrastructure that supports them?
Many small and mid-sized firms cannot afford a proper separation of duties between administrators, and they have not deployed extensive SIEM (Security Information and Event Management) technology. I've seen ArcSight, a SIEM product, deployed at a national retailer. They had an extensive number of connectors that needed to be built to properly collect all security-related data from the various IT systems. The SIEM hierarchy is effectively a security fault tree: it is complex and hard to configure well. So some companies are instead applying 'Big Data' techniques to analyze their logging data.
It is becoming commonplace to log all administrative functions on applications and on all of the data center infrastructure that supports them: successful and failed logins, changes to account privileges, authorization attempts, and application administration and configuration changes. Imagine firewalls, load balancers, virtual machines, network bandwidth allocation, database servers, storage subsystems, and LDAP servers all saving log data. Unauthorized and untracked changes can cripple a data center, causing losses of tens of thousands to millions of dollars; they can lead to theft of credit card numbers and the loss of customers; and they damage the corporation's reputation, leading to future loss of business.
WORM (Write Once Read Many) technology exists on optical media today: to protect images or data permanently, a person can burn them to a write-once CD. What about disk drives? The administrative problems SMBs face cry out for WORM disk drives. Because of the lack of technology and process oversight, it is much easier for administrators at these SMBs to abuse retail PCI data or healthcare HIPAA data. A WORM drive would keep log data protected so that a corrupt administrator cannot erase the evidence he or she creates while carrying out illegal activity.
Another market for WORM drives is e-discovery. E-discovery begins when a lawsuit is filed against a corporation. The data investigation firm collects multiple terabytes of data from the company as evidence, which is then sifted to determine what is relevant to the lawsuit. This is also a "Big Data" problem; sifting through email, pictures, and other documents to find the appropriate data is a chore. The use of WORM drives here is obvious: copy all of the data handed over to the investigation firm onto WORM drives, and one can be assured that nothing in that copy changes after that point.
How would WORM drives be presented to applications? WORM-aware logging and e-discovery applications would use WORM drives housed in SAN and/or NAS configurations from companies like EMC, Dell, and/or HP. Why use a WORM drive when some auditing applications already protect some of the audit data at rest? It is better to enforce a property in hardware (as long as it is inexpensive) than in software, because when the software is not running the audit data can be tampered with. No amount of administrative effort can change the contents of a WORM drive, short of physically destroying or swapping out the drive. The limit of that guarantee should be understood as well: a WORM drive preserves exactly what reached it, so an administrator who stops or redirects the logging pipeline before acting still leaves a gap, and the completeness of what is being written has to be monitored separately.
Protecting data with WORM drives makes sense. Small and medium-sized businesses cannot afford the technology, and cannot easily enforce the separation of duties, that would make WORM drives unnecessary. Like encrypted drives, WORM drives enforce their guarantee at the lowest hardware level, the drive itself. WORM drives serve the logging, e-discovery and other "Big Data" markets. Deploying WORM drives in EMC, Dell, HP or similar storage subsystems will require applications that are WORM-aware: such applications know that the drives are write-once, so they only ever append to unused locations and never write to the same drive location twice. WORM drives permanently protect administrative data that must never be altered again.
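The append-only contract a WORM-aware application has to follow, and the "nothing changed after handover" check an e-discovery copy allows, as an added Python example (this is not code from the article or from any vendor's storage product). WormVolume is a hypothetical in-memory stand-in for a WORM disk that refuses any write touching an already-written byte; WormAwareLogger is a hypothetical logger that only ever appends; the audit events are constructed sample data. The demo shows a privileged user's attempt to overwrite an incriminating record being refused, a naive rewind-and-rewrite being refused for the same reason, and the SHA-256 fingerprint taken at handover still matching afterwards.

```python
import hashlib
import json


class WormViolation(Exception):
    """Raised when a write would touch a location that has already been written."""


class WormVolume:
    """Hypothetical in-memory stand-in for a WORM disk: each byte is writable once."""

    def __init__(self, size: int):
        self.size = size
        self._data = bytearray(size)
        self._written = bytearray(size)  # 1 where a byte has been committed

    def write(self, offset: int, data: bytes) -> None:
        end = offset + len(data)
        if offset < 0 or end > self.size:
            raise ValueError("write outside volume")
        # The drive refuses to change any committed byte, regardless of who asks.
        if any(self._written[offset:end]):
            raise WormViolation(f"bytes {offset}-{end} already written")
        self._data[offset:end] = data
        self._written[offset:end] = b"\x01" * len(data)

    def read(self, offset: int, length: int) -> bytes:
        return bytes(self._data[offset:offset + length])


class WormAwareLogger:
    """Hypothetical logger: frames each record as 4-byte big-endian length + JSON
    and always writes at the next unused offset, never rewriting a location."""

    def __init__(self, volume: WormVolume):
        self.volume = volume
        self.next_offset = 0

    def append(self, record: dict) -> int:
        payload = json.dumps(record, sort_keys=True).encode()
        frame = len(payload).to_bytes(4, "big") + payload
        offset = self.next_offset
        self.volume.write(offset, frame)
        self.next_offset += len(frame)
        return offset

    def records(self) -> list:
        """Read every record back in write order by walking the frames."""
        out, offset = [], 0
        while offset < self.next_offset:
            length = int.from_bytes(self.volume.read(offset, 4), "big")
            out.append(json.loads(self.volume.read(offset + 4, length)))
            offset += 4 + length
        return out


def fingerprint(volume: WormVolume, length: int) -> str:
    """SHA-256 of the written region, e.g. recorded when an e-discovery copy is handed over."""
    return hashlib.sha256(volume.read(0, length)).hexdigest()


def demo() -> dict:
    vol = WormVolume(4096)
    log = WormAwareLogger(vol)
    # Constructed sample events of the kinds the article says should be logged.
    events = [
        {"ts": "2013-05-01T10:00:00Z", "user": "dba1", "event": "login", "result": "success"},
        {"ts": "2013-05-01T10:02:13Z", "user": "dba1", "event": "grant", "detail": "SELECT ON cardholder"},
        {"ts": "2013-05-01T10:05:47Z", "user": "dba1", "event": "export", "detail": "cardholder table"},
    ]
    offsets = [log.append(e) for e in events]
    digest_at_handover = fingerprint(vol, log.next_offset)

    # A privileged user tries to overwrite the incriminating export record with
    # an innocuous one. The volume refuses because those bytes are committed.
    tampered = False
    try:
        cover = json.dumps({"ts": "2013-05-01T10:05:47Z", "user": "dba1", "event": "logout"}).encode()
        vol.write(offsets[2], len(cover).to_bytes(4, "big") + cover)
        tampered = True
    except WormViolation:
        pass

    # A logger that is not WORM-aware and rewinds to offset 0 is refused the same way.
    naive_rewrite_refused = False
    try:
        vol.write(0, b"\x00" * 4)
    except WormViolation:
        naive_rewrite_refused = True

    return {
        "records": log.records(),
        "tampered": tampered,
        "naive_rewrite_refused": naive_rewrite_refused,
        "fingerprint_unchanged": fingerprint(vol, log.next_offset) == digest_at_handover,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of the model is the contract, not the storage: a real WORM subsystem enforces the same refusal below the operating system, and an application that tries to rotate, truncate or rewrite in place will simply get an I/O error there, which is why the article says the applications must be WORM-aware.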
Gregory Machler is an information security architect and cloud security expert and a frequent contributor to CSOonline