The Virtue of Paranoia
For the past three-and-a-half years, Kode Vicious has
guided many a befuddled programmer toward clarity
and understanding. We hope you value his truths
from the trenches, and will continue reading the column and sending him your queries as Queue transitions
from print to digital. As our digital subscribers already
know, e-mailing him will be as simple as clicking on
firstname.lastname@example.org. He hopes to hear from you soon.
I just joined a company that massages large amounts of
data into an internal format for its own applications to
work on. Although the data is backed up regularly, I have
noticed that access to this data, which has accumulated
to be several petabytes in size, is not particularly well
secured. There is no encryption, and although the data
is not easily reachable from the Internet, everyone at the
company has direct access to the volumes, both physically and electronically, all the time. Our data center
is not particularly well protected either, with just two
locked office doors between the outside world and the
I have tried to convince my management that we
need to do more to protect the data, but they argue that
once the data is massaged into an internal format, it’s not
really of use to anyone else; and that as long as we have
backups, and therefore would not suffer an interruption
should a theft occur, we are adequately secured. How do I
get them to see the value of the data that we have and to
do more to protect it?
Petabytes of Paranoia
If it’s any consolation to you, and I know that people
write to KV looking to be consoled, you are not alone in
k email@example.com—if you dare! And if your letter
a ppears in print, he may even send you a Queue coffee
m ug, if he”s in the mood. And oh yeah, we edit letters for
c ontent, style, and for your own good!
A koder with
MISS MANNERS HE AIN”T.
your plight. Many people
undervalue their data,
believing that it can be of
little use to anyone else.
Although more people are
coming to understand the risk of leaking databases of
personal information, such as credit cards and medical
records, many other types of data remain unprotected.
Another way to think about the value of data is to ask,
“How much damage could be done to me, or my company, should another party get this data?” The competitive advantage that a company has based on its data is, in
most cases, the best way to value that data.
Is the data worth more as it ages? Or is it worth less? If
data is worth less with age, then the best way to protect
it, if the law does not require that it be kept, is to throw
it away. No, I do not mean dragging it all to the little
trash can or recycle bin on your desktop; I mean securely
disposing of the data. Some companies will destroy your
disks for you, if you’re feeling particularly paranoid. In
most cases, however, using a secure erase command, such
as rm -P on FreeBSD, is sufficient. Again, it’s all about how
much that data is worth should it be found by others.
One other way of scaring your bosses into securing
the data is to perform a simple search for recent cases of
physical data theft. Many companies have been targeted
and successfully attacked in this way, including ones that
stored their data in secure data centers. Armed robberies
of data do happen.
I would like to say that it’s hard to imagine people not
understanding the value of their data in this day and age,
but unfortunately it is all too easy to imagine. Perhaps
what your bosses lack isn’t knowledge but imagination.
My group has been maintaining an old CMS (content
management system) for several years, and we think it’s
time for an upgrade. The system is used by a bunch of
text monkeys to manage the pages on our Web site. Since
we’re a Web company, this is a pretty important system.
The code was written in-house, but the original team has