Digital Data: Can you Trust it?

By

Mar 21st


“The trouble with quotes on the internet is that it’s difficult to determine whether or not they are genuine” – Abraham Lincoln

I saw this quotation at a recent webinar and it got me thinking about how important digital content is to both my personal life and my business life. Major and minor decisions are made routinely based on the digital content available to us. Most of us are relatively trusting people, but we generally seek some reassurance about the information we use to make decisions. As an IT industry and business veteran of over 33 years I know something about the digital world; however, I also decided to consult some experts, who reinforced my understanding that, for all the benefits of the digital world, the educated professional or even the gifted amateur can manipulate digital data quite easily. According to IDC, in 2010 over a zettabyte (one trillion GB) of data was created. According to the same report, only half of all data that should be protected is protected.

As over 95% of data/information originates and/or is communicated in a digital format, the most important characteristic for the user is to be able to trust its provenance.

What do we mean by Digital Data/Content?

Fundamentally it is data and information represented as ones and zeroes for electronic processing. This includes all types of digital content, such as emails, Word documents, digital camera photos, music and audio files, web site content, tweets, software, videos and many more. Digital communications cover mobile phones (GSM/3G), scanned documents including PDFs, and most broadcast TV, radio and the Internet.

Characteristics of Digital Data

The main characteristics are as follows:

• It is binary in nature (ones and zeroes)

• It is intended by design to be manipulated

• It can be changed without leaving a trace:

o Text files

o Microsoft Word and other documents

o Email archives

o PDFs

o Sound recordings

o Images

o Database records

• It can be changed in transit

Where is Digital Data stored?

• Hard Disk files and folders in digital devices such as Servers, PCs, Notebooks, Tablets, on Networks

• Semiconductor (Chips) on PCs, Servers, USB keys, Mobile Phones etc.

• Memory Cards in or attached to PCs and portable devices such as cameras, phones etc.

• Application and email servers, backup servers

• Log files

• In the Cloud

What is the cloud?

Think of the cloud as a set of IT resources that you can access and use which do not reside on your premises or within your IT infrastructure. You, and perhaps even your cloud provider, may not know specifically where the data resides unless you have a specific agreement when you set up a cloud-based service. You may retain control of who has access, or direct your cloud provider to manage your authorized access. For those of you who remember the data centre, the cloud is analogous to a data centre. You are probably a user of cloud-based services already, such as Google Mail, Google Apps or Microsoft Office 365.

How does digital data & content change?

As we now know, one of the significant advantages of digital data is the ability to manipulate, process and analyze digital information. Modern day living and business is underpinned by technology that can do this. Think of a visit to the hospital and the equipment used by the medical profession, such as MRI scanners which help in the diagnosis of medical conditions, or Photoshop on your PC which allows you to manipulate photos. There are thousands of applications we get positive benefit from through manipulating and changing digital data. However there are some risks:-

Accidental change: – This is where digital data or content is changed by accident and unintentionally, but it can still have serious consequences. Data can be corrupted, that is, changed by some unintended action, either within our control, such as changing something on our PC, or outside our control, such as the impact of a software bug or an act of God such as a power surge. Human error happens more frequently and can cause data to be changed so that it is not as it was intended or expected.

Corrections: – We change data/content to correct earlier mistakes or to include new and/or more accurate information.

Malicious/Deliberate: – This is where someone changes data to perhaps hide facts, misrepresent facts and mislead the user of the data/content. Even amateurs can make changes with a little knowledge; however, they are likely to leave footprints that an IT professional can identify, whereas a professional leaves no trace.

So in order to reinforce and build trust in data/content, we want to be sure that the data is as intended and that accidental or malicious changes are prevented or can be detected before the data is used.

What is important is that we know the provenance of the data/content, its source and history, so we trust its integrity and its authenticity.

Malicious changes do happen, for example:

• McAfee case of backdating share options

• Consumer fraud action in Washington State

Some examples where lower trust exists in Digital Data:

Regulators: – Even today some regulators still insist on wet signatures on paper documents even though secure digital signature technology exists. Submissions often must be on paper or fax (fax digitises!!). Retention of original paper records is mandated for defined periods.

Legal Documents: – There is still a requirement in many areas for paper based contracts, records and other instruments.

Certificates & Diplomas: – Certification is an essential method of ensuring safety, security, capability, competence etc.; paper-based certificates and diplomas are still required and used.

eDiscovery Law: – Though more advanced, there is often a requirement, once evidence is found, that it be transferred to paper and certified/secured to avoid any spoliation or preservation challenges.

Some examples of Blind Trust

There is a common belief that PDF files cannot be amended or interfered with; this is a myth. It may be slightly more difficult to change one, but it is certainly not a huge challenge. We have created a culture of blind trust in certain digital arenas. Also falling into this category are email archives, scanned documents, reputable web sites, system log files and audit trails. Ultimately we need to have tests or criteria that can be used to validate the provenance and integrity of any content, and the more important the data, the more essential it is that it can be trusted completely.

Digital Data as Evidence

We use digital data daily as evidence or information for making decisions and taking actions. Let us consider the three main categories of digital evidence in business:-

Normal Business Process: – Taking the example of on-line banking, balances and payments, we use digital information to monitor and control our cash management, payments and debtors. Business process audit trails are important to demonstrate conformance to our process; the document history in our Document Management System is one example. Microsoft Office based reports, which may contain text and numerics, can be the basis of tactical and strategic decisions. Test results in our R&D or production process are the basis for releasing products. Communications such as emails are regularly the basis for taking some action. So day to day we depend on digital data, and trust it, to run our business. However, we need to periodically challenge the key digital data/content on which we make important decisions.

Legal & Litigation: – From a personal and business perspective, the importance of the integrity of digital evidence has been highlighted many times now. Like any other form of evidence it has to be found, validated and preserved. A large business has grown up around eDiscovery, which can be a very costly process. eDiscovery must be able to identify locations to search and then filter huge volumes of digital information to identify relevant evidence. It must establish provenance and then secure that evidence so its integrity is maintained for reference in legal proceedings. In business we are governed by many different laws that protect us and ensure confidence in the business environment; we need to consider the processes and related digital content that demonstrate our conformance to laws and processes in case of legal challenge or investigation. Courts, tribunals and criminal investigations may all seek and use digital evidence, and its credibility is very important. Common areas where we can take better steps to protect our digital content and data include employment law, contract law, company law, health and safety, and IPR & copyright.

3rd Party: – Government, regulators and auditors all have an interest in how we carry out our business, and we are required to provide them with information (evidence) that we have complied with requirements, or simply evidence to demonstrate what we have done and how we did it. This evidence may be used by third parties to confirm our compliance internally and externally, creating stakeholder trust in doing business with our organisations. Of course there are more significant regulatory requirements for certain categories of organization where there is a higher risk to the public in general; these include Life Sciences (Medical Device, Pharmaceutical, Biotechnology), where health and safety are of concern, with FDA & GAMP being well known examples. Financial Services is another heavily regulated sector, governed by FRS, IFRS, Basel and many other national and international regulations, and we all now know what can happen when the regulatory environment fails, as demonstrated by the recent banking crisis. Public companies are regulated to protect investors, and Sarbanes Oxley (SOX) is probably the best known regulatory environment. There are accounting standards (IAS, GAAP), quality standards (ISO) and many others. In support of business standards we have IT frameworks like CMMI, ITIL, CobiT and many others that assist in aligning IT with the business, best practice and compliance requirements. What they all have in common is that they set down guidelines, rules and standards that can be verified independently, they all create a badge that can be used to communicate trust in our business and its data, and they all now depend on trust in the digital data/evidence used.

Making Digital Data Trustworthy

The good news is that there are ways and means of creating trust in your digital data, from the simple to the sophisticated, from free to expensive, from pragmatic to unwieldy, from manual to automated.

There is a spectrum of solutions and a spectrum of risk; only you can decide what level is appropriate for your digital content, sufficient to create stakeholder trust and protect your data and business. As is normal, a cost benefit analysis is recommended once you have completed a risk analysis. So the areas to consider are:-

Regulation of Access (Prevention): The key here is that only authorized persons have access to digital information/data, as determined by business need and regulations/laws. The level of access and what an authorized person can do is also an area that can be controlled and managed: perhaps they can just view certain information, or they may have rights to change, move or process the data and information. Using the right solution to regulate access can prevent accidental or malicious changes and loss of trust.

• User Identity

• Roles & Rights Management

• Anti-Virus & Spam

• Encryption

• Biometrics

Securing the Provenance (Prevention): Here we are concerned with the origination and history of the digital data: when it was created, modified, changed, deleted, saved, moved, communicated etc., and also who carried out the various actions from creation onwards.

• Date & Time stamp

• Content identity & detail

• Authorship

• Tamper proof & Tamper Evidence

Verification & Functions: Here we are mainly concerned with the detection of change, whether intended, accidental or malicious. Usability features are also important.

• Tamper-proof & Auditable Logs

• Instant verification of data as used

• On-line & Off-line verification

• Convenient digital signature process

• Simple integration and embedded technology
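The provenance and verification items above (date and time stamp, content identity, authorship, tamper evidence, auditable logs, instant verification of data as used) fit together into one small mechanism: a tamper-evident audit log in which every entry records who did what and when, carries the content hash of the data it refers to, links to the previous entry, and is authenticated with a key the verifier holds. The following is an added example, not code from the original article or any product it mentions. It uses only the Python standard library; the audit key, the document bytes and the timestamps are constructed for the demonstration, and a real deployment would keep the key in an HSM or key vault (or replace the HMAC with a digital signature so that anyone holding the public key can verify off-line).

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed demo secret shared by the log writer and the verifier (hypothetical;
# not a real key). Anyone without it cannot re-authenticate an edited entry.
AUDIT_KEY = b"constructed-demo-key-not-for-production"

GENESIS = "0" * 64  # link value used by the first entry in an empty log
FIELDS = ("ts", "author", "action", "content", "prev")


def content_id(data: bytes) -> str:
    """Content identity: the SHA-256 fingerprint of the bytes being logged."""
    return hashlib.sha256(data).hexdigest()


def canonical(rec: dict) -> bytes:
    """Fixed field order so writer and verifier authenticate identical bytes."""
    return json.dumps({k: rec[k] for k in FIELDS}, sort_keys=True).encode()


def record_hash(rec: dict) -> str:
    """Link value: hash over the entry and its MAC, used as 'prev' by the next entry."""
    return hashlib.sha256(canonical(rec) + rec["mac"].encode()).hexdigest()


def make_record(prev: str, author: str, action: str, data: bytes, ts: str = None) -> dict:
    """Build one provenance entry: when, who, what, content identity, link, MAC."""
    rec = {
        "ts": ts or datetime.now(timezone.utc).isoformat(),
        "author": author,
        "action": action,
        "content": content_id(data),
        "prev": prev,
    }
    rec["mac"] = hmac.new(AUDIT_KEY, canonical(rec), hashlib.sha256).hexdigest()
    return rec


def append(log: list, author: str, action: str, data: bytes, ts: str = None) -> list:
    """Append an entry chained to the current head of the log."""
    prev = record_hash(log[-1]) if log else GENESIS
    log.append(make_record(prev, author, action, data, ts))
    return log


def verify(log: list):
    """Walk the chain; return (True, None) or (False, index of first bad entry).

    Detects edited fields (MAC mismatch), reordered or removed entries and
    truncation of the start of the log (broken 'prev' link). Removal of the
    newest entries is only detectable if the head hash is stored elsewhere.
    """
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec.get("prev") != prev:
            return False, i
        expected = hmac.new(AUDIT_KEY, canonical(rec), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec.get("mac", "")):
            return False, i
        prev = record_hash(rec)
    return True, None


def verify_content(log: list, index: int, data: bytes) -> bool:
    """Instant verification of data as used: do these bytes match the logged identity?"""
    return hmac.compare_digest(log[index]["content"], content_id(data))


def tamper(log: list, index: int, field: str, value) -> list:
    """Constructed accident/attacker model: a copy of the log with one field rewritten."""
    edited = json.loads(json.dumps(log))
    edited[index][field] = value
    return edited


def demo():
    """Constructed scenario: a report is created, revised, then its history is edited."""
    log = []
    append(log, "alice", "create", b"Q1 report v1", "2019-03-21T09:00:00+00:00")
    append(log, "bob", "modify", b"Q1 report v2", "2019-03-21T10:30:00+00:00")
    before = verify(log)
    after = verify(tamper(log, 1, "author", "mallory"))  # rewriting authorship
    return before, after


if __name__ == "__main__":
    print(demo())
```

Note what the verifier can and cannot see: any change to a logged field, the content fingerprint, the ordering or the start of the chain fails verification at the first affected entry, which is exactly the tamper evidence the list asks for; silently dropping the most recent entries is invisible unless the latest link value is also anchored somewhere the log writer cannot alter (a signed timestamp, a second system, or a printed head hash).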

© 2006-2019 Security magazine.