Placing data in silos

November 23, 2007 at 11:22 pm 3 comments

Talk about timing.

Just hours before UK’s Chancellor Alistair Darling revealed to MPs the loss of 25 million personal records, Government CIO John Suffolk gave a blunt warning about the danger of creating more giant government databases. He said, “To put more eggs in single basket is a foolhardy approach. The best way to protect data is to say: this data is for specific purpose, put protection around [it].”

He went on to say, “There is a balance to be struck. It’s nonsense to assume or even think about a central database or central clearing house.”

As Kim Cameron said in his blog post, “To me this is the equivalent of assembling a vast pile of dynamite in the middle of a city on the assumption that excellent procedures would therefore be put in place, so no one would ever set it off.”

“There is no need to store all of society’s dynamite in one place, and no need to run the risk of the colossal explosion that an error in procedure might produce.”

In my first post about the data loss, I mused, “Perhaps the time has come when identity systems are based on an assumption that peoples’ personal information is not secure.” On the same lines, Kim said “the information that is the subject of HMRC’s identity catastrophe should have been partitioned – broken up both in terms of the number of records and the information components… no official (A.K.A insider) should ever have been able to get at enough of it that a significant breach could occur.”

That got me to do a mental check about the online identity and authentication systems being put into place in New Zealand. Though the service is presented to people as a single, integrated service (igovt), under the hood there are two separate services (Government Logon Service and Identity Verification Service) run by two separate government agencies with two separate databases.

This ensures that in the unlikely event that a breach does occur, even then no single database has all the information. The check provides a measure of confidence that the NZ services are designed right from a breach perspective.


Entry filed under: data_breach, fraud, government, identity, ID_cards, igovt, NZ, personal_info, privacy, security, strategy, trust, UK.

Lose data, lose trust 2 EC report: New trust pact required

3 Comments Add your own

  • 1. Mike(p)  |  November 27, 2007 at 10:01 am

    I’ve always designed systems on the basis that one day they will be compromised. A good design will (*) show evidence of being compromised (*) minimise/control the damage (*) simplify recovery. What else?

    Another design approach, is instead of strengthening the protection; is to remove the incentive. Removing the incentive might mean jail or reducing the value of any record stolen by making it of little use. Current approaches seem to want to lock more public information (like birth records) up and hide it, rather than remove the incentive. What do you think?

  • 2. Vikram  |  November 27, 2007 at 8:26 pm

    Thanks for the comments.

    One of the obvious ways to protect data is to encrypt it fully. Another is to hold the minimum amount of data for only as long as it is required. This is in line with your removing (or reducing) the incentive comment.

    Not so sure about the “evidence of being compromised” bit. That’ll work for many attacks but what if, as seems to be the case in UK, the standard operating procedures were faulty? This wouldn’t show up as a compromise of the system.

    Designing systems on the basis that one day they will be compromised sounds sensible. This means that the system is designed to look for breaches and react quickly rather than having an artificial sense of infallibility.

  • […] will never get through an online service is impossible. Instead, in addition to data encryption, splitting data into silos such that no single breach- external or internal- results in getting all the information is a […]


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

Trackback this post  |  Subscribe to the comments via RSS Feed

This blog is no longer updated. See the About page for more info. I'm currently active on Twitter.

Follow me on twitter

Error: Twitter did not respond. Please wait a few minutes and refresh this page.


%d bloggers like this: