Security experts criticise government database plans

Tom Espiner ZDNet.co.uk

Published: 19 Jan 2007 12:28 GMT

...an SOA [service-oriented architecture] environment, sharing a single user record, said Kramer. It increases the security risk of data loss or theft.

Sarah Burnett, senior research analyst with Butler Group, who specialises in public sector IT schemes, praised the idea behind the data-sharing recommendations, but said it was unworkable in practice. Support for the scheme from employees would just not be consistent, according to Burnett.

"We all want to modernise government services, but there has to be buy-in from the people on the ground. They need to deliver data of a consistent quality," said Burnett. "Whether it's single sign-on or a super-database, such a huge thing will never work because you won't get everybody committed and delivering quality data all of the time."

Sharing data between the DWP, IPS and IND databases would lead to serious problems because of the differences and incompatibilities in the systems, according to Burnett.

"Different systems have different data and different reference systems. I've been involved in projects where the local police share data with the local fire brigade, where, because they are independent organisations, no-one takes the lead," said Burnett. "IPS has accurate data, but when merging with the DWP — which has an absolutely vast database — the challenge will be getting it to operate in a similar way."

Burnett said that the recommendations to relax the Data Protection Act, which have alarmed the Information Commissioner's Office, would have far-reaching consequences both for individuals and businesses.

"Whatever they do to the DPA will affect the private sector. Potentially we could go back to the days of personal data being shared without our knowledge. I'm sure some parts of the private sector would love that, but as individuals we wouldn't like it very much. We need some level of control. Changing how IT records systems and policies operate will cost businesses money," said Burnett.

Paul Davie, founder and chief executive officer of database security company Secerno, is concerned that the creation of a government super-database would create far too tempting a target for identity thieves.

"What worries me is the increased risk," Davie told ZDNet UK. "There has been a rise in identity theft, with 1.6 billion attempts over the last three years in the UK, with an individual street price of $25 (£13) to $50 for personal details. If you're joining databases, you're creating a tremendously more valuable resource for ID thieves. Because you're data sharing, you can get at so much more data."

Most database security revolves around authenticating users onto a system and granting access privileges. However, that model is open to serious abuse, according to Davie.

"If you have a system with many more authenticated users, you need to control who uses the system and what they're doing. You may think you know who is using a system, but it could be someone using a colleague's machine. With authentication there's no emphasis on who is doing it."

McAfee's Greg Day agreed that the government plans raised many security questions.

"There are a number of security questions if [the government] are sharing between three databases. How secure are the links between them? Are there going to be duplicates of the records? How will they link the two? What if one becomes corrupted? What's the recovery time for the computer record, and where do you go to get [erroneous] details amended?" said Day.

"A huge question revolves around the security of the entire system. Who has access, and how are they validated? We've seen in India call-centre people selling off customer records for £4 a shot," Day added.
