« All Articles

Evidence Management Data Security and Infrastructure Overview – Part 2

July 28, 2021

Is your agency’s data at risk? In Part 2 of this webinar, we dove into the topic of data security. More than ever, the focus on the protection of sensitive and critical data is a result of growing cyber risks and increasingly stringent data security regulations. 

Ben Townsend, the Founder and CEO of Tracker Products, continued the conversation by saying, “I found this really cool statistic a while ago. Maybe I’m the only one that finds this interesting, but I want to read this out to you. The Amazon S3 cloud storage is where all of our media is being stored. I think that our bucket inside S3 contains millions of images. Here are their data protection statistics… 

amazon s3

For example, if you store 10 million one-megabit pictures on Amazon S3, you can, on average, expect to incur a loss of one image every 10,000 years. That is a high level of durability. So it is improbable that you’re going to lose a single image, or even one in 10 million images, over a very long period of time. When I read that, and I know that’s very complex, it makes me feel better. 

There are technical engineers whose jobs are to make sure this stuff is up and running. I feel significantly better about my data being there than I do about having it on the hard drive that’s sitting in my house; where if my kid drops a drink on it, all of a sudden I’ve lost everything. 

When you think about points of failure… we have a web-based product. We have infrastructure that can fail. We have people that can fail. And, we also have coding during development that can be done wrong.

coding and development

You could have the best infrastructure in the world, and you could have people doing all the things that they should be doing, but if you’ve got code or old libraries in place it opens up an opportunity for somebody with malicious intent. 

So, on our end, we make sure that as we develop software, we are constantly updating all of our servers, making sure they’re patched and all of the antivirus and Malware protection is in place. Because when you do that, you’re less likely to have problems. 

Remember what I said earlier? This is a constant pursuit of perfection. You will never attain perfection. You’re just trying to limit your exposure to threats as much as possible. We use coding practices that prevent unwanted access to data. Literally, the worst problem in our world would be telling somebody we lost data. The second thing would be if we experienced unauthorized access. 

As I get into this a little bit deeper, I’ll explain all the different areas we go into; making sure that our code is good to go. Our development team does code reviews. Everything that is developed… multiple people put their eyes on that code to make sure that we’re not developing things that are going to create a problem.

There are also systems that I’m going to get into a minute that will even further check all of that. Our development is always done with a permissions-first mindset. Every time something is developed, the very first thing that is considered is…  How does this affect security? Because in the end, everything below that is secondary.

The last thing is, we also use password managers for all of our data access. So, now that the code is done, the eyeballs have been put on it, and we feel good about it. We submit our code into a quality assurance process, where we have a team of people that will analyze the code. They’ll use software tools, and they will try to find security flaws because we don’t want a client to find a bug in the software.

Honestly, in the past we did get calls from people that said, Hey, we found a problem. But, I know today that is far less likely to happen. I would be willing to bet that 99 out of 100 flaws that are developed within our software are found by our QA team. So, they’ve got a lot of systems that they use to reiterate and go back through things that have been developed. Every time we develop something, it goes through the entire gamut of testing before it goes out into public. 

The next step and this is critically important, is Penetration (Pen) Testing. We hire a third party company to attempt to hack our software. They are using the same tools that hackers will use to attempt to find security, flaws, and holes in our infrastructure.

One of the different things that we try to comply with is the OWASP Top 10. For anybody that’s in coding and stuff like that, that’s where you get into Cross Site Scripting, SQL Injection and things like that. 

So again, this third party company will test it by attempting to hack it. And then, they come back to us with a report that says, here’s what your grade is. If they find any flaws, we will fix those flaws before that stuff ever goes into production. 

On top of that, some of our larger clients, that actually have internal teams, will do security testing on software. Those people are constantly testing our software. Every once in a great while they’ll come back and say, Hey, we did testing and found this hole in your system. I can’t even imagine the amount of testing that goes into our software, including Pen testing, before something ever runs out into production. 

The next step is disaster planning and recovery. 

disaster planning

Imagine you’re in an evidence room and you have a water pipe running overhead. Our compliance person would walk in, and the first thing they would say is, What happens if that pipe bursts? What happens if somebody gets through that door over there? It’s amazing, some of the evidence rooms have unprotected windows to the outside. A compliance person would walk in and would say, What happens if somebody gets through that window? 

So, disaster recovery planning and recovery is going through the exercise of considering what happens if something fails. As I mentioned earlier, we don’t have any single points of failure in the system. We also do full snapshots of all of our systems, every 12 hours. We have redundancy built into the system, we’re doing snapshots and data backups, and then we’re storing those data backups on that S3 infrastructure that only has a chance of one in 10 million objects of data being lost every 10,000 years. 

Thankfully, in 15 years of doing this, we have not lost a single piece of data. We have had clients lose data; probably a dozen different clients have lost data. And every one of them were on PREM systems, where we weren’t in charge of the system, the backups, and the security. 

There is no more heartbreaking feeling than somebody calling on the phone and saying, Hey, that server with that data is now gone. And they look at me like, What can you do to help me?

Unfortunately, my answer, if you don’t have those backups is… All of that stuff is gone. 

Most people in today’s world say, I’d rather my data be on your end than on mine. Not particularly for lack of faith in their own people, but in the end, this is our job.

The very last thing I want to throw out is…  your culture and your accountability for all of this stuff. We are constantly talking about this. It’s the life blood of our organization. If we fail in this regard, we fail monumentally. So, we cannot afford failure on this part. Our compliance person is putting things in place to pursue that level of perfection. We won’t attain it, but we’re constantly moving in the right direction. 

So, I would encourage you to at least look at some of the evidence management practices on your end, because many of you are housing critical digital evidence. I would encourage you to go back and ask your people, What kind of redundancies are in place? What happens if that USB drive fails? Because you may be the person that helps them avoid a colossal nightmare of data loss or a security breach. Simply asking the proper questions can help immensely.”

Tracker Products and The Evidence Management Institute want to give you something productive to think about during this time of uncertainty… a series of free evidence management training and panel discussions. Watch and comment on the webinars here. Or – to get in on the discussion, with nearly 600 other evidence custodians – join the Evidence Management Community Forum on Facebook.

Tracker Product’s SAFE evidence tracking software is more than just barcodes and inventory control, it’s end-to-end chain of custody software for physical and digital evidence, resolving each of the critical issues facing evidence management today. To learn more about Tracker Products, CLICK HERE.

Or, if you’re interested in Evidence Management Training from our partner company, VISIT EMI HERE Protection Status