Tuesday, October 28, 2014

The Data Security Challenge

The field of Information Security is a broad one, encompassing fourteen control domains according to ISO/IEC 27002:2013.  But the focus of Information Security has become cyber security these days, and understandably so, given the number and frequency of cyber-attacks being experienced.  However, we shouldn’t forget that information is created from the aggregation and analysis of items of data.  So, ultimately, the core objective of the ISO standards is to secure data.

There are basically two types of data within the scope of the standards: business data and system data.  Business data includes customers and their data, product data, product and marketing strategies, and intellectual property.  But it also includes data regarding employees, legal matters (e.g. contracts or lawsuits), and compliance with any applicable regulations.  The loss of confidentiality of this data would seriously impact the ability of a business to operate and jeopardize its competitive standing.

In contrast, system data describes the computer technology, both applications and infrastructure, that enables a business: network diagrams, host and application inventories, configurations, credentials and the like.  These technology components collect, process and store business data.  But they also provide the operating capabilities that deliver products to customers and enable collaboration with business partners.  The loss of confidentiality of system data would enable malicious parties to shut down business operations and/or to locate and steal critical business data, because it tells an attacker exactly where the targets are and how they are protected.  Such events would be disastrous and threaten the ability of a business to continue operating.  So, we can see that securing both types of data is essential.

In the midst of ever-increasing cyber-attacks there is a growing concern for data privacy.  I attended the Strata Hadoop Conference (http://strataconf.com/stratany2014) in New York City earlier this month, and much of the Security Track was devoted to discussion of data privacy.  Government regulations, e.g. the Gramm-Leach-Bliley Act of 1999 (GLBA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA), mandate that entities holding nonpublic personal information (in the case of GLBA) or protected health information (in the case of HIPAA) ensure protection of that data.

But most people today view the list of regulated data items as a slim representation of the data they consider personal.  We live in a world where large amounts of data are collected about individuals daily: the products we buy and from whom, the foods we like, the restaurants we patronize, the political party we support, the list of our friends and family and their contact information, and on and on.  Where an individual is right now, and where he or she has been all day, is information that many people consider private and not to be available to anyone with whom they have not explicitly shared it.  And when we place our photos in “The Cloud” our expectation is that no one will see them other than those specifically given permission to do so.  And, by the way, software that can recognize my face in other people’s photos and create a link between us is not a particularly desirable thing.

As you can see, individuals’ expectations of privacy greatly complicate the data privacy challenge.  Over the next several months I will explore the data privacy challenge and discuss approaches to risk mitigation and control.

Thursday, October 9, 2014

Information Security:  What’s Old Is New Again

Cyber-attacks with accompanying data breaches have become headline news with increasing frequency.  These reports have produced a pervasive state of panic among corporations, especially those in financial services, as well as across the general public.  The attacks are occurring more frequently and becoming more costly, in dollars and in reputation, for the targeted companies.  Indications are that the situation will only worsen over time.

Why, one might ask, have the attackers been so successful of late?  Have they developed some advanced methods requiring defensive capabilities that have yet to be invented?  Are we doomed to have our valuable information pillaged and plundered by criminals?  I have read about “Heartbleed” and the Target breach, as well as the JP Morgan and Home Depot breaches, and discovered that no new security tools or methods would have been required to prevent them.  The methods to prevent and defend against cyber-attacks are known, and the tools are available and in many cases already installed.  So, what is the problem?  Jamie Dimon of JP Morgan Chase hit the nail on the head when he said “JP Morgan plans to spend $250 million on digital security annually, but had been losing many of its security staff to other banks over the last year, with others expected to leave soon” (quoted from the New York Times DealBook, October 2, 2014).  Although his statement pertains to JP Morgan in particular, it is indicative of how companies in general resource information security.  Information Security within corporations has typically been understaffed and underfunded.

Historically it has been extremely difficult for Information Security departments to demonstrate the need and urgency of allocating funds and hiring sufficient staff to fully support the function.  It’s been a bit like convincing someone to buy an insurance policy against an event that may never occur.  Businesses will opt to put their money toward outcomes they know they can achieve, rather than toward risks that are uncertain.  So, when it’s time to tighten the belt, the Information Security budget is a prime target, and when it’s deemed time to down-size or right-size, Information Security staff are likely the first to go.

Two events have occurred in recent years that are beginning to affect this corporate stance.  First, regulations now require corporations to notify customers when they’ve experienced a data breach (in the United States, state breach-notification laws, beginning with California’s in 2003, now cover nearly every state).  Second, the volume and frequency of successful attacks are on the rise.  The result of the two is that corporations have been forced into an unwanted limelight, damaging their reputations, costing them customers and inviting the scrutiny of government regulators.  I believe this situation will drive a change in perspective toward the need and urgency of information security.

We have come to an unfortunate state of affairs, but it may be the beginning of a new day for information security: one in which adequate staff and funding are provided to enable the development of repeatable processes and controls, as well as the effective use of tools, to build the strong defenses needed to combat the cyber-attackers.