The Data Security Challenge

The field of Information Security is a broad one encompassing twelve domains according to the ISO 27002 standard.  But the focus of Information Security has become cyber security these days, and understandably so given the number and frequency of cyber-attacks being experienced.  However, we shouldn’t forget that information is created from the aggregation and analysis of items of data.  So, ultimately the core objective of the ISO standards is to secure data. 

There are basically two types of data within scope of the standards:  business data and system data.  Business data includes customers and their data, product data, product and marketing strategies, and intellectual property.  But it also includes data regarding employees, legal matters e.g. contracts or law suits, as well as data related to compliance with any applicable regulations.  The loss of confidentiality of this data would seriously impact the ability of a business to operate and jeopardize its competitive standing. 

In contrast, system data identifies the computer technology, both applications and infrastructure that enable a business.  These technology components collect, process and store business data.  But they also provide operating capabilities that deliver products to customers and enable collaboration with business partners.  The loss of confidentiality of system data would enable the malicious parties to shut down business operations, and/or locate and steal critical business data.  Such events would be disastrous and threaten the ability of a business to continue operation.  So, we can see that securing both types of data is essential.

In the midst of ever increasing cyber-attacks there is a growing concern for data privacy.  I attended the Strata Hadoop Conference (http://strataconf.com/stratany2014 ) in New York City earlier this month and much of the Security Track was devoted to discussion of data privacy.  Government regulations e.g. the Gramm-Leach Bliley Act (1999) (GLBA) and the Health Information Portability and Accountability Act (1996) (HIPAA) have mandated that those entities holding personally identifiable Information in the case of GLBA, personal health information in the case of HIPAA must ensure protection of the data.

 

But most people today view the list of regulated data items as being a slim representation of the data they consider to be personal.  We live in a world where large amounts of data on individuals is collected about us daily including the products we buy and from whom, the foods we like, the restaurants we patronize, the political party we support, the list of our friends and family and their contact information; and on and on.  The fact that the exact location of where an individual is now and where he or she has been all day, is information that many people consider to be private and not to be available to anyone with whom they have not explicitly shared it.  And when we place our photos in “The Cloud” our expectation is that no one will see them other than those specifically given permission to do so.  And, by the way, software that can recognize my face in other people’s photos and create a link between us is not a particularly desirable thing. 

As you can see, individuals’ expectations of privacy, greatly complicates the data privacy challenge.  Over the next several months I will explore the data privacy challenge and discuss approaches to risk mitigation and control.