Keeping corporate secrets - the data centric security approach

Just read the eWeek summary for the new book Blown to Bits... (btw, what's up with tag lines and subheadings in books - these seem to be filling up the font page!). The authors discuss the right mix of people, process and security technology that organizations can use to prevent such breaches...

Interestingly enough, the trends they talk about are very data-centric - "Secure the message as well as the medium" and "Address data at rest, in flight and in use"...

In particular I like this paragraph...

"Even with SSL (Secure Sockets Layer) and VPN, strong passwords, fire walls and a flood of security patches, the medium (the network and the attached servers) should be considered inherently insecure. The greatest security comes from protecting the data itself. Even a gargantuan data breach will be of no real consequence if the data is undecipherable."

Could not have said it better - and I could not agree more...

Data breaches: Technology, process or management?

Being part of a technology company, one tends to think of solutions to data breaches as mainly to be solved by technology. Well, with a bit of process thrown in for good measure as well! Did not think much about the important role of management till now...

Just came across an interesting opinion by Jonathan Armstrong, a partner at Eversheds, a law firm. He contends that current best practices of management do not train executives how to respond to crisis - he talks about various types and data breaches is one amongst them.

I tend to agree to a point. However, I also think that it is the type of management and their core values that dictate how such a crisis be addressed. Is management concerned about the customer? Or is management just looking to save face? I can remember the Tylenol crisis and how well J&J handled it.

While I agree with Jonathan that the frequency of incidents have gone up and management needs to be trained better, I also believe if executives have the best interests of their constituents in mind, things will work out okay...

For your hacking pleasure - Cold Boot utilities released!

Interesting news over the weekend. Looks like one of the original researchers from the Princeton Cold Boot attack work, Jacob Applebaum, published all the utilities they used to break full disk encryption products.

We, at BitArmor, have talked a bit about cold boot and how we protect against it. Our CEO Patrick and a few of our senior engineers will be presenting at Black Hat on techniques to prevent this attack - check out his perspective as well from his Princeton days.

Virtualization and information-centric security

Many more of the customers I talk to are focused on virtualization as a core infrastructure strategy. They obviously want to know more about how this will affect how they look at security. While I am not the expert on anti-virus/malware, NAC, intrusion prevention etc, one area that I get excited about is the data protection implications of this trend...

As devices get abstracted and pushed to the background, it appears we are left, at the core, with applications and data. The interactions between the two dictate productivity, security et al. In this context, an information-centric security paradigm becomes even more important.

There are no devices to lock down (these will be virtual - appearing and dissapearing as required). Much of the data will be accessed from virtual containers. Therefore, protecting the data itself, regardless of the applications, the devices, the networks will become crucial in this evolving landscape...

Ecrypt the whole Net!

Now this is a big bite - the folks behind Pirate Bay are developing technology that will allow all traffic between equipped end-points to be encrypted. They are doing this to protect folks from the prying eyes of the authorities - new laws have been passed in Sweden that give the authorities rights to monitor email, web traffic and telephony of individuals. The EFF has a good post about this new law here.

Not sure how all this will be implemented, but will be interesting to follow...

Data protection commissioner?

Never thought a country would have an Information and Data Protection Commissioner - but looks like Malta is taking charge of their data. Interesting article on new laws, expansion of powers, and parliamentary discussions!

Protect everything? Is that a better DLP?

I was reading an interesting post about DLP at Securosis. Rich has deep expertise and an excellent way of explaining what the area is all about...

However, the post got me thinking - how do we reliably understand content in order to differentiate and protect what's important? Do we have easy to manage policies yet? Can the policies adapt easily based on chaning business? Is the technology ready?

I do see traditional DLP solutions being very complementary to data encryption products - one identifies it, finds it and the other can protect it. Nice and easy.

However, I am thinking that maybe an interim step might also be needed before we can get to nirvana of understanding content, proactive policies etc. What if we are able to protect all data (or even data that are on these file shares, laptops etc ) regardless of what is in them - and keep them persistently protected at rest and in motion? Think of it as the blunt approach - similar to using FDE to protect all the contents within a hard drive regardless of the sensitivity of an individual file within.

From a customer perspective, they don't want anyone without the right authorization to see any data - that's all. This can be achieved by persistent, data-centric or information-centric protection without any differentiation based on understanding the content.

Could/should DLP be redefined, thus?

2% of all laptops sold every year are stolen from airports?

Interesting analogy from NetworkWorld on rising rates of laptop loss, but it works! Apparently laptop loss is giving IHOP a run for its money. From the article...

"Some of the largest and medium-sized U.S. airports report close to 637,000 laptops lost each year, according to the Ponemon Institute survey released Monday. Laptops are most commonly lost at security checkpoints, according to the survey."

Over 630K laptops lost each year just within airports! From IDC's Quarterly PC tracker (Dec 2007) we see that over 31M laptops were projected to be sold in 2007. This means that over 2% of all laptops sold in the US were lost or stolen from airports!

Hard to believe. Am I exaggerating or is this for real? Makes me think about how cold boot can be a weapon of choice for criminals to gain access to sensitive data.