Saturday, August 29, 2009
Encrypted is not a boolean variable
Posted by Tim Hollebeek at 9:19 PM 1 comments
Friday, August 28, 2009
Bernanke hit by ID breach
Did the thief think he could cash in on the billions that the Fed chief oversees :) Or maybe he was looking for a bailout himself!
Will this put some fire under the administration to think seriously about national breach-notification laws? It always seems to happen when something hits close to home and personally...
Interesting news, nonetheless...
Posted by Manu Namboodiri at 11:06 AM 0 comments
Labels: data breaches, Data Privacy
Monday, August 24, 2009
Dirty secrets and the non-existent perimeter
The perimeter is dead - long live the perimeter (the new perimeter, that is). Which obviously is the data.
I am also intrigued by an article by Joshua Corman from IBM, in CIO magazine, that discusses this. Check out Dirty Secret #3. "There is no perimeter". I love it. Mostly because it is true. And for some small selfish reasons as well... :)
Here is what he says - very eloquently, I might add.
"We need to define what the perimeter is," he said. "The endpoint is the perimeter, the user is the perimeter. It's more likely that the business process is the perimeter, or the information itself is the perimeter, too. If you design your security controls with no base assumption of a perimeter, when you have one you are more secure. The mistake we tend to make is, if we put the controls at the perimeter, then we will be fine. For many threats, we couldn't be more wrong."
The bold emphasis above is mine - and not from Joshua. But I do it to illustrate my point (which I also put forth in a recent blog on the benefits of an information-centric security approach). Security professionals need to move beyond the perimeter, and the perimeter-based thinking that has dominated for the past 30-40 years, and recognize the world is different now.
For heaven's sake, the internet that allows for rapid dissemination of data and collaboration is already a teenager! Why do we still protect this environment with stuff built for the '70s?
Posted by Manu Namboodiri at 11:27 AM 0 comments
Labels: information-centric
Sunday, August 23, 2009
Benefits of information-centric security
For a while I have been meaning to write a short article on what I think information-centric security is - so here goes.
Organizations have focused on securing sensitive data by protecting the infrastructure that hosts the data. This could be implemented by hosting the servers inside a data center, using firewalls and similar perimeter protection techniques to prevent external attackers, encrypting whole drives or encrypting networks. I think of these as protecting data by proxy - i.e. protect the network to protect the data, protect the perimeter to protect the data, protect the device to protect the data.
Information-centric security is the concept of focusing the protection on the data itself as opposed to the device – protection that stays with the data while at rest and while in motion. Access controls and other policies are embedded in data and follow it wherever it goes - thus enforcing these policies at the data level, regardless of where the data is.
This approach has several advantages:
- Continuous protection: Data always remains protected since it does not get decrypted as it moves - this has performance benefits as well as security benefits
- Device independence: Data can be protected regardless of the devices it rests on or travels between. For example, if data moves to a USB device or to a backup tape, it still remains protected. No need to deploy a USB protection solution or a backup tape solution separately.
- Enabling secure collaboration: Since the data remains persistently protected, you can share it better - the access controls governing who can read the data remain with the data itself! The data is therefore self-defending. No need to provide access to networks, file shares etc. just to share data.
- Lower costs and complexity: all this comes down to much lower costs and complexity - no need to have multiple device- or network-centric products protecting data, and that too by proxy.
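To make the "policies embedded in the data" idea concrete, here is an added example (not from the original post or any product it alludes to) of a self-defending data envelope: the access policy travels with the ciphertext and is cryptographically bound to it, so stripping or editing the policy invalidates the object. The stream cipher built from HMAC-SHA256 in counter mode is a stdlib-only stand-in for a real AEAD such as AES-GCM, and the `readers` policy field is an assumed format.

```python
import hashlib
import hmac
import json
import os

# Toy keystream: HMAC-SHA256 in counter mode. Stand-in for a real AEAD, used only so the
# example runs with the standard library; do not use as a production cipher.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def _subkey(master: bytes, label: bytes) -> bytes:
    # Separate keys for confidentiality and integrity, derived from one master key.
    return hmac.new(master, label, hashlib.sha256).digest()

def protect(plaintext: bytes, policy: dict, master_key: bytes) -> dict:
    """Encrypt data and attach its policy; the MAC covers nonce, policy and ciphertext."""
    nonce = os.urandom(16)
    policy_bytes = json.dumps(policy, sort_keys=True).encode()   # canonical form for MAC
    ks = _keystream(_subkey(master_key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(master_key, b"mac"), nonce + policy_bytes + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "policy": policy, "ct": ct.hex(), "tag": tag.hex()}

def open_envelope(env: dict, principal: str, master_key: bytes) -> bytes:
    """Verify integrity first, then enforce the embedded policy, then decrypt."""
    nonce, ct = bytes.fromhex(env["nonce"]), bytes.fromhex(env["ct"])
    policy_bytes = json.dumps(env["policy"], sort_keys=True).encode()
    expected = hmac.new(_subkey(master_key, b"mac"), nonce + policy_bytes + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(env["tag"])):
        raise PermissionError("envelope tampered with or policy stripped")
    if principal not in env["policy"].get("readers", []):
        raise PermissionError(f"{principal} is not authorised by the embedded policy")
    ks = _keystream(_subkey(master_key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))

if __name__ == "__main__":
    key = os.urandom(32)                       # constructed sample key
    env = protect(b"4111-1111-1111-1111", {"readers": ["alice"]}, key)
    print(open_envelope(env, "alice", key))    # authorised reader gets the plaintext
```

The policy check here runs in the component that holds the key; whoever holds the key can bypass it, so in a real deployment key release itself is tied to the policy (for example by a policy server that only hands out the key after evaluating it).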
Posted by Manu Namboodiri at 1:46 PM 0 comments
Labels: information-centric
Tuesday, August 18, 2009
The same TJX hacker?
How many more breaches were perpetrated by Albert Gonzalez? According to new charges, he is saddled with TJX (from before) and now with Heartland as well as Hannaford! The guy has been busy, no doubt.
What was it that made these breaches similar? And what did we not learn from the first ones that we let Albert and gang do it again and again? Obviously there are many theories - but my view is, at the end of the day, infrastructure protection can get you only so far.
We need an information-centric approach to protection where the focus is not on the pathways, perimeters and devices, but on the data itself. Imagine if this had been the case in the above breaches, where data was pulled off networks or lifted from servers. If that data had been protected at rest and in flight, it would not have mattered that the data was copied outside the company - it is protected! It remains encrypted!
Better, more logical and more effective security. But it seems folks are still caught up in the rush to "protect the infrastructure"...
Posted by Manu Namboodiri at 1:19 PM 0 comments
Labels: data breaches, information-centric