Wednesday, September 2, 2009

Another case for information-centric security

The more I read about how criminals are breaching the perimeter and getting access to sensitive data inside organizations, the more convinced I am that an information-centric approach is the only way to go.

Case in point: the recent Information Week article, 5 Security Lessons from Real World Breaches. Fun stuff! Here is a short excerpt from one of the attacks the article describes, the way it ended:

"...The attackers used the compromised server as their home base. They deployed tools and scanners and spent several months meticulously mapping the network without being detected. Once they found the systems that contained the data that they were looking for, they simply copied the information, put it into a Zip file, and moved it out."

The key phrase is "simply copied the information": they compromised a server and then copied the data out. It frustrates me that protection of data at rest, transparent disk or database encryption in particular, is treated as the end-all. Once an attacker is running on the server, that layer decrypts the data for them exactly as it does for any legitimate process. If this data had been protected using an information-centric approach, i.e. protect the data itself and keep it protected at all times (at rest and in motion), with the keys and the access policy held outside the host that stores it, this would have been much harder. All the criminals would have gotten from copying the store is encrypted data. (With months of undetected access they could still have gone after the keys or an authorized process, but a Zip file of the stored records would have been worthless on its own.)
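As an added illustration of what "keep it protected at all times" means in practice (example code written for this post, not from the article), the records below are sealed with AES-256-GCM before they ever reach storage, and the key is released only by a separate key service that checks the caller's identity. The in-process KeyService, the principal names and the sample record are assumptions standing in for a real KMS or HSM, real service identities and real data.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// SealedRecord is the only form in which the data exists outside an
// authorized process: in the database, on the file share, and on the wire.
type SealedRecord struct {
	KeyID      string // data-encryption key held by the key service
	Nonce      []byte // 12-byte GCM nonce, fresh per Seal call
	Ciphertext []byte // AES-256-GCM output with the 16-byte auth tag appended
}

// KeyService stands in for a separate key/policy server (hypothetical).
// Keys exist only here, never on the application or storage hosts.
type KeyService struct {
	keys    map[string][]byte
	allowed map[string]map[string]bool // keyID -> principal -> may use key
}

func NewKeyService() *KeyService {
	return &KeyService{keys: map[string][]byte{}, allowed: map[string]map[string]bool{}}
}

// CreateKey mints a random 256-bit key and records which principals may use it.
func (ks *KeyService) CreateKey(keyID string, principals ...string) error {
	if _, dup := ks.keys[keyID]; dup {
		return fmt.Errorf("key %q already exists", keyID)
	}
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return err
	}
	ks.keys[keyID] = key
	ks.allowed[keyID] = map[string]bool{}
	for _, p := range principals {
		ks.allowed[keyID][p] = true
	}
	return nil
}

// ReleaseKey is the policy check: a compromised host whose identity is not on
// the list gets an error, not a key, however much ciphertext it has copied.
func (ks *KeyService) ReleaseKey(keyID, principal string) ([]byte, error) {
	key, ok := ks.keys[keyID]
	if !ok {
		return nil, fmt.Errorf("unknown key %q", keyID)
	}
	if !ks.allowed[keyID][principal] {
		return nil, fmt.Errorf("principal %q not authorized for key %q", principal, keyID)
	}
	return key, nil
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext for storage. recordID is bound as associated data,
// so a ciphertext copied into a different record fails to open.
func Seal(ks *KeyService, keyID, principal string, plaintext []byte, recordID string) (SealedRecord, error) {
	key, err := ks.ReleaseKey(keyID, principal)
	if err != nil {
		return SealedRecord{}, err
	}
	aead, err := gcmFor(key)
	if err != nil {
		return SealedRecord{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return SealedRecord{}, err
	}
	ct := aead.Seal(nil, nonce, plaintext, []byte(recordID))
	return SealedRecord{KeyID: keyID, Nonce: nonce, Ciphertext: ct}, nil
}

// Open reverses Seal and fails on an unauthorized principal, a tampered
// ciphertext, or a recordID other than the one the data was sealed under.
func Open(ks *KeyService, principal string, rec SealedRecord, recordID string) ([]byte, error) {
	key, err := ks.ReleaseKey(rec.KeyID, principal)
	if err != nil {
		return nil, err
	}
	aead, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(rec.Nonce) != aead.NonceSize() {
		return nil, errors.New("bad nonce length") // GCM would panic otherwise
	}
	return aead.Open(nil, rec.Nonce, rec.Ciphertext, []byte(recordID))
}

// StoredBytes is what an attacker who copies the data store actually gets.
func StoredBytes(rec SealedRecord) []byte {
	return bytes.Join([][]byte{[]byte(rec.KeyID), rec.Nonce, rec.Ciphertext}, []byte{0})
}

func main() {
	ks := NewKeyService()
	if err := ks.CreateKey("customers-2009", "payroll-app"); err != nil {
		panic(err)
	}
	secret := []byte("SSN=123-45-6789") // constructed sample record, not real data
	rec, err := Seal(ks, "customers-2009", "payroll-app", secret, "customers/42")
	if err != nil {
		panic(err)
	}
	fmt.Println("plaintext visible in copied store:", bytes.Contains(StoredBytes(rec), secret))
	_, err = Open(ks, "compromised-web-server", rec, "customers/42")
	fmt.Println("compromised host opening record:", err)
	pt, err := Open(ks, "payroll-app", rec, "customers/42")
	fmt.Println("authorized app opening record:", string(pt), err)
}
```

The point of the design is where the trust boundary sits: the storage host holds ciphertext and nothing else, so the Zip file the attackers carried off in the article would have contained only StoredBytes output, and the only way to turn it back into data is to present an identity the key service accepts. Binding the record ID as associated data is the cheap extra that stops an attacker who can write to the store from swapping records around.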

Looking at the five lessons the article draws, apart from a short mention of layered security and isolation there is not much emphasis on data protection. I think the authors are missing the point: no amount of perimeter security is ever enough, and IDS/IPS and anti-malware only work up to a point.

You need to recognize that the data is the critical asset, not the network or the server. Protect the data, damn it!!
