Information Security Required – Not Infrastructure Security
Information security is one of the fastest growing niches in ICT today, with many organizations looking at adding security or improving what they have. A constant stream of data losses, privacy breaches and hacking successes is fed to us through the popular and technical press on a far too frequent basis.
Many countries, and some industry groups, have introduced legislation and regulation to combat this growing risk, with moderate success. As with all technology-related initiatives, these approaches lag significantly behind the real world. Attackers are cleverer and more devious, and systems are becoming more complex than the existing approaches can cope with.
So what do we do?
Fire 95% of the Information Security professionals.
Not since the introduction of Microsoft’s Certified Systems Engineer (MCSE) accreditation have I seen such a poor influx of “professionals” that believe they know what they’re doing.
Most people agree that security is a process. If so, why are there Information Security specialists and teams within most companies? Are these specialists really embedded into every business process – able to cross the floor between technical and business staff, or are they just part of some comfort blanket for upper management?
“There is always someone more knowledgeable than you.”
The one thing I’ve always lived by is that there is always somebody, somewhere in the world, who knows more about a particular IT topic than the supposed ‘expert’. I dare say many of these individuals will comment on this post.
However, somebody with a certification is like my 13-year-old son with a fact. He thinks he knows everything about the topic and continues to pass on his expertise to anybody who will listen, with a thick slice of arrogance. As my friend says, he’s so stupid that he doesn’t know what he doesn’t know. An Information Security specialist is typically somebody who has a very limited understanding of business, of technology, and of the security of either.
“Information security professionals are typically infrastructure security specialists.”
The normal approach these professionals take is entirely infrastructure-based. Let’s introduce a firewall here, an IDS there and a web content filtering solution over there. We can then supplement this with some anti-virus software, a dash of Active Directory management, and mix it all thoroughly with enough encryption and complex procedures to make it difficult for the business to do anything. In reality, these security professionals are generally creating an illusion of security through obfuscation. It’s a smoke-screen and doesn’t really address the problem of information security.
They think that labelling networks as good or bad, or isolating systems from one another in DMZs, makes the information secure. The theory goes ‘if they can’t break into our infrastructure, they can’t steal our information’.
The theory is flawed my friends.
Such professionals need to take a friend, or colleague, down to the local fish market and procure the largest, slimiest fish they can find and slap themselves with it … repeatedly.
“Wake up sheeple, it’s 2009, not 1999 and the world has moved on.”
How many businesses today want to be more agile? Want to work with mobile technologies? Want to work from home, the office, a hotel room or the surface of Mars? Does it matter if I use my personal iPhone, personal laptop or business desktop? What about using twitter or using AJAX on our web site to send data? What about publishing custom APIs to our partners so they can interact with our data?
And how many times do these same businesses hit the Information Security roadblock? I’m sorry Dave, you can’t do that. It needs to be an approved device, on an approved network using approved software and approved protocols.
And this is a problem many enterprises face today. Information wants to be free. Information Security people want to restrict it because it’s too difficult to protect something that’s freely roaming around the ether-sphere. And because infrastructure controls only protect the information indirectly, they can’t adapt: once the information leaves the network they were built around, infrastructure protection doesn’t work.
When Barack Obama goes to Burger Town, Iraq or the bathroom in the White House his security cordon is modified. His value hasn’t changed, his environment simply poses different risks so the cordon is modified accordingly. The protection Michelle Obama receives in Iraq will be different to her husband’s not because of the environment but because of her. She’s just a less valuable target.
We need to do something similar with information security. We need to identify the assets, rate them in terms of value and understand the threats posed to them in particular environments.
If the antivirus software on my desktop is up-to-date, do you need to block my access to gray sites? Do you need to stop me downloading that .exe? Just give me a desktop for a day and trash it when I log off. My data is stored elsewhere, so you can blow away my desktop every night.
“Let’s move from the indirect protection of information to direct protection.”
If our information security policies could be attached to our data assets themselves, we’d be able to make sure they were always protected, no matter how the data was being accessed, on which device, or in which location.
“Houston. We have a problem.”
For us to achieve this nirvana we need to classify our data though. The most intelligent computer algorithm on the planet will never be able to fully understand the business value of a piece of data. ‘123 Main St’ is an address. It could be a customer’s address, an office address, scene of a crime, a place of business. It could be anything, it all depends on the business context.
If this address is marked as a customer’s address it becomes obvious. Now we know it needs some protection and we can institute policies to protect it. We can also apply the correct encryption when we email it or back it up. Everything becomes easy when we know what the data is.
Appliances sniffing network packets may be able to recognize keywords and make assumptions but they’ll be wrong far too many times to be practically useful.
Information needs to be classified. Google knows this, and this is why it is now supporting microformats and other specifications that mark up data and attribute meaning to it. For Google, it’s about managing data, making smarter algorithms and presenting more accurate results. For businesses, it should be about managing and protecting information assets.
How many enterprises archive data rather than retain it? How many enterprises understand the difference between retention, archiving and backup?
You can’t retain information for the correct amount of time if you don’t know what it is. You need humans to do the tagging and bagging, not computers.
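To make the point concrete, here is a small added example (it is not from the original post) of what “direct protection” looks like once data carries a classification: the label on the asset, not the network it sits on, decides whether it is encrypted in transit, which device posture may hold it, and how long it is retained, which covers both the value-and-environment idea of the Obama cordon above and the retention point just made. A regex-based “sniffer” is included for contrast to show why an appliance looking only at bytes cannot tell a customer’s address from an office address. The labels (`customer-address`, `office-address`), the policy values, the device postures and the street-address regex are all hypothetical assumptions chosen for illustration.

```python
"""Added example (not the post's own code): classification-driven handling
of data assets versus a packet-sniffing keyword guess.

All labels, policy values, device postures and the regex below are
hypothetical assumptions made for illustration."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Handling:
    """Controls that travel with the data wherever it goes."""
    encrypt_in_transit: bool
    encrypt_at_rest: bool
    retention_days: int                 # how long the business must keep it
    allowed_device_posture: frozenset   # device states permitted to hold it


# Hypothetical policy table: the classification decides the protection,
# not the network segment or the device the data happens to be on.
POLICY = {
    "public":           Handling(False, False, 0,    frozenset({"managed", "unmanaged"})),
    "office-address":   Handling(False, False, 365,  frozenset({"managed", "unmanaged"})),
    "customer-address": Handling(True,  True,  2555, frozenset({"managed"})),
}


@dataclass(frozen=True)
class DataAsset:
    value: str
    classification: str   # assigned by a human who knows the business context


def handling_for(asset: DataAsset) -> Handling:
    """Fail closed: an unclassified asset has no policy and may not move."""
    try:
        return POLICY[asset.classification]
    except KeyError:
        raise ValueError(f"unclassified asset: {asset.value!r}") from None


def may_access(asset: DataAsset, device_posture: str) -> bool:
    """The cordon changes with the environment; the asset's value does not."""
    return device_posture in handling_for(asset).allowed_device_posture


def retention_expired(asset: DataAsset, age_days: int) -> bool:
    """Retention is a property of what the data is, not where it is stored."""
    return age_days > handling_for(asset).retention_days


# --- the indirect approach, for contrast ---------------------------------
# A sniffing appliance only sees bytes, so the best it can do is a pattern.
STREET_ADDRESS = re.compile(r"\b\d{1,5}\s+[A-Z][a-z]+\s+(?:St|Ave|Rd)\b")


def sniffer_guess(text: str) -> str:
    """Returns the same verdict for a customer and an office address."""
    return "possible-address" if STREET_ADDRESS.search(text) else "unknown"


def demo() -> dict:
    """Same bytes, two classifications, two very different outcomes."""
    customer = DataAsset("123 Main St", "customer-address")   # constructed sample
    office = DataAsset("123 Main St", "office-address")       # constructed sample
    return {
        "customer_encrypted_in_email": handling_for(customer).encrypt_in_transit,
        "office_encrypted_in_email": handling_for(office).encrypt_in_transit,
        "customer_on_personal_laptop": may_access(customer, "unmanaged"),
        "office_on_personal_laptop": may_access(office, "unmanaged"),
        "customer_expired_after_8_years": retention_expired(customer, 8 * 365),
        "sniffer_cannot_tell": sniffer_guess(customer.value) == sniffer_guess(office.value),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Note the fail-closed choice in `handling_for`: an asset without a label raises rather than silently getting the weakest policy, which is the only safe default once protection follows the data rather than the network.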
Information Security professionals need to start doing their job and stop focussing on infrastructure. They need to take a direct approach to information security and become more business-oriented. Any organization that collects, processes or stores data is morally liable for its protection regardless of legislation or regulation. At best, a data loss would lead to a loss in customer confidence. At worst, it could lead to the demise of your whole business.
If data is classified, it becomes possible to track it and ensure every system is protecting it sufficiently. Without that classification it’s like going fishing in the Atlantic with a revolver. Good luck.