Information used to be about ‘stuff’. You could touch it, pass it to someone else, or hide it if you didn’t want to share it. Such was the case with my homework. I (being of a certain age) would ‘share’ information with my teachers by writing it on paper and passing it to them. I also had to hide it so that the dog didn’t get his paws on it and destroy it – after all you only really get to use that excuse once. I wonder what the modern equivalent of that old excuse is: “the dog hacked my e-learning account and deleted my homework” maybe?
Anyway, back to the point. I’ve been thinking about security in a data-centric world and recent attacks. As always, they ‘attacked’ the network but the target was the data. For example:
CryptoLocker, having breached your network security, is an attack on data at rest (think – the dog didn’t just delete my data; he re-wrote it in an indecipherable language.)
Edward Snowden didn’t sneak into a filing room to take covert pictures of paper documents – he simply downloaded 20,000 documents onto memory sticks without leaving a trace.
Take ATMs: thousands of security experts focus on keeping the cash in the ATMs until an authorised user (you and me) asks for their bit of it. But by exploiting the short lifetime of encrypted data in transit, hackers at this year’s Black Hat security conference have managed to convert an ATM into a very generous slot machine.
And then of course there is Project Sauron…
For a long time security has been a network-centric challenge (control access to an increasingly vague perimeter). But if you step back and look at the bigger picture, it’s not about access; it’s about the ‘stuff’ (aka data). By taking a data-centric view, you can redefine how you think about security, because data is really only vulnerable in three states:
At Rest: On whatever media, data at rest is vulnerable to being accessed through channels other than those anticipated.
In Transit: During transit, data is vulnerable to redirection and interception.
In Use: Applications are vulnerable to being fooled into disclosing information using techniques such as SQL Injection and Cross-Site Scripting.
With this in mind, securing your data becomes less about an ever-increasing arms race to deploy better and better network protection, and instead becomes a more considered response. Put simply: encrypt all data at rest, deploy micro-segmentation technologies to prevent interception, and use technologies (in the case of our solutions, from Citrix Systems) to centralise and then secure the delivery of applications and data.
At Cetus Solutions we take a strongly data-centric viewpoint. If you bake in data security in a way that protects data in each of the three states above then, for the most part, you can stop worrying about the borders/perimeter and instead build an inherently secure, data-centric infrastructure. What’s more, by simplifying and standardising how users gain access to sensitive data, you can make their lives much easier as well. Never a bad thing, that.
Anyway, I must go – my bank just emailed asking me to follow a link to confirm my PIN number and password, and I’d hate to keep them waiting…
PS – That’s my dog – his name is Charlie.