Sunday, 11 March 2007

Data Security - Part III

This is going to be the last part of my data security diatribe, although it will be a common theme of future posts as it's where I focus most of my energies these days.

So, we've established the need for Confidentiality, Integrity and Availability in everything we do related to transactions on our network, this is the first thing most of us learn in IT Security. These transactions can be anything by the way, from a financial transaction with an ecommerce site, to logging in to our PC at work, to looking at our bank details online. They all start with a user, use some sort of network, and then end in storage. I like to represent this with a table, thusly:



Transaction Security Table
Transaction
Availability
Confidentiality
Integrity
User
Network
Data


It might not look like much, but think for a moment where you are concentrating your security efforts at present within your network. I'm talking here as though I'm addressing the network administrators, but really it's everyone's responsibility. Everyone who uses a network, everyone who uses the internet.

The security of it is your choice. You can push for change.

If you don't know about the security of the network you are on, why not?
Why aren't you asking the questions?

It's YOUR information they are using, it's valuable to you, and it's valuable to the people using it. You have a right to expect your details to be secure.

If you DO know about the security on your network, most people will still be sticking a pin right in the centre, at the network confidentiality point, maybe to the left and right a little where availability is needed more than ever, and people are savvy to idea of network integrity. This is OK, it's the obvious place to invest after all. But it isn't the whole story.

Let's fill the table in the best I can at present (please note that this is only illustrative, it doesn't pretend to cover everything):



Transaction Security Table
Transaction
Availability
Confidentiality
Integrity
User
Access Controls
Authorisation
Authentication
Network
Wireless, Load balancers
Firewalls, IPS, etc.
Anti-Virus, Change Control Mechanisms, Digital Signatures
Data
Access Controls
Encryption
Digital Signatures


It looks a little strange, doesn't it? Where with user security we have generic terms, with network security we have specific remedies, and with data security we are back to generic terms, except in integrity where I can only think of one solution that is commonly used. I will cover digital signatures and their multitude of sins in my next post.

For now, consider why there are so many solutions for network confidentiality, and the network as a whole... is it because this is the most insecure place? Hardly.
Is it because that's the place from where everything can be secured? Definitely not.
Is it because that's the easy selling point? Aha!

I can draw you a picture on the whiteboard in your office that shows you, or rather the CFO, VERY simply why you and he need a firewall. I can then go to your techies and show them how it's better than any other firewall because it's simpler, more throughput, higher bandwidth, more intelligent, a nicer colour, more complicated, faster, shinier, taller, better looking and better at toasting.

Getting it past the techies is actually the easy bit, any salesman knows this. Getting the attention of the person holding the purse strings is a little harder, the non-technical person holding the purse strings for a technical sale is harder still.

That's the problem with data security and particularly the integrity part. But that's where I am now. Digital signatures, by the way, really don't cut it.

2 comments:

alex said...

Hi Rob,

When talking about "purse strings" and the need to maintain C,I, and A - one thing that you may want to consider is risk.

Just a thought...

Rob said...

Hi Alex,

I've just been reading your Risk Analys.is blog I think, very interesting stuff. I love the diagram.
Yes, you're quite right, risk is a very important part of what I'm talking about, but not an area I'm really involved in to a great extent. I welcome your feedback in this area however.

Rob.

MadKasting