Friday, 11 May 2007

Let's get physical

Of course data security isn't just about protecting data when it is in storage, or even when it is in transit on the network. It's about the dreaded DRM, rights management, or who is allowed to use the data, for what.

The real problem we have with data is that once it's at an endpoint, a screen or a printer for example, it is almost impossible to control or secure. Once the data can be seen, it can be photographed, copied, memorised even. What controls do we have then?

When that endpoint is a USB storage device, the threats are even more difficult to control, it is up to the user to decide whether to encrypt the information, copy it, give it out, etc.

Well, there are policies, physical controls, monitoring. Everything you have on your network, you can have in the physical world, only better, and easier to manage. Security isn't just about the network. How many times do I have to tell you!

But this is still something which makes people give up on data security before they have begun. They see data as inherently weak once out of the network, so they hide their heads in the sand, and secure what they see. The network. This is a bad way of thinking, not only does it lead to weak data security, it leads to an over emphasis on network security. It's like buying yourself an armour plated car, but not getting insurance.

The way I like to look at it is to think of the network as your house, and the data as your children. OK, spend a wad on your house to put the kids in to start with, and make sure it's got doors and windows, but don't let your kids play on a building site, make sure they are properly protected wherever they go.

Someone over on PCI Compliance Demystified pointed me in the direction of this piece of writing last week. It is still as relevant today as it was when written 10 years ago.

Consider these 2 pieces of information for a moment if you will, and then look at the state of security today. Do you see a model of data-centric security surrounding availability and integrity of information, with confidentiality applied where necessary? Or do you see a ton of devices cluttering up every server room, all clamouring to be the safest because they claim some sort of extra secrecy for your network?

As Fred Cohen rightly asserts: ", I believe that anyone who thinks that information security is primarily about privacy probably just doesn't know very much about information security."

As I rightly assert: "Anyone who thinks information security is about networks rather than data, doesn't know what the word 'information' means."

No comments: