Crossroads Blog | Institute National Security and Counterterrorism

It’s the Data, Stupid: Moving to a Data-Centric View of Security


Opinion: It’s the Data, Stupid!

Dick Egan, who was one of the founders of EMC, a company where I spent a significant portion of my adult life working, had a sign in his office that read “It’s the product, stupid.” To Dick, it really was all about the product, and that thought process translates well into the world of cyber. In cyber, everything comes down to the data: who has access to it, where it is stored, how it moves, and where it moves. Data is king. So why, then, do we spend the bulk of our resources (both technical and human) trying to secure networks, edge routers and operating systems, when what we really care about, what really matters, is data?

A recent article by Jack Danady that appears on ITProPortal makes five predictions about Cybersecurity in 2016:

  1. Election-year debates will likely discuss privacy issues surrounding data;
  2. Cybersecurity will move from a buzzword to mainstream usage;
  3. Terrorist-sponsored cyberattacks will increase in both frequency and impact;
  4. Certification and training programs will spring up everywhere;
  5. Increased civil liabilities and settlements will force industry to adopt cybersecurity standards.

This sounds interesting, but do the 2016 predictions really say anything of substance? When I look at the five key items mentioned, they all seem to be largely reactive, whether the result of the IRS data exfiltration, the OPM data breach, the Snowden and Manning leaks, or the Sony settlement. It seems we are approaching cybersecurity by determining the lowest level of cybersecurity expense that can be incurred in order to minimize liability.

Perhaps a better approach would be to think less about what fences we need to erect (e.g. network defenses) and instead focus on what we are actually trying to protect: it’s the data, stupid! In nearly all the cases mentioned above (OPM, IRS, Snowden, at least for everything gleaned using his web crawler), merely using encryption to protect data would have prevented an exfiltration of readable unencrypted data.

At some point, C-suite executives and public-sector CIOs are going to have to grasp the concept that for every fence that is built there will be an opening through which some attack can be undertaken or, as in the case of Manning and Snowden, the attack will come from within the protected area, rendering exterior protections useless. If the focus is on securing data in its various states (at rest, in flight, and in use), then basic steps can be taken to mitigate an attacker’s ability to obtain usable data.

Furthermore, in the case of insider attacks, if encryption is leveraged with two-person controls, meta tags and automated log analysis, then even if a breach cannot be prevented it can be detected in real time, substantially limiting the amount of data that can be exfiltrated.
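As an added example that is not part of the original post, here is a minimal sketch of how two-person controls, meta tags and automated log analysis can be combined, run over constructed key-release log events. The field names, tag values, window and threshold are all assumptions chosen for illustration.

```python
import json
from collections import defaultdict, deque

# Assumed policy values, chosen for illustration only.
SENSITIVE_TAGS = {"pii", "secret"}   # meta tags that mark protected data
WINDOW_SECONDS = 300                 # sliding window per user
MAX_SENSITIVE_READS = 3              # decryptions allowed per window

def analyze(lines):
    """Scan key-release events in arrival order; return (ts, user, reason) alerts."""
    recent = defaultdict(deque)      # user -> timestamps of sensitive reads
    alerts = []
    for line in lines:
        ev = json.loads(line)
        if not SENSITIVE_TAGS & set(ev["tags"]):
            continue                 # untagged or public data: nothing to check
        user, ts, approver = ev["user"], ev["ts"], ev.get("approver")
        # Two-person control: someone other than the requester must approve.
        if not approver or approver == user:
            alerts.append((ts, user, "no-second-approver"))
        # Volume check: drop reads that fell out of the window, then count.
        window = recent[user]
        window.append(ts)
        while ts - window[0] > WINDOW_SECONDS:
            window.popleft()
        if len(window) > MAX_SENSITIVE_READS:
            alerts.append((ts, user, "bulk-sensitive-access"))
    return alerts

def event(ts, user, obj, tags, approver):
    """Build one constructed log line (JSON) for the sample below."""
    return json.dumps({"ts": ts, "user": user, "object": obj,
                       "tags": tags, "approver": approver})

# Constructed sample log; users, objects and times are invented.
SAMPLE_LOG = [
    event(1000, "alice", "hr/rec-001", ["pii"], "bob"),
    event(1010, "carol", "wiki/home", ["public"], None),
    event(1020, "dave", "hr/rec-002", ["pii"], "dave"),    # self-approved
    event(1030, "erin", "ops/doc-1", ["secret"], "bob"),
    event(1040, "erin", "ops/doc-2", ["secret"], "bob"),
    event(1050, "erin", "ops/doc-3", ["secret"], "bob"),
    event(1060, "erin", "ops/doc-4", ["secret"], "bob"),   # 4th read in window
    event(1500, "erin", "ops/doc-5", ["secret"], "bob"),   # window has reset
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

Because every decryption of tagged data passes through the key-release log, the alert fires on the fourth sensitive read rather than after a whole archive has left the building.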
