The whole ICT market is talking about it and the industry is busy developing applications for it: cloud computing, Internet-centric networking, the ICT networking and application philosophy in which the workstation is nothing more than a window or dumb terminal that lets you access your data and have your processing done elsewhere. Driven by cost cutting and the ever increasing wish for flexible, freely accessible networks, we centralize our data processing and store our data everywhere. The downside of being flexible with the way your data is accessed is that it also attracts people whose objective is to steal or modify your data for their own benefit, or to hurt you and your company. The explosion of small mobile devices like PDAs and telephones with the processing power of the desktops of ten years ago, the availability of small memory devices that let you carry a complete library in your pocket, USB and Bluetooth interfaces that are compatible with almost anything: it is too much to mention, and a real nightmare for the security staff trying to protect the organization's crown jewels.
The logical perimeter where we put our security controls will shift more and more towards the assets that need the protection; in most cases this is the data itself. Digital data can be stored in databases, written in documents, presented in reports or drawn up in blueprints.
Especially in temporary projects where we need to "quickly" share sensitive documents within an inter-company project team, we have the habit of sharing them by e-mail. Without any hesitation, and apparently unaware of the risks, we send valuable information over the public internet in clear text, not sure who is looking at it while in transit and not really knowing who will receive it. Just take a look at your own working environment: how many people you know use, for example, a personal e-mail certificate, and how often are solid agreements made on the use of (sensitive) data? Do we think about whom we trust and whom we do not, and about authorization levels that define who may read, modify, copy or print a certain document? Are the security measures we did implement effective and workable, and how would we know?
Oh yes, workgroup packages and portals that can partially handle this information exchange in a secure way do exist. However, in many cases it is the security policy or network configuration of one of the parties that prohibits their use. In a temporary project there is often no time or budget to get this working, so we forget about it and move forward with the project in the usual insecure way.
To gain some artificial trust between parties we set up a "Non-Disclosure Agreement" to avoid sensitive data being disclosed. We think this covers it, but it does not. The NDA says that we keep the secrets between us, but says nothing about how to keep them secret or how we deal with the data internally. What will happen with the data after the project is finished, or when a project member resigns taking data with him? Who guarantees that sensitive data will not become public because a laptop has been stolen, or because it was thrown away at the end of its lifecycle with a hard disk that was not properly erased?
Despite all the certification programs and policies based on ISO 2700x, SOX or PCI DSS, which can help to cover this kind of issue, it will be almost impossible to close the security gap completely at a cost that can still be justified, especially if only the network or physical perimeters are secured and not the data itself. This has become very hard because sensitive information in data files is so mobile and so easy to distribute nowadays.
Of course we can secure the perimeters of our private networks and buildings even further with security controls like tighter firewall policies and intrusion prevention systems, and we may search everyone at the premises entrance. We should ask ourselves whether these measures would not be too complex, hard to manage, costly or even unworkable if we had to rely on these security controls alone. By the way, try to find a memory card the size of a thumbnail, which may contain the full blueprint of a stealth jet fighter or all diplomatic messages from the last ten years, on a person and in his bags. Do we want to scan laptops, PDAs, telephones and USB sticks at the door? Maybe the bad guy encrypted the stolen data himself, or used steganography to hide it in a .jpg picture, so we cannot recognize or even find it.
No, at the end of the day we want to ensure that people without the right authorization for their role cannot read, modify, copy or print the data itself. This is where another security control must be aimed. The way data is accessed or distributed becomes less important; we should find ways to secure the data itself: who is authorized and who is not, how data permissions are defined and which authorization levels apply. Role-based access control systems, authentication and encryption will become more important.
The combination of new philosophies like cloud computing and de-perimeterisation (as promoted by the Jericho Forum) with existing techniques like encryption, certificates, PKI and biometrics, together with extensive use of file-based attributes, will force us into a new way of working with sensitive information: a way of working that uses the network itself as a freeway, where security controls move from the perimeters to the end-points, the data itself at one end and the client using it at the other.
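To make the idea of the last two paragraphs concrete, here is an added example (not code from the author or from Orange Business Services) of a data-centric control: the document carries its own per-role permission attributes, the content is encrypted, and attributes and content are authenticated together so that nobody can edit the attribute list to grant a role more than it was given. The roles, the permission policy and the shared key are constructed for the example; in practice the key would be released by an authorization service only after the client has authenticated. The stream cipher is HMAC-SHA256 in counter mode, chosen so the example runs with the standard library alone; a real deployment would use an AEAD such as AES-GCM.

```python
import hashlib
import hmac
import json
import os

# Actions the post names. Read (decrypt) and modify (re-seal) are enforced by
# the envelope itself; copy and print can only be enforced by a trusted client.
ACTIONS = ("read", "modify", "copy", "print")

# Constructed sample policy with hypothetical roles: the permissions travel
# with the document as file-based attributes.
SAMPLE_PERMISSIONS = {
    "engineer": ["read", "modify", "print"],
    "reviewer": ["read"],
    "contractor": [],
}


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF (HMAC-SHA256) in counter mode; illustrative, not a substitute for an AEAD."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(key: bytes):
    # Separate encryption and MAC keys derived from the single shared key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _canonical(attributes: dict) -> bytes:
    # Deterministic encoding so the MAC covers exactly what the reader will parse.
    return json.dumps(attributes, sort_keys=True, separators=(",", ":")).encode()


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def protect(plaintext: bytes, permissions: dict, key: bytes) -> dict:
    """Seal a document: encrypt the content, attach the permission attributes and
    authenticate nonce, attributes and ciphertext together (encrypt-then-MAC)."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    attributes = {"permissions": permissions}
    ciphertext = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, nonce + _canonical(attributes) + ciphertext, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "attributes": attributes,
            "ciphertext": ciphertext.hex(), "tag": tag.hex()}


def open_protected(envelope: dict, key: bytes, role: str, action: str) -> bytes:
    """Verify integrity first (so tampered attributes never grant access), then
    check the role's permission, then decrypt. Raises ValueError on tampering and
    PermissionError when the role is not allowed to perform the action."""
    enc_key, mac_key = _subkeys(key)
    nonce = bytes.fromhex(envelope["nonce"])
    ciphertext = bytes.fromhex(envelope["ciphertext"])
    expected = hmac.new(mac_key, nonce + _canonical(envelope["attributes"]) + ciphertext,
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(envelope["tag"])):
        raise ValueError("envelope has been tampered with")
    allowed = envelope["attributes"]["permissions"].get(role, [])
    if action not in ACTIONS or action not in allowed:
        raise PermissionError(f"role {role!r} may not {action!r} this document")
    return _xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext)))


def attempt(envelope: dict, key: bytes, role: str, action: str) -> str:
    """Convenience wrapper: the decrypted text on success, else the error class name."""
    try:
        return open_protected(envelope, key, role, action).decode()
    except (PermissionError, ValueError) as exc:
        return type(exc).__name__


if __name__ == "__main__":
    shared_key = os.urandom(32)  # constructed; would come from the authorization service
    sealed = protect(b"blueprint rev 3", SAMPLE_PERMISSIONS, shared_key)
    for role, action in [("engineer", "read"), ("reviewer", "modify"), ("contractor", "read")]:
        print(f"{role:>10} {action:<6} -> {attempt(sealed, shared_key, role, action)}")
    # An attacker editing the attributes to grant the contractor access is detected.
    sealed["attributes"]["permissions"]["contractor"] = ["read"]
    print(f"{'contractor':>10} read   -> {attempt(sealed, shared_key, 'contractor', 'read')}")
```

The order of checks matters: the MAC is verified before the permission list is consulted, otherwise an edited attribute block could be used to grant access before the tampering is noticed. Note also what the envelope cannot do: it decides who may decrypt or re-seal, but "copy" and "print" restrictions on an already decrypted document depend entirely on the client at the other end-point being trustworthy, which is exactly why the post places the second security control there.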
Marcel is a Managing Consultant, CISSP-ISSAP and ISO27K Lead Auditor certified, specialised in IT Security and Unified Communications at Orange Business Services in Amsterdam since 1998. Marcel has more than 28 years' experience in the electronics, offshore and IT industries, where he has fulfilled roles in electronic engineering, project management, operational management, quality management, managed security development, compliance and consultancy risk assessments.