Big Data might be the big thing this year, but it’s just one step in the evolution of enterprise information systems. Each year they become more powerful. As do the capabilities of their users. Forget the ‘least privilege’ principle. It’s only Data Protection law that limits what they can access.
Such a landscape can no longer be policed by humans and procedures. Technology is needed to leverage security controls. The Golden Triangle of people, process and technology needs to be rebalanced in favour of automation. And I’m speaking as a pioneer and highly experienced expert in process and human factors.
You may wonder where the Triangle originated. Contrary to popular opinion it was not invented by Bruce Schneier. I can’t help you before 1990, which is when I first encountered it in Shell. At that time it was being used in operational research circles.
I first used it in 1991 to help balance the content of the Shell baseline security controls, the forerunner of BS7799 and ISO 27002. Back then we wanted to embed procedures to support ISO 9000 adoption. We also wanted to place more on user awareness. We sought in fact a perfect balance of controls for people, process and technology.
Today I’d ditch the Triangle. It’s become an argument against excessive focus on technology. Yet that’s what we now need. There’s nowhere near enough exploitation of technology in our security controls. We rely far too much on policy and people, neither of which are reliable, especially when dealing with fast-changing, large scale infrastructures.
What’s needed to correct the balance? The answer lies in the use of ‘Big Data’ analysis engines, scalable Cloud services and artificial life intelligence. These technologies are available now but our usage of them is still in its infancy. Ten years ago I experimented with data mining and computational immunology. They worked but it was a major challenge to maintain a positive business case. Funding dried up as the gloss wore off the digital revolution.
It’s now time to get serious with technology and develop the automated solutions needed to meet today’s challenges. Policy and education measures might get you through an audit but they won’t stop an advanced persistent threat.