Security Think Tank: Put information at the heart of security
The belief that effective perimeter security is the best way to protect data is a fallacy that is being repeatedly exposed. We must recognise the need for a data-centric security model to protect data from both internal and external threats, but what does this mean for security professionals?
For the enterprise, security is focused on protecting the organisation. This includes physical security – of premises, individuals, and spoken conversations, for example – and digital security.
Cyber security is the broadly recognised term for digital security – the practice of protecting digital systems, data, and devices from security incidents and breaches.
The evolution of security capabilities in the enterprise has seen some organisations focus on protecting the “perimeter” and expecting that everything in the perimeter will also be protected – the familiar castle-and-drawbridge analogy.
However, this is not always the case and (often driven by compliance) there is increasing focus on protecting the organisation’s data, irrespective of location.
The origins of information security go back to Roman times – a seal on a message to show that it has not been read by prying eyes, a code to decipher information shared between selected groups of people. Today, organisations and individuals continue to protect information – for example, using obfuscation (a privacy screen on a laptop) or security questions to access bank details.
Many organisations now have an information security function. This group is responsible for developing, implementing, and managing the information security policies of the organisation, via people, process, and technology-based security controls. The information security function works alongside the security operations centre (SOC) to protect the organisation’s data, irrespective of format and location.
Data protection focuses on ensuring the confidentiality, integrity, and availability of information. Confidentiality is about protecting information from unauthorised disclosure. Integrity focuses on maintaining the accuracy, completeness, and trustworthiness of information throughout the information lifecycle (create, process, store, transmit, destroy).
Availability ensures that information is available when it is needed by authorised individuals and systems. Although protecting the confidentiality of information is crucial, integrity and availability have equal weight in this triumvirate and must be fully included in an organisation’s approach to information security.
If organisations focus cyber security efforts only on digital systems and devices, without giving sufficient attention to information, they risk inadvertently exposing data. This could be through accidental exposure or a lack of protection, and it could make it all too easy for a malicious attacker to find and exploit the information. The result is the same – a security incident or breach that puts the enterprise at risk.
The move toward risk-based security is gathering momentum, and enterprises are increasingly focusing security efforts where they are needed most. This applies to information risk too. Organisations with an information security function put the protection of information at the core of their security strategy.
Undertaking information risk assessments can help an organisation understand where the main risks to its information lie, as well as unearth risks it may be unaware of. A decision can then be made on how to address each identified risk – mitigate it with security controls, transfer it, or accept it.
The benefits of deploying a risk-based approach to addressing security are that scarce resources – people and money – can be used where they are most needed. The most important risks take priority and are therefore addressed first, making it clear to resource-strapped teams where they should be focusing their efforts.
The knock-on effect is that enterprise information will be better protected against security incidents and breaches – the objective for every organisation that takes security seriously.
Putting information at the heart of security will have the natural knock-on effect of extending protection to systems and devices. This changes the focus from securing the “perimeter” and instead protects information wherever it is located and whatever format it is in – essential for all organisations as their perimeter continues to dissolve.