Since my previous article about Prism, we have heard further revelations of the US National Security Agency's (NSA) interception and surveillance of data.
Prism is evidently the tip of a data privacy iceberg. International “cyber espionage” makes great press, but let’s get this straight from the outset: your data is at risk whether you are small, medium, large, a corporation, charity or nation. Moreover, your sensitive information is at risk.
So why look at intellectual property (IP)?
IP is your most sensitive data; that which you need to control completely. If compromised, it could affect the stability or the existence of a company or product, and as such represents the greatest prize to an attacker. National security has its equivalents – passport data, criminal databases, spy identities – information an aggressive foreign state could use against the home nation to cause disruption and discord.
Think about what you are protecting, and why. Catalogue your information assets, then use a risk management methodology to value those assets and assess the threats to them. Depending on your business, you can assume the biggest threat is from competitors, organised crime or foreign intelligence.
There is an obvious crossover with national security. My own work with KuppingerCole UK has taken me within government and finance at very high levels, allowing me to see these threats first hand. The concerns are demonstrably real.
I worked, some time ago, with the finance department of an automotive company whose blueprints of its next (unannounced) vehicle were published online. This revealed a leak in the system that needed shoring up quickly. Its knee-jerk response had been to encrypt data, but what use is that if your attacker is on the inside of the company, with legitimate access? Encryption is only ever a physical control.
More recently, an online gambling company discovered that details of high-value clients were being emailed out of the organisation to its competitors. In this case, data leakage prevention (DLP) was deployed on all network channels to catch fingerprinted data leaving the organisation. Clever technology, but the legal implications of such widespread surveillance were far-reaching, requiring huge efforts in policy writing, public declarations and interdepartmental co-operation.
Of course, once the criminals know they are being watched, they no longer tend to break the rules.
Defence in depth
Defence in depth is another misunderstood concept: layers of security devices do not create layers of security on their own. Access needs to be secured, monitored and logged. Applications need to be secured, monitored and logged. Networks, databases, email, storage, all of these are places where data is compromised, so how do we know where to protect? Where to spend our valuable security budget? Protection also requires policies and processes that take the context of information into account.
Many programmes do not capitalise on existing controls – current security strategies will be based on network security, preventing data being widely available. Some may even include a strong access management element, ensuring good integrity and some confidentiality.
Look at the blueprint example again. On top of existing network controls, the vehicle blueprints could have been kept inside a cage, physically secured in storage, watermarked, encrypted, tagged as “top secret” or equivalent, and protected by access management and two-factor authentication. Placing data into read-only storage where it cannot be changed gives guaranteed integrity. Watermarked information can reveal its origins. A well monitored access management system would also have reported on the identity used to access the blueprint. Just the knowledge that these systems exist can act as enough of a deterrent to keep disgruntled employees at bay. The other physical and logical controls are enough to deal with the remainder.
All of this is simple to write, but the policies and processes around this level of protection are complex and involved – consult a professional and do not avoid difficult questions.
Robert Newby is an analyst and managing partner at KuppingerCole UK.