Managing security from a data-centric point of view is like herding cats. Rambunctious cats. Cats that want to be free. Cats that spontaneously multiply. Like tribbles.
I was thinking today about how interesting something like a centralized Office suite (such as Google Apps) is when it comes to making sure people are not distributing your data wantonly. For instance, how often have you seen a sales exec who has access to sensitive information on a file share forward a copy of that document to his reports via email? Reports who shouldn’t be seeing that stuff.
This brings me to thinking about data security a bit more. Often I see people talk about the two familiar pieces: Data At Rest and Data In Motion. These are pretty obvious. Data At Rest deals mostly with access permissions and encryption. Data In Motion deals with encryption of the channel over which data is transmitted.
But there is more. What about Data In Use? Can your users print, copy, move, and otherwise twiddle the data they have access to? No amount of the first two pieces will stop that sales exec from making his mistake. Can they open a doc and recite the numbers to someone over the phone, or take photos of it? Yes, that is tough if not impossible to fully stop, but it is a concern nonetheless. (Yes, it is arguable whether we should spend time thinking about the unfixable…)
You know, the corporate world was once a terminal environment with centralized computing. We’ve moved on from that, but so far lots of our issues can be solved with tightening back into centralized computing. We don’t like to think that way, but it’s true.
The two caveats in centralized computing? The mobility trend. The fact that users are also consumers and are used to having “the power” on their computer systems at home.
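One way to put a technical control at the point of use, rather than only at rest or in motion, is to check a document’s classification against each recipient’s clearance before a forward is allowed. The following is an added example written for this post, not code from the original; the level names, users and document are constructed for illustration.

```python
from dataclasses import dataclass, field

# Ordered classification levels, lowest to highest (constructed for this example).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


@dataclass(frozen=True)
class Document:
    name: str
    classification: str


@dataclass(frozen=True)
class User:
    name: str
    clearance: str


@dataclass
class ForwardDecision:
    allowed: bool
    blocked: list = field(default_factory=list)  # recipients who fail the check
    audit: list = field(default_factory=list)    # one line per recipient evaluated


def _rank(level):
    """Map a level name to its rank; an unknown label is an error, never silently 'public'."""
    if level not in LEVELS:
        raise ValueError(f"unknown classification level: {level!r}")
    return LEVELS[level]


def check_forward(doc, sender, recipients):
    """'No read up' at the point of use: every recipient needs a clearance at or above
    the document's classification. The sender must be cleared too; if not, the share
    permissions (Data At Rest) have already failed and the event deserves an alert."""
    need = _rank(doc.classification)
    if _rank(sender.clearance) < need:
        raise PermissionError(f"{sender.name} is not cleared for {doc.name}")
    decision = ForwardDecision(allowed=True)
    for r in recipients:
        ok = _rank(r.clearance) >= need
        decision.audit.append(f"{doc.name} -> {r.name} ({r.clearance}): {'allow' if ok else 'block'}")
        if not ok:
            decision.blocked.append(r.name)
    decision.allowed = not decision.blocked
    return decision


if __name__ == "__main__":
    # Constructed scenario from the post: a sales exec forwards a sensitive file to reports.
    doc = Document("q3-pricing.xlsx", "confidential")
    sales_exec = User("alice", "confidential")
    reports = [User("bob", "internal"), User("carol", "confidential")]
    d = check_forward(doc, sales_exec, reports)
    print("\n".join(d.audit))
    print("forward allowed:", d.allowed, "blocked:", d.blocked)
```

The audit lines are what a detection team would want logged whether or not the forward is blocked, since a blocked attempt by a cleared sender is exactly the mistake the post describes.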
“But there is more. What about Data In Use? Can your users print, copy, move, and otherwise twiddle the data they have access to? No amount of the first two pieces will stop that sales exec from making his mistake.”
no amount of anything will stop someone with view rights from being able to copy what they can view in some sense of the word (where printing is just copying onto paper, for example)… i don’t think even centralized computing has an effect here…
Interesting you bring up the point on “data in use.” Talking about data classification last week, the very issue was brought up. One of the solutions several of our security teams are looking into is DRM — especially our media broadcast security team. It’s funny how DRM can be viewed as a failure from one side (the music business) and how DRM will solve problems from another (motion picture/tv).
The Data in Use concept applies not just to users, but also to applications. An example…
A properly encrypted database will cover personal information during Data At Rest. For an application to use the data — your name and credit card # — it must be decrypted, and it is therefore subject to attack. While TJX is top of mind for fixing Data At Rest and forgetting about Data In Use vulnerability, it happens all too often.
Application misuse of data is a very fixable problem.
Totally love this – I am giving a talk about risks to data in about 40 minutes and I am adding this in 🙂
LV,
One thing my instructor in Taekwondo has taught me is that when sparring in competition, your opponent is at his most vulnerable when attacking. Basically, you wait for his move, then you use it against him. I liken data in use to an attack in Taekwondo. Data in use is when the data is most vulnerable. The opponent has to attack at some point if he is going to win the fight. Just the same, we have to allow the data to be used or it is useless.
Yes, I think it is a concern. But like you said, there is really no way to fully stop that data from being pilfered if the person who has access to it decides to use less technical means of theft. Technology can only carry us so far. Policies have to be the means by which we can prosecute a less-than-ethical exec or other user. It doesn’t stop it from happening, and it can cripple the company if it is very valuable data, but hopefully the company has good procedures for weeding out bad potential employees.
You have entered the realm of trusted/multilevel computing.
We have a technology that ensures users are NOT able to print, copy, move, and otherwise twiddle the data they have access to in an unauthorized fashion. That includes destroying data as well.
“Can they open a doc and recite the numbers to someone over the phone or take photos of it?”
How critical is the data? If it is a mission critical trade secret, it would be possible to allow it to only be viewed on a specific work station, in the presence of security officers or cameras. That would prevent screen scraping (photos) and users could be searched or monitored for phones/cameras/ recording devices. Is this overkill? Would the loss of a critical trade secret cripple the company or not?
Utility of data is an important part of data security (anyone remember the Parkerian Hexad?); however, what you’ve done here is mix up technical and physical controls.
The reason everyone goes on about data at rest and data in motion is because this is the only place we can apply technical controls, or IT Security.
As soon as the data is at an end point, you get leakage which you can’t control by technical controls. Printing, shoulder surfing, photographing, memorising and repeating even.
What you need is better physical security, not more technical controls. If you know you have data x which is going to be such a problem as to cause you major financial loss when it is made widely available, you make it less accessible, and only accessible at a point where printing is not possible, reading over the shoulder is not possible, and otherwise twiddling is positively frowned upon.
This still relies on technical controls, it just means having better data classification and being a bit sharper about what data you’re dealing with.
This was a great article. I didn’t understand all of it, but it opened my eyes to the meaning of protecting all of the company’s private data. My computers from this day on will have the highest protection available. The first leak represents a total breakdown of company security and must be repaired instantly, or risk company development secrets being broadcast to all the competitors.
Thanks for a great article.
Don Hastings