By Jon-Louis Heimerl on January 6, 2012
We have been thinking about information security for thousands of years. But as the world continues to evolve, Information Security must evolve to keep up with it.
Information security is a complex system, made up of hardware, software, and wetware. Hardware primarily includes the computer systems that we use to support our environments. Software includes all of the code, databases, and applications that we use to secure the data. Wetware includes policy, procedure, training, and other aspects that rely on people. Information Security is part science, part art, and to some I am sure it seems like part mysticism. But it is not new.
We have been thinking about information security for literally thousands of years. Yes, thousands of years ago we did not have computers, but we had other mechanisms. Back many moons ago, when mankind was just learning to walk upright, Cronk wanted to keep a secret so he hit Zonk on the head with a rock, and information security was born.
Eunuchs were assigned to protect harems because they were, well, eunuchs. In a similar fashion, many early messengers could not read to make it harder for them to copy the message they were delivering. Some had their tongues removed so that they could not speak of their message, just deliver it. Scrolls were sealed in wax or lead seals so that the recipient would know if the scroll or package were opened. If you read Dan Brown’s The DaVinci Code, or saw the movie, you may have seen the cryptex, a sealed tube with a combination that could expose an included parchment to acid if it were forced open, destroying the contents. Yes, they were real.
The world has evolved since Zonk and Cronk, as has, thankfully, information security. Regardless of the exact mechanism used, the goals have always been the same – protect the information. We like to think that we keep evolving. That is one of the secrets to a long lifespan of a species – the ability to evolve. The birth of the Internet brought huge changes in the way people consume data, and along with it a giant evolution in the world of information security. We had computers in the 1940s, but was there any such thing as a computer virus then?
But these are mostly Confidentiality issues. We cannot forget about the other two parts of the basic security triumvirate, Availability and Integrity. I once worked for a government agency which had an 11 second unplanned outage one Sunday morning. Two and a half years later it was still called “Black Sunday”. I also worked with a large retailer who determined that a prolonged outage of their web retail site could cost them $176,000 per minute in lost sales. I am sure the Southeast Asian villagers who were promised six tons of rice were more than slightly dismayed when the “r” was dropped during communication and the trucks pulled up with six tons of ice. And I am sure that when Greg got 2 mg of morphine instead of .2 mg that it really did matter. So, yes all of these things are important elements in the complex system that makes up Information Security.
Yet, the world continues to evolve. And Information Security must evolve to keep up with it.
For one thing, mobility changes everything. The world changed with mobile laptops, then again with smart phones, and again with tablet computers. Mobile devices offer a whole new set of challenges as organizations struggle to identify and manage the devices. The ultimate challenge is balancing the flexibility that the device offers while controlling the flow of information through the device. How do you enable the user to do what they need to do on the device, while protecting the interests of the organization?
In a similar manner, the rise of social media has caused a fundamental shift in the ways that people look at information. To a great extent, because of social media, more information becomes more available more rapidly. The ultimate challenge is balancing the benefits that can be gained by the rapid communications of social media with the flow of appropriate information through it. How do you enable the organization to make the best use of the enhanced communication capabilities of social media, while protecting the interests of the organization? Cloud Computing changed the way people supported their IT infrastructures. This brings with it a different way of looking at the security placed on that infrastructure.
Cloud Computing brings a shift in the thinking of security, since the goal is to support unique security constraints in a shared environment. To some extent, simplification of the security construct also simplifies the implementation of the cloud, potentially resulting in compromise of both goals. The ultimate challenge is balancing the flexibility that the cloud service offers while protecting information that is supported by the cloud. How do you enable the organization to make the best use of cloud services, while protecting the interests of the organization?
In a more fundamental manner, increased regulatory requirements have had a significant effect on the way people think about security and compliance. PCI was a game changer. Other regulations have followed suit, and affect certain aspects of specific industries in fundamental ways. If actually enforced, HIPAA and HITECH will reshape the healthcare industry, and security-relevant issues are a significant part of that. The financial community is faced with additional Sarbanes-Oxley, FFIEC, red-flag, and anti-money laundering regulations, among others. Breach notification laws have had a huge effect on organizations around the world, both in preparing and managing incidents, and in actually communicating breach details outside of the organization. The ultimate challenge is meeting the regulatory requirements in a meaningful, productive manner, while. How do you meet all your regulatory requirements while protecting the integrity of organizational operations and security?
Perhaps you detect a pattern in the basic question related to each of these challenges: How does an organization meet the challenge while meeting its own goals? The best answer I have is “information”. More than 2000 years ago, Sun Tzu talked about the importance of information when facing conflict. This information about your environment can be turned into intelligence about the state of your own security.
This intelligence about what we do is the single best thing we can do to control the evolution of security within our environment. As long as you understand what data you have in your environment, you can use intelligence about that data and the systems that support it. After understanding your data, the key pieces of intelligence are related to the logs that are generated by the systems that support that data, which are in turn supported by security specific devices within your environment. Actual, real-time log monitoring and management of servers, databases, applications, firewalls, intrusion detection systems, integrity monitoring systems, data loss prevention systems, load balancers, et al. The information generated by these systems can tell you what is happening in your environment, if you know how to accumulate and parse the information. But, don’t forget to add the additional intelligence that we have; where that information is coming from. You aren’t just getting a log event from a server; you are getting that event from REMO001, a PCI server, located in rack 3 in the Lincoln Park Data Center. You are not just getting events from a remote system; you are getting attempts to access proprietary client data over the VPN from Becky’s iPad while she is in Dallas.
We have all of this information – the next evolution in security is using all of this information in a consistently meaningful manner, and acting on it; turning that information into security intelligence. Use the intelligence about your mobile devices to enable appropriate access for the user, since you can match the device with geolocation, time zones, and system types. Use the intelligence about your data to help manage information flow into social media, since you know what your proprietary data looks like and you can monitor the use of that data. Use intelligence about your data and IT operations to manage its use, since you know what data you have in the cloud. Use the intelligence about your environment to demonstrate regulatory compliance, since you know how to profile your PCI environment. Use the intelligence to initiate a measured incident response, and prepare concise breach notification information, since you can more readily identify affected systems.
So, my answer for the next step in the evolution of security is not a paradigm shift, but just a natural step in evolution; making better use of information we already have, and turning that information into true security intelligence.
On the way we’ll just leave Cronk’s information security methods behind.