Forget what you know about information security – it isn’t working
11 May 2015
“Forget what you know about information security – it isn’t working,” said Jason Hart, vice president, cloud solutions, Gemalto, at the ISC2 conference in Dublin.
Hart illustrated this stark point by describing how in the recent past, when much more data was kept in hard copy than is currently the case, information security was not only greater, but easier. Even in the tape era, Hart argued, controls were better and safeguards easier to implement. This has led, he argued, to some skewed thinking in relation to information security in the era of disruptive technologies such as cloud, mobile and big data, and to many common security controls having been dispensed with.
A key point of information security, Hart asserted, is to identify the data ‘crown jewels’ for each part of the business, and the current mechanisms for handling that data. It is equally important, he said, to know if there are any third party or cloud supported services in use that can access that data.
He said that protection in the new environment requires going back to the basics of the old approach, but adapting them for modern needs. To the old, though now perhaps out of favour, mnemonic of confidentiality, integrity and availability (CIA), he said, must be added accountability and auditability. This would facilitate the actions required for a change in thinking: the move from breach prevention to acceptance and remediation.
Hart argued that the better approach is not exclusively focused on prevention but on being in a better position to handle a breach, and a key part of that is the ability to render the data prize useless in the wrong hands. The only way to do this currently, Hart argued, is appropriate encryption.
He said that data at rest requires different encryption methods than for data in motion, with the appropriate storage and use of encryption keys and access controls to ensure that both keys and data access are tightly controlled.
To illustrate just how lacking such controls are, Hart demonstrated a number of Google search methods that revealed everything from secure FTP passwords to encryption keys.
Information security is, and always will be, a business enabler, argued Brendan Byrne, partner, Bridewell Consulting. Tackling the issue of big data, and asking whether it be friend or foe, Byrne stated that big data is no different to any other data insofar as it has value and it has rules to govern its use, but it needs regulation.
Byrne said that organisations still need to get the basics of data management and security right. He said that a security culture must be embedded in the organisation, not a veneer upon it. Awareness and training are a key part of this, he argued, to ensure that personnel feel a part of the security culture, not hampered by it.
Security must be implemented by design too, not tacked on afterward or left until late in any process. This was a point that was explored in depth by Fabio Cerullo, CEO and founder of Cycubix (CISP, CSSLP). Cerullo described how in the rapid development cycles that characterise industries such as mobile apps, there is a greater need than ever for security to be designed into apps from the outset.
Cerullo said that both the applications and the development thereof can be accelerated without security losing out.
Applications need to be developed securely, as opposed to undergoing penetration testing afterwards. By baking in security and secure operation early in the process, it improves overall security and precludes many of the problems that might later emerge, he said.
This requires that developers be empowered through continuous training in secure development. Secure design practices must also be implemented to prevent the introduction of vulnerabilities. This can be achieved, said Cerullo, through the use of automated tools for vulnerability detection and resolution.
Applications with built-in security translate into fewer bugs, which means less rework, facilitating the faster cycles that are increasingly in demand, he said.
Risk management in relation to information security is still in a fluid state for many, according to Michael Baume, associate director, Risk Management International. Threats are increasing but governments and regulators are nervous, he said, all resulting in businesses being unsure.
Baume said that risk professionalism is lacking but solutions are being sought. However, people need to think differently about risk, he argued, in an environment where business models are being built on a global paradigm, with massive change at a pace unseen previously.
Baume outlined five stages of risk maturity. The basic level is informally structured and dependent on local imperatives and initiatives. The awareness level is where there is board awareness, with the introduction of formal processes. The insight level sees risk being professionalised, with a risk appetite framework and data governance commencing. The managed level features integration of risk and strategy into one office with authority derived from the board and CEO. The final stage is value driven, where optimised maturity can positively influence cost of capital, ratings and insurance.
Unfortunately, said Baume, many organisations, even large PLCs, struggle to advance beyond the second stage.
Baume said that management of risk will continue to grow in importance for enterprise, particularly in relation to information security. Risks must be identified explicitly and the process must be future-focused. But the ultimate goal, Baume said, was resilience.