Wednesday, August 01, 2007

Worm vs Thief: Take Your Pick

At a recent security conference (as many have noted, the presentations are not even half the value of such events!), I had an eye-opening chat with a guy who manages security at a large "natural resource extraction" company (to avoid specifics ...). The conversation moved towards "data security" vs "IT infrastructure security," which I always thought to be a somewhat artificial distinction (they are kinda the same, since the sole purpose of IT infrastructure is to process and move data around). However, for this guy the difference was very real; in fact, he said: "I'd rather have all my critical systems fall to a worm than have the details of my mining process stolen and possibly disclosed! We would go out of business the next year." I argued that surely his company has more assets and "crown jewels" than that, but he explained that there are key pieces that, if purposefully stolen, would cause the worst-case scenario to manifest ...

This doesn't sound like a super-deep insight, but it is! The days of people shaking in their boots while thinking of the next ILOVEYOU or Slammer are over. Even though anti-malware defenses aren't perfect and worms are not truly dead (although less relevant), it seems that the threat can be considered manageable rather than overwhelming. Notice that "manageable" is not the same as "gone" or "non-existent."

However, data theft is very real, and that is what makes the security managers of today shake in their boots (and those who don't - MUST! :-)): having your very key data stolen, sold, possibly disclosed, and you - the guardian of such data! - not even knowing how and by whom. We can blab about how hard data classification and sensitive information discovery are, but just do this simple exercise (and consult with your peers, if unsure): theft of which piece of data will make your company go away?! Afterwards, go to the system where that data resides and make pretty darn certain that you log every tiny "fart" :-) that the system and all of its components produce ... You'll be glad you did - your employer's future, and thus your job, may depend on it!
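To make the "log every tiny fart" advice concrete, here is an added example (not from the original post) of what doing something with those logs looks like on Linux: an auditd watch rule on the directory holding the crown-jewel file, and a small script that correlates the resulting SYSCALL and PATH records by event serial and flags any access whose login uid (auid) is outside the short list of people who are supposed to read that data. The directory path /srv/mining, the rule key "crown_jewels", the approved uids and the log lines themselves are all constructed assumptions for illustration.

```python
"""Added example: correlate Linux auditd records for a watched "crown jewel"
directory and flag access by anyone outside the approved set.

Assumes an audit rule like the following has been loaded with auditctl
(path and key name are assumptions for this example):

    -w /srv/mining -p rwa -k crown_jewels

The log lines below are constructed to look like auditd output; they are
not real records from any system."""

import re
from collections import defaultdict

# Constructed sample: three events, each a SYSCALL record plus its PATH record.
# Event 4521: an approved engineer reads the spec.
# Event 4530: uid 1007 escalated to root (uid=0) and copied it out with scp.
# Event 4542: uid 1042 tried to read it and was denied (exit=-13, EACCES).
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1185955200.101:4521): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd1 a1=0 a2=0 a3=0 items=1 ppid=2201 pid=2345 auid=1001 uid=1001 gid=1001 euid=1001 tty=pts0 ses=3 comm="cat" exe="/bin/cat" key="crown_jewels"
type=PATH msg=audit(1185955200.101:4521): item=0 name="/srv/mining/process_spec.pdf" inode=12345 dev=08:01 mode=0100640 ouid=1001 ogid=1001 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1185955200.555:4530): arch=c000003e syscall=2 success=yes exit=4 a0=7ffd2 a1=0 a2=0 a3=0 items=1 ppid=3100 pid=3188 auid=1007 uid=0 gid=0 euid=0 tty=pts2 ses=9 comm="scp" exe="/usr/bin/scp" key="crown_jewels"
type=PATH msg=audit(1185955200.555:4530): item=0 name="/srv/mining/process_spec.pdf" inode=12345 dev=08:01 mode=0100640 ouid=1001 ogid=1001 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1185955201.010:4542): arch=c000003e syscall=2 success=no exit=-13 a0=7ffd3 a1=0 a2=0 a3=0 items=1 ppid=4001 pid=4010 auid=1042 uid=1042 gid=1042 euid=1042 tty=pts4 ses=12 comm="less" exe="/usr/bin/less" key="crown_jewels"
type=PATH msg=audit(1185955201.010:4542): item=0 name="/srv/mining/process_spec.pdf" inode=12345 dev=08:01 mode=0100640 ouid=1001 ogid=1001 rdev=00:00 nametype=NORMAL
"""

WATCH_KEY = "crown_jewels"
# Assumption: the two process engineers cleared to read the mining spec.
APPROVED_AUIDS = {1001, 1002}
AUID_UNSET = 4294967295  # (unsigned)-1: no login session, e.g. cron or a daemon

TOKEN_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
MSG_RE = re.compile(r"audit\((\d+\.\d+):(\d+)\)")


def parse_record(line):
    """Turn one auditd line into a dict of fields, plus _ts and _serial."""
    fields = {}
    for key, value in TOKEN_RE.findall(line):
        fields[key] = value[1:-1] if value.startswith('"') else value
    match = MSG_RE.search(fields.get("msg", ""))
    if not match:
        return None
    fields["_ts"], fields["_serial"] = match.group(1), match.group(2)
    return fields


def group_events(text):
    """auditd emits several records per event; join them on the serial."""
    events = defaultdict(list)
    for line in text.splitlines():
        record = parse_record(line)
        if record:
            events[record["_serial"]].append(record)
    return events


def detect(text, approved=APPROVED_AUIDS, watch_key=WATCH_KEY):
    """Return findings for every watched-key event whose login uid is not approved.

    auid is the uid the session logged in as; unlike uid/euid it survives
    su and sudo, so a root-owned scp still points back at a person."""
    findings = []
    for serial, records in group_events(text).items():
        paths = [r["name"] for r in records if r["type"] == "PATH" and "name" in r]
        for rec in records:
            if rec["type"] != "SYSCALL" or rec.get("key") != watch_key:
                continue
            auid = int(rec["auid"])
            if auid == AUID_UNSET:
                reason = "access without a login session (auid unset)"
            elif auid not in approved:
                reason = "login uid %d not in approved set" % auid
            else:
                continue  # approved reader; still logged, just not alerted on
            findings.append({
                "serial": serial,
                "ts": rec["_ts"],
                "auid": auid,
                "uid": int(rec["uid"]),
                "comm": rec.get("comm"),
                "paths": paths,
                "denied": rec.get("success") != "yes",
                "reason": reason,
            })
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_AUDIT_LOG):
        status = "DENIED" if f["denied"] else "SUCCEEDED"
        print("%s event %s: %s auid=%d uid=%d comm=%s paths=%s"
              % (status, f["serial"], f["reason"], f["auid"], f["uid"],
                 f["comm"], ",".join(f["paths"])))
```

Two design choices matter here. First, the correlation is on the event serial, not on pid or timestamp, because the filename lives in the PATH record and the actor lives in the SYSCALL record of the same event. Second, the decision is keyed on auid rather than uid: in the constructed scp event the process ran as root, and a rule written against uid would have told you only that "root" took the file.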

4 comments:

yoshi said...

I think the issue is that many people that drive "information security" discussions are coming from institutions whose assets are represented largely in ones and zeros (i.e. financial institutions). Protecting the data assets of a transport company or a bio-tech company requires very different approaches and is not normally covered in today's security conferences.

Anton Chuvakin said...

True, but the point is quite the opposite; I was shocked to learn that their KEY assets ARE indeed 0s and 1s...

Anonymous said...

@yoshi;

Information- or data-centric security is the same no matter what the industry.

What is not realized by many security practitioners is that allowing access to data is not the same thing as blocking unauthorized access to the network. Only when that distinction is understood will it be easier to set up proper business data flows and data access privileges that will resist both malware and thief pilfering efforts.

Anton Chuvakin said...

Very true! It is still pretty amazing that even "offline" companies have SOOOO much valuable stuff in the form of bits and bytes :-)

Dr Anton Chuvakin