I don’t have to tell you that there’s a sea change underway in how society uses information. But there is something not immediately obvious about this change: How society’s dependencies are migrating from the real (analog) world to the network-connected digital world.
Once we had to walk down the hall and into a room to meet with co-workers. Today the Internet is mission-critical to our ability to work with colleagues around the globe. This shift in how we create, move, and consume information poses several challenges for IT security professionals today and in years to come.
The first is helping organizations understand and respond to the increasing value of their information. This need entered the public consciousness through the WikiLeaks controversy. The WikiLeaks website is just the first of many such sites we’ll see in the coming year. And it’s not just a concern for governments.
Big businesses are about to get a hard lesson about the real value of their information — data that, used wrongly or mishandled, can cause significant or even catastrophic damage. Data that once appeared innocuous or inaccessible is becoming more valuable, and potentially more damaging, by the day.
Public and private organizations alike must adopt a contemporary understanding of the value of their information, and the trust they place in the people who use it.
Despite advances in security technology, the sad fact is that IT probably had better control over sensitive information 20 years ago. The reasons? Information was centralized. There was less information to manage. The client technology required to access it was slow. And the clients were incapable of massive mobile storage.
There is another reason that should concern us even more. Back then – 20 years ago – the Internet was just beginning. It was designed by scientists and technologists for scientists and technologists. Ordinary folk were tolerated, but they had to learn a language that ostracized whole swathes of society. No more. Web 2.0, social media, the mobile Internet – call it what you will – now runs on a transparent technology platform, and it is being designed by users for users. Those users are not versed in security. Why should they be? It is a whole new behaviour they are having to learn the hard way, as are their employers.
Our employees now have petabytes of corporate information available to them, search engines that help them quickly find what they’re looking for, high-speed Internet connections to the outside world, and easily hidden storage devices that can walk terabytes of information right out the front door, in plain sight. They can connect wherever they like. They can work wherever they like. And they can steal valuable information wherever and whenever they like.
No longer can we automatically trust employees to handle information with confidentiality and integrity. The protection of information will need to be policed internally and brought into a clearer legal framework. From a security point of view, this will mean much stronger confidentiality clauses in personnel contracts and better monitoring of data flows into and out of an organization.
Strongly authenticated employees will need explicit access permissions. Information (including e-mail!) will need to be encrypted. Device use will have to be monitored – desktops, laptops, smartphones, tablets; anything that taps the organization’s data. Firewalls will have to get smarter, inspecting all outbound information to ensure that sophisticated concealment techniques, such as steganography, are not being used.
There are some who will say these approaches amount to an invasion of privacy. They do not. The need is for organizations to monitor their proprietary information, not their people. By understanding their organization’s normal information usage patterns, they will be able to identify anomalies in usage. These anomalies will serve as a red flag for quick investigation.
Governments and businesses now in WikiLeaks’ clutches might have avoided their fate had they monitored, understood, and acted on their organizations’ information patterns. Sudden, large data transfers to unauthorized persons would have been flagged. With the right processes and policies in place, it is possible the leaks could have been plugged.
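The monitoring idea above – learn each user’s normal transfer volume, then flag the sudden large transfer – can be sketched in a few lines. This is an added example, not code from the original post; it assumes a simplified egress log of “timestamp,user,destination,bytes” lines (constructed here) and uses the per-user median transfer size as the baseline, with a multiplier as the alert threshold.

```python
import csv
import io
import statistics
from collections import defaultdict

# Constructed sample egress log (not real data): two users with a steady
# daily pattern, then one sudden, very large transfer to an outside host.
SAMPLE_LOG = """\
2011-01-10T09:12:00,alice,mail.example.com,120000
2011-01-10T10:40:00,alice,mail.example.com,98000
2011-01-10T11:05:00,alice,fileshare.corp.example,310000
2011-01-11T09:30:00,alice,mail.example.com,105000
2011-01-11T14:20:00,alice,fileshare.corp.example,290000
2011-01-12T09:01:00,alice,mail.example.com,111000
2011-01-10T09:00:00,bob,fileshare.corp.example,2000000
2011-01-10T16:00:00,bob,fileshare.corp.example,1800000
2011-01-11T09:10:00,bob,fileshare.corp.example,2100000
2011-01-11T17:30:00,bob,fileshare.corp.example,1950000
2011-01-12T10:15:00,bob,fileshare.corp.example,2050000
2011-01-12T23:45:00,bob,upload.untrusted-host.test,950000000
"""


def parse_log(text):
    """Parse 'timestamp,user,destination,bytes' lines into tuples."""
    return [(ts, user, dest, int(size))
            for ts, user, dest, size in csv.reader(io.StringIO(text))]


def flag_anomalies(rows, factor=10.0):
    """Flag transfers larger than `factor` times the user's median
    transfer size. The median is a robust baseline: one huge transfer
    barely moves it, so the outlier still stands out against it."""
    per_user = defaultdict(list)
    for _, user, _, size in rows:
        per_user[user].append(size)
    baseline = {u: statistics.median(s) for u, s in per_user.items()}
    flagged = []
    for ts, user, dest, size in rows:
        if size > factor * baseline[user]:
            flagged.append({"time": ts, "user": user, "dest": dest,
                            "bytes": size,
                            "ratio": round(size / baseline[user], 1)})
    return flagged


if __name__ == "__main__":
    for hit in flag_anomalies(parse_log(SAMPLE_LOG)):
        print(f"ALERT {hit['time']} {hit['user']} -> {hit['dest']}: "
              f"{hit['bytes']} bytes, {hit['ratio']}x normal")
```

Only bob’s late-night transfer trips the threshold; his routine multi-megabyte file-share traffic does not, which is the point of baselining per user rather than applying one global limit.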
For more on this topic watch for my next post: “The Seismic Shift in Security: Part 2 – Information Push, Information Pull.”