IT Security - Defense in Depth Protection using a Data-centric Model

Michael Bacon Excellent points, well made. But I'm not surprised that it's taking so long for people to understand and properly value this vital asset.

The theme of this (deliberately challenging) comment derives from my taking issue with referring to it as a "data-centric" model - albeit I accept the title as a handy one with "saleability" to management. In passing, I also decry the term "data loss" when "data leakage" is more accurate.

I maintain that data /per se/ has no more than its intrinsic value. A mass of figures could be a balance sheet or the output of instrumentation in a nuclear power station. The value lies in "information", and information is more than simply a collection of data. It requires structure and context for those data and it needs interpretation. And it's the "interpretation" requirement that means measuring the value of information is tricky. A case of: "One man's meat is another man's poisson *."

And that is where the problem has long lain ... in valuing information.

Information is an asset that more than one person can (and likely will) value differently (possibly radically). Information is an asset whose value can change at unpredictable times and to unpredictable extremes. Information is an asset that is intangible.

From a security perspective, we can think of three generic types of valuer, the "owner", the honest user, and the crook ("hacker"). These three will value the information differently according to their nature and intentions.

But which of the three values is correct? I would argue that each is correct to the valuer.

So which is the value that should be attributed to the information to determine the degree of protection afforded it - i.e. the cost of the security measures to protect it? The security manager wanting to increase their budget will tend towards the higher. The owner may well tend towards the lower. The user probably won't be asked ... but might be the one with the best perspective.

Even valuing information by the harm that might be caused by its loss or corruption is challenging. Few organisations can really address this effectively - even though the need may be embedded in legislation or regulation - as it too is subjective.

In my experience there is no singular valuation model other than a too-simplistic one. Each organisation needs to develop its own valuation criteria. One thing, though, is key, the establishment of information owners with the responsibility and accountability for valuing the information they own. This forces business decisions on the spend necessary to protect its CIA and the formulation of rules for "information custodians" (typically the IT department) to facilitate the proper protection of the data (yes, "data") that underpins the information.

Of course, "data" might mean "information" to another reader. This too can be a matter of interpretation :-) .

[Loosely extracted from a number of presentations given by the author on the subject of valuing data and information. The views and opinions expressed above are exclusively those of the author speaking in a private capacity.]

Mike Cuppett Michael,

I totally agree that data must be interpreted, and often combined with other data, to become actionable (valuable) information. Knowingly, I used the term “data” in the article because an organization’s security team must treat all data as potential information, protecting it’s prospective derived value, not it’s internally perceived value. We cannot predict who may steal the data or what value they could glean from the data, therefore, we have to protect the data, even in its rawest form.

Thanks!

Phil Dexter Mike, here's an interesting event in sync with your concern. It will be conducted on Thursday, November 5, 2009 from 11:00AM to 12:00 PM PST and will be focussing on Data Security, you can register for it at (http://budurl.com/liebsoftpco).Hope you get best out of it.

Robert Edwards You are only partially correct in the defense in depth analysis. Like most IT professional you are only looking at the center problem and failing to relate to the larger picture. your diagram needs to be expanded outwards like the Defense Information Systems Agency (DISA) Security Technical Implementation Guide (STIG) for Access Control.

This STIG shows in Figures 2-1 and Figure 2-2 the remaining interpretation of information Assurance Defense in Depth. fig. 2-1 shows a Bullseye concept from the physical security side of protecting data with the pictoral depiction found in 2-2. The outer most defense is the perimeter defenses depicting a fence around an installation or compound. The installation can be accessed by road, rail, air and water.
What resources neee to be employed here to protect information such as medical, fire, force ptotection, cameras, lighting, etc.. The next circle depicts the building defenses and the various access points available to an intruder: Front Entrance, Side Entrance, loading docks, underground parking, heating and air conditioning ducts, roof, elevators, windows and Stairwells. The next circle represents a floor or bay scenario with entry points as the roof, stairwells, elevators, windows or ducts. The next circle depicts a room with entry points as possibly the floor (raised), ceiling, doorways or ducts. All of these circles represent a different layer or security with their own unique security requirements that are often overlooked as they are an indirect cost to the current information systems. The inner circle represents your own depiction of the defense in depth without really identifying what it is we are supppose to be protecting.

Roy Clark once stated that he made alot of money and alot his money goes to the parties that he gives. The one thing that he does not wish to have happen is to have someone state that he should have been at the party last night. In so saying we have alot of controls (federal laws, presidential directives), and alot of these controls may apply to our systems, but the one thing we dont want to have happen is to have our management explaining to the CEO or congress as why we did not follow this particular process. Our answer, well the committee that selected our controls for us, advised us that we did not have to worry this control as they felt it was beyond our control to handle. Thus we have NIST, DOD and the Intelligence Community's standards of the SP 800-53, DODI 8500.2 and new IC 1253 control sets.

Early on DOD identified seven safeguards needed protect and information Systems: Administration, Communications, Computer, Personnel, Physical, Procedural and Emanations. Currently there are only five security safeguards found in every organization: Communications (COMSEC), Computer (COMPUSEC), Personnel (PERSEC), Physical (PHYSEC) and Operations Security (OPSEC). But what you will not find is the Subject Matter Areas (SMA) associated with each Safeguard. Why is that?

The Defense in Depth approach must first start with the outer most circle and work their way inward to the Informtion Technology System (ITS). Here you have the WAN, MAN, LAN, VPN, then the Systems, Servers, Databases, applications, Firewalls, IDS, Routers each one to be addressed individually and then combined with other components to form a more comprehensive risk analysis of the system in question.

Dont believe NIST SP 800-53 rev 2 footnote 7 or rev3 footnote 11 identifies an information systems comprised of components. Components being firewalls, servers, IDS, applications, Switches, databases, email, etc.

Questions.

Mike Cuppett Robert,

I agree that the model could be expanded outwardly to include building and other physical security aspects. However, my intention was not to include a fully developed model, but rather to be another voice expounding a shift in the focal point of security to the asset needing the most protection – data.

I still disagree with models that start at the perimeter and work inwardly. Each model, given enough time and money, will deliver a protective posture that meets external and internal governance requirements. However, hypothetically, if the environment was totally insecure, would you make your first investment in data protection, a fence or a firewall? I would choose data protection for its ability to thwart internal threats, such as employee errors and deliberate data destruction or theft, and in events where a physical or network breach occurs, the data is still not readable upon access.

We, whether meaning you and me or the different proponents of the various models, will probably never agree to a single, all-encompassing, best-practice model, however, our continued debate should improve every models weakest elements.

Thanks!