
PGP CEO Blog


The NEW Data Wars Have Begun
17 Sep, 2008

Chapter 3: New Enemy, New Strategies, and a Few Old Weapons

If you’ve been following my blogs for the last couple of weeks, you know that we have entered a new phase in the war against hackers and cybercriminals. Moving forward, the bulk of data breaches perpetrated against private and public enterprises will be driven by large well-organized criminal syndicates based primarily in Eastern Europe and Asia.

The new battle will be somewhat more symmetric in nature than the battles of the last 15 years, but no less dangerous. In fact, when future exploits succeed we’ll likely see much larger financial losses than is now common.

The multinational criminal syndicates bring many more resources, and much more focus and discipline, to this battle than the small bands of criminal hackers we’ve faced historically. This new breed of cybercrook is now perpetrating, and will continue to perpetrate, fraud on an unprecedented scale. I believe what this means is that we’re going to need to completely rethink the battle strategy.

The Jericho Forum’s prediction about the demise of the data “perimeter” has proven to be remarkably accurate. With critical sensitive data now residing on nearly every laptop and smart phone in use in corporate environments, new approaches that accommodate the free AND secure flow of this information are required.

I now also believe that the concept of “extending the perimeter” is a fundamentally flawed concept in that it assumes there IS an identifiable perimeter to defend. In fact, confidential data now resides on so many devices carried by mobile employees and the providers of “cloud based” data services that I’m not sure just how you’d know if you had a successful perimeter defense in place.

Just because you’ve locked down every single device and communications link inside an enterprise doesn’t mean you don’t have your entire employee, customer, or partner database sitting on a service provider’s database behind a firewall with out-of-date firmware and attack signatures. It also doesn’t mean that the data on those devices, even when they are behind the purported perimeter, isn’t being breached by insiders with a financial incentive to release that information to the syndicates that can monetize it within hours.

Given the number of places confidential information must reside, the startling vulnerability of the devices on which it resides, and the increasing sophistication of the miscreants that wish to steal that information, the time has come to develop new security models that leverage these trends rather than attempt to impede them. At PGP Corporation we’re working on a few of these new approaches based on the dramatically changing threat models we’re now seeing.

These new approaches fall broadly into two categories: data-centered defense, and collaborative offense based on new types of public/private partnerships. Today we’ll deal with the first of these. At PGP Corporation we’ve been telling our customers that you have to focus on “defending the data” in order to have a comprehensive data security strategy. Until recently we’ve always structured this argument in terms of data encryption in addition to all of the device security required to protect confidential information. In the last six months, however, we’ve come to believe that we need to turn the analysis on its head and start with the data itself.

There’s been much written about “data lifecycle” and I don’t want to review that concept here in any depth, but I do want to point out that without a thorough understanding of the threat models to which any piece of data is subject at every step from creation to archive, it is practically impossible to design or implement an effective information security strategy. Just a small number of the questions that must be answered about something as simple as a quarterly sales report shed light on why this kind of “inside-out” analysis of data is the more effective approach to designing new-generation security systems.

A few of my favorite questions are:

  • What roles (not who, but what roles) must create, report, alter, or consume the data? You can worry about who later, but this first step requires a really honest assessment of role-based security and its place in your defense strategy.
  • How long is the data considered current?
  • Where will it be stored, on how many devices, and what are the three most common threats each of those devices faces?
  • How will the data be destroyed and how will we know?

This is obviously not a comprehensive list, but I can assure you that if you answer these questions candidly and completely, you will have a running start on identifying the security issues that actually affect your ability to protect the confidential information in your enterprise.

It may seem radical to some, but if the creators of malware are focused on the data, then the data loss prevention design process must be as well. My belief is that if you perform this exercise for even one piece of mission-critical data, you’ll find that security strategies that simply layer atop existing IT infrastructure are incapable of providing anything like a comprehensive security solution. To achieve that, new strategies, smarter policies and tools that travel with the data are required.

Not only must the defenses travel with the data (a little like bodyguards), they must also adjust to account for the location and state of the information. Thus, a security system that protects a photo of a whiteboard taken by a smart phone might use one set of policies and tools to protect the data on the phone, a completely different set when that photo is in transit to a corporate data center, and a third set when it lands in shared storage. The key to this kind of data-centric security is ensuring that all of these policies are developed and managed centrally (for control) while they are deployed in a completely decentralized manner that allows the information to flow fast and wide in support of the enterprise’s core business functions.

It is through this data-centric approach to protecting confidential information that enterprises will be able to achieve the perspective that will lead to sustainable competitive advantage relative to the “bad guys”. Protecting confidential information is no longer about devices, perimeters, or fixed defenses…it’s about the data.

- Phil
