Data Security – A Game of Shadows

This November 2nd will mark the 25th anniversary of something momentous. On November 2nd, 1988, the first ever worm hit the internet: the Morris worm. Launched by a student of Cornell University as an experiment, not only did it end up bringing down many systems connected to that early version of the internet, but it was also a true marker of the transition of the internet to an ‘insecure open network’.

Twenty five years later, as IBM leverages the power of the cloud to offer DoS protection, and some of the biggest brands including Apple, Google, and Adobe suffer from a wave of sophisticated internet attacks, it is tempting to look back at that moment and consider it a ‘Pandora’s Box’ event. The box was always meant to open, it was just the trigger event that set things in motion.

As individuals who have witnessed the breathless rush of technology changing the face of the internet every few years, we know it’s been a very long journey from bulletin board systems, telnet and usenet to AWS, Google Authenticator 2-factor authentication and private clouds hosted in datacenters. From hacked database servers on the public internet with default passwords and no IP restrictions, to sophisticated sweeps of an organization’s networks: attacks that take weeks, months, or even years to execute.

Truly, data security for the business of 2013 is a game of shadows!

That reminds us of this quote from a favourite movie we rewatched recently (Sherlock Holmes: A Game of Shadows 2011) -

Sherlock Holmes: [v.o] His advantage, my injury. My advantage, his rage. Incoming assault feral, but experienced. Use his momentum to counter.

[as Holmes hits Moriarty in the face, everything stops and the audience watches Moriarty’s face]

Professor Moriarty: [v.o] Come now, you really think you’re the only one who can play this game?

[Back to the analyzed fight]

Professor Moriarty: Trap arm, target weakness. Follow with haymaker.

Sherlock Holmes: Ah, there we find the boxing champion of Cambridge.

[Holmes throws a hook at Moriarty’s face]

Professor Moriarty: Competent, but predictable. Now, allow me to reply.

[Moriarty throws several punches at Holmes’ shoulder]

Sherlock Holmes: Arsenal running dry. Adjust strategy.

[Holmes tries to kick Moriarty but fails]

Professor Moriarty: Wound taking its toll.

Sherlock Holmes: As I feared. Injury makes defense untenable. Prognosis, increasingly negative.

The Inside Threat

While Holmes was able to discover his opponent, the business of today does not have that luxury. As Steve Pate writes in ComputerWorld (read here):

“Depending on which research you read, insiders are responsible for anywhere from 14% of data breaches (as published in the Verizon 2013 Data Breach Investigations Report), to over 36%, as Forrester Research has published. Both of these reports make the important distinction between malicious insiders, who seek access for profit or revenge, and the employees who simply make mistakes — leaving data exposed or vulnerable. Frankly, from a compliance or breach notification standpoint, these nuances don’t matter. If sensitive or regulated data gets out, you’ve got problems.”

How do businesses today handle a situation where they are engaged in a game of shadows with multiple opponents that they cannot possibly identify? And what’s worse, how do they handle the fact that some of these opponents lie within the organization?

Simplify, Empower and strike the balance between Consistency and Adaptation

First, simplify.

Look for the simplest solutions that help organize and secure your networks, resources, and employees. For instance, when doing network security, look for solutions that work with networks, not with resources / servers. When securing data-at-rest, that’s the time to be able to work with servers – physical or virtual – and the resources that they host. Look for solutions that do one thing with simplicity, elegance, and transparency. Your overall architecture will be a lego-structure of solutions which address different requirements without huge overlaps. The ability to use abstract thought to plan your security arrangements is invaluable here – a practical approach will save you time and money until the first breach costs you a huge packet and makes you go back to the drawing board!

Second, empower.

It’s so easy for us to forget that employees are human beings, not mechanical objects. Because an organization has so many areas where it cannot control its employees’ actions, employees will always end up with power. Recognizing this reality and proactively empowering employees in a sensible manner gives businesses a better chance of ensuring they aren’t cracked wide open by the maverick actions of their employees. For instance, some organizations fear and bar BYOD – this does not mean that BYOD does not happen on their premises. A little planning allows IT to select BYOD mechanisms that are sensible and yet limit the risk involved.

Third, strike the balance.

Organizations – especially in the enterprise segment – tend to be large and have many disparate departments, sections, units… A uniform data security policy or IT policy across all segments is much harder to achieve. This is precisely why compliance regulations (like PCI-DSS) are so carefully written and allow for different forms of implementation: such regulation is to be imposed on industries with companies of all shapes and sizes. We would suggest that businesses create uniform policies, but focus more on the requirements (what is to be achieved) than on the instructions (how it is to be achieved). For instance, we hear of large corporates with ‘renegade’ teams hosting on AWS without consulting their superiors, just because IT responds so slowly to individual requests. It is far better to legalise these deployments but put pressure on departments to ensure that such deployments conform to the mandated requirements, even if they don’t follow the instruction “Use only our private cloud!”.

Understand Security in Cloud + DataCenter better

You can read more of our articles (link to blog) or better still, contact us today! Email us at info@ciphergraph.com – we have what it takes to help you make sense of this treacherous game of shadows.