Richard Bejtlich at his TaoSecurity Blog makes a very strong assertion that we’re all idiots for wanting to protect data, rather than the container.
I’m not going to play a semantic game about protecting data versus the thing the data is in at the moment, but honestly, I think he misses a really strong point as to why we’re moving away from the failed network-centric strong border / soft center protection racket to a more secure data-centric protection scheme.
I will not disagree with Richard that we secure the containers, not the data, but we secure the containers BECAUSE of the data, not the other way around. For far too long, we’ve thought about the enemy outside the gates, when it’s actually the folks inside that cause many breaches.
The weakest link in any protection scheme is the humans.
- They have weak passwords
- They (rightfully) share information about themselves with their friends and (not so rightfully) with the Internet at large, making password resets untenable.
- Folks accidentally disclose data assets all the time: laptops, backup tapes, USB sticks, briefcases containing the data.
Should we care if I lose my phone? It contains my address book, which I can sync again to the next phone, and little else. But to a CEO, the phone holds e-mails, internal VPN access, browsing history, contacts, calendars and more. What differentiates my container (my iPhone) from the CEO of Apple’s container (Steve Jobs’ iPhone)? In a Richard world, nothing – they should be protected equally. But it’s really about the data the container holds and what data the container has access to.
Data in and of itself is intangible, and generally cannot be secured if it wants to get out (see WikiLeaks for an incontrovertible example). I think Richard and I agree on this bit. Where I stray from Richard is this: to ignore the data is to miss the point of information security entirely, which is why I take umbrage at his ad hominem attack.
- If you have backups, you’re changing the data’s container, but you’re protecting the asset (the data) and not the container by doing backups. We’re planning for a complete loss of the container.
- If you have a DR site, protecting the container is secondary to protecting the data.
- If you have a distributed cloud, protecting the container is nigh on impossible as you don’t control them.
- If you’ve printed previously encrypted data, the container and its protection controls have changed. The need for protection hasn’t changed, just how those controls work.
Lastly, it comes down to classification. If we ignored the data, we would protect the most expensive containers, rather than the business critical data.
- The CEO’s high-end home desktop would get more protection than a USB stick containing next quarter’s results. I bet I know which the company would fret about more.
- The WAF would get more protection and monitoring than the HR server, as the WAF costs 10x as much as any one commodity server.
- The SAP system would probably gain some attention as it would consume a chunk of change from the IT budget, but would you put it in a data center or in a closet?
We’re not idiots for promoting protection of the data. The containers and pipes BECOME valuable, and we protect them because of the data sitting in or passing through those containers and pipes. We only protect those tangible assets because we pay enough attention to the data’s classification and its various requirements for protection.
Really, we don’t need to call each other names to try and bring us back to the failed border centric fold. We can disagree with each other as gentlefolks and not call each other names. I’m amazed that Richard has gone down the attack path as I normally agree with 99% of all his blog posts.
3 thoughts on ““Protect the Data” Idiot! Redux”
As the old saying goes, “Defense in depth…”. We should focus on protecting both. Data, first and foremost, and then the container, et al…
Well, I don’t really see a fight here except in terms and sentences. We all know that security has a price, whether it’s for a container or some piece of data, so both the container and the actual data need protection, reasons obvious, and that’s what I think is going around these days over the wire and on the air.
I don’t see any ad hominem attacks here, so I’m not 100% sure what you are on about from that POV.
I also like the generic container concept as well, so will use that in this comment.
What I’ve read in these two blog posts — more so Richard’s than yours (and bear in mind I’m coming at this via an IT Service Management prism, not InfoSec) — is a disregard for why we are protecting the data in the first place.
If I understand the arguments correctly, both sides of the equation are calling for a one-approach-fits-all strategy, and even one-size-fits-all tactics, which ignores to a large part both costs and business drivers (Andrew, you did touch on this in your antepenultimate paragraph). The first bullet point in there, what is stored on the CEO’s high-end laptop? You’re not calling out explicitly in this example what data is stored in this container, so how can I make a like-for-like comparison? Sure, some *assumptions* have probably been made about what is stored on there, but have they been tested (leaving aside the delicacies of auditing the CEO’s laptop 🙂 )?
Categorization of data is important, sure, but not just for the reasons you’ve mentioned, also driving policies on appropriate container selection. Look at the discussion starting to ramp up now about utilities running SCADA systems on the internet, for example. Additionally, one of my clients has got three levels of data classification, and clear policies on appropriate container selection (and I include crypto schemes as being a container here) with a whopping great stick of breaking that policy.
Where Richard’s argument falls down, is that a data set (and possibly some of the data itself) can exist in an abstract sense before being placed in a container. If data cannot exist until it is in a container, and assuming you have a policy like my client above, there is no way, a priori, to select the appropriate container for that data. So a person needs to have at least an idea of the type (and level) of the data before performing an activity with that data.
I agree totally that humans are the weakest link, and from that perspective, data protection or container protection doesn’t matter a jot — it’ll be circumvented. It also does not matter whether the circumvention was malicious or incompetent; people are still the weakest link.