Dan Geer wrote an article for SC Magazine, “The enterprise information protection paradigm,” discussing the fundamental disconnect between the value derived from data and the investment made to protect it. He asks the important question: if we reap ever-increasing returns on information, where is the investment to protect the data? Dan has an eloquent take on a long-standing viewpoint in the security community: that Enterprise Information Protection (EIP) is a custodial responsibility of corporations, because information is core to revenue generation and thus to the company’s value.
Dan’s point that we don’t pay enough attention to (and spend enough money and time on) data security is inarguable: we lose a lot of data, and it costs. His argument that we should concentrate on (unifying) existing technologies such as encryption, audit, NAC, and DLP, however, is flawed. We already have plenty of this technology, so more of the same is not the answer.
Part of our problem is that in the real world, inherent security is only part of the answer. We also have external support, such as police who arrest bank robbers; it is not entirely up to the bank to stop them. In the computer security world, for various reasons, legal enforcement is highly problematic and far less aggressive than for physical crimes like robbery.
I don’t have a problem with Dan’s reasoning on this issue. His argument for the motivation to secure information is sound. I do, however, take issue with a couple of the examples he uses to bridge his reasoning from one point to the next.
First, Dan states, “We have spent centuries learning about securing the physical world, plus a few years learning about securing the digital world. What we know to be common to both is this: That which cannot be tolerated must be prevented.” He puts that in very absolute terms, and I do not believe it is true in either the physical or the electronic realm. For example, our society absolutely does not tolerate bank robberies, yet the preventive measures are minuscule. The banks are open for business and pretty much anyone can walk in the door. Rather than prevent a robbery, we collect information from witnesses, security cameras, and other forensic sources to find, catch, and punish bank robbers. We rely on the threat of the penalty to deter most potential robbers, and on sound police work to catch up with the remainder who are daring enough to commit these crimes.
While criminals are very good at extracting real value from virtual objects, law enforcement has done a crappy job at investigating, punishing, and (indirectly) deterring crimes in and around data theft. These two crucial factors, punishment and the deterrence it creates, are largely absent for electronic crimes compared with physical crimes. It’s not that we can’t; it’s that we don’t.
This is not to undermine Dan’s basic point: enterprises that derive value from data are not protecting themselves sufficiently, and are contributorily negligent. But stating that “The EIP mechanism – an unblinking eye focused on information – has to live where the data lives” and “EIP unifies data leakage prevention (DLP), network access control (NAC), encryption policy and enforcement, audit and forensics” argues that network and infrastructure security are the answer. As Gunnar Peterson has so astutely pointed out many times, while the majority of IT spending goes to data management applications, our security spending is predominantly in and around the network. That means the investments made today secure data at rest and data in motion, rather than data in use. Talking about EIP as an embodiment of NAC, DLP, and encryption policy reinforces the same suspect security investment choices we have been making for some time. We know how to effectively secure data “at that point where data-at-rest becomes data-in-motion”. The problem is that we suck “… at the point of use where data is truly put at risk …”, and that point is not the network or the infrastructure, but the application.
A basic problem with data security is that we do not punish these crimes at anywhere near the rate we punish physical crimes. There is no (or almost no) deterrence, because examples of catching and punishing the perpetrators are missing. Further, investment in data security is typically misguided. I understand how this happens, since protecting data in use is much harder than encrypting TCP/IP sessions or disk drives, but where we invest is a critical part of the issue. I don’t want this to come across as disagreement with Dan’s underlying premise, but I do want to stress that we need to make more than one evolutionary shift.
10 Replies to “Answering Dan Geer: It’s Time to Reexamine Priorities and Revisit Paradigms”
In the physical world, if you steal a car you cannot use its value if you do not have the identity of the owner. The problem in the information world is that this rule does not apply, since the owner’s identity is not bound to the information and the use of its value.
Bank robberies and the stealing of data will not cease, and the path to their decline lies only in protection and surveillance.
Raw data cannot have an owner, but valuable information, transactions of data, can, by assigning, for example, a digital signature to it.
In this manner, the motive for hacking for information loses its sense, at least partially: if you cannot use it, why steal it?
My point is that I believe most hackers are doing this job because it’s easy to use the information and earn money. If this factor is covered, focus can be put on data exposure protection, disruptive attacks, DoS and so on.
Feel free to consider an article explaining EIP by the editor of a major IT publication fluff. It’s a legitimate, non-pay-to-play article, which is more than I can say for what most analysts write. Yes, I am in PR, so I suppose we are in direct competition for vendor dollars. That may explain your hostility.
@Betsy – Did you send the right link? Do you have some sort of professional affiliation with Verdasys? I don’t see how you can claim that this is “More validation of Geer’s paper” … and this looks like some brain-dead PR move to promote a vendor. It’s fine if you want to post here, but we *require* that you disclose your professional affiliations. I also suggest that you bring a valid point of discussion to the conversation rather than linking to promotional vendor fluff, as it reflects poorly on your client.
-Adrian
More validation of Geer’s paper on Enterprise Information Protection from Bob Evans at Information Week here:
http://www.informationweek.com/news/global-cio/security/showArticle.jhtml?articleID=223101636
Rob Lewis:
>> Your attitude towards accidental data leakage seems quite lax, which is part of the problem. We are dying a slow death from thousands of tiny cuts. <<
Not sure how mentioning that accidents would not result in law enforcement action implies a lax attitude. I merely comment that by focusing on wishing for strong external forces like LE to be brought to bear, we focus on the small percentage of loss that is done with intent and by criminals. The vast majority of data are lost through accident or ignorance. We need to focus on the business process that leads to data loss if we want to really solve the problem. After all, this is a business problem, not a technical one at its essence.
I love the posts and the discussion. But I’ve got to firmly stand behind Dan’s comment of “That which cannot be tolerated must be prevented.” To the bank example, they put enough preventative and deterring controls in place to make what’s left over tolerable. If it wasn’t, they’d do something different (and they do every once in a while, don’t they?). There’s a difference between society saying bank robbery is intolerable and the amount a company may devote to stopping it. To support Dan’s point, companies and yes, even societies will devote just enough resources to a problem to make living with what’s left over tolerable. There is a limit to the amount of investigatory effort police put into any crime, just as there is a limit to the budget for security in companies. To re-word Dan’s statement: the budget to fix a problem finds an equilibrium against the risk of not spending more (k, little sloppy but hopefully my point gets across).
The question that came to my mind was really how intolerable is the state of (in)security for any given company? If they aren’t spending the resources we may see as necessary, perhaps one of our perceptions is off. Either the folks running the business and looking at the books, or us “in the trenches” and looking at breach reports across the industry. (My vote is leaning towards a mixture of both being off.)
@Rob:
The bad news is that we have to somehow level the playing field. Dan Geer has suggested that we aren’t sharing enough information. Perhaps if we could crowdsource some of these issues.
This “army of one” CISO mentality/structure and reliance on certifications and regulations is a huge mistake. Our reliance on advertising dollars, payment card numbers, and social security numbers is causing huge losses and the trend will continue until we change.
Even little things like WiFi and RFID were so broken right out of the door… we just can’t accept failure like this. OEMs ship desktops, laptops, and servers filled with insecure third-party applications (including AV agents). The only application that I use that updates properly without fail is Mozilla Firefox.
Software is being built too quickly; doubling every 6 months. Bugs are regressing at an unacceptable rate of 1 out of 5 after we fix them. There are pointer, data handling, and time/state issues which even static analysis tools cannot find (most of them are fortunately denial-of-service related—but other “data execution” weaknesses such as CWEs 190, 374, 484, and 588 are still problematic for static analysis)
Adrian,
I don’t think Dan is incorrect with the statement “That which cannot be tolerated must be prevented.” Your example, bank robberies, is in fact tolerated. They are robbed all the time and stay in business (and with profits). That looks tolerated (even if not morally tolerated) to me.
Also, his key point, that we should concentrate on existing technologies, is not flawed. Saying that doesn’t mean “more of the same”, as you made it look like. I see that more as “do it right instead of looking for the next thing to do”. Don’t look for the next product to buy, but optimize the results from the current ones.
Great debate, anyway.
@ Adrian,
In a world with inherent security, there would be much less need for law enforcement involvement. As you say, none of the things that Dan Geer prescribes, more of the same, would provide inherent security. How much easier would security be if one were using networks comprised of inherently secure systems?
@Andre,
Don’t hold back, give us the bad news now.
@ds,
Your attitude towards accidental data leakage seems quite lax, which is part of the problem. We are dying a slow death from thousands of tiny cuts.
I would suspect that the vast majority of data loss is accidental, hence law enforcement isn’t really in play.