Friday, February 22, 2013

It's only a breach when data leaves our control - Stupid!



It's only a breach when information leaves our control. Typically this means the network where the information is at rest, but it can also mean that a mistake has been made and an Excel spreadsheet with thousands of records of PII (Personally Identifiable Information) has been sent to someone outside the company.

How curious that the access control models for information security, rooted in pre-Internet mainframe exposures, continue to drive the shape of our controls when they do not actually manage the risk at hand - egress! Regulators and CPA firms alike toe the line for the access control model, while the actual exposure - data leaving our network without our consent - typically goes unchecked. No wonder that with all the certifications, all the software, all the auditors and all the regulations, data breaches continue - we are all looking in the wrong direction!

Let's look a little more closely at this crazy, insulting assertion.

One of the first questions I ask a victim of a breach is "What software did you have monitoring data egress on ports 80 (HTTP) and 443 (HTTPS)?" The answer: "No, but we reconcile active user accounts against active employees monthly, have an annual Internet-facing vulnerability test performed, keep our anti-virus definitions up to date and push them each night to all workstations, have our intrusion detection and prevention systems tuned and watching, and have independent application-level security that requires a log-on to get to the data."

OK, but what happens when a zero-day botnet lands on your network? By definition a zero day is not yet recognized by your anti-virus signatures, so nothing on the workstation stops it, and the bot finds and starts to transmit credit card numbers, associated names and dates of birth, not to mention addresses and mobile phone numbers. What finds the outbound transmission at the gateways?

Their response is either silence (crickets) or our old enemy - rationalization!
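As an added illustration, not part of the original post, here is the kind of gateway-side check the question above is asking about, written in Python: it inspects outbound HTTP request bodies, as a forward proxy would see them (for port 443 that means the proxy must terminate TLS, or it sees nothing), looks for Luhn-valid card numbers, dates of birth and phone numbers, and flags any transfer of card data to a host that is not on an approved list. The host names, the record formats matched by the date and phone patterns, the sample traffic and the allow-list are constructed assumptions; the card numbers are public test numbers (4111..., 4242..., 5555...4444), not real accounts.

```python
import re
from dataclasses import dataclass

# Candidate primary account number: 13 to 19 digits, optionally separated by
# single spaces or dashes, and not embedded in a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Assumed (constructed) formats for the other PII fields: MM/DD/YYYY dates
# of birth and North American phone numbers such as 555-123-4567.
DOB_RE = re.compile(r"\b(?:0[1-9]|1[0-2])/(?:0[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b")
PHONE_RE = re.compile(r"(?<!\d)\(?\d{3}\)?[ -]?\d{3}-\d{4}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return the Luhn-valid card numbers in text, with separators stripped.

    The Luhn filter is what keeps order numbers and other long digit strings
    (e.g. the 'ref=' value in the sample below) from raising alerts.
    """
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


@dataclass
class Verdict:
    dst_host: str
    pans: int
    dobs: int
    phones: int
    block: bool


def inspect_request(dst_host: str, body: str, allowed_hosts: frozenset[str],
                    pan_threshold: int = 1) -> Verdict:
    """Score one outbound request body and decide whether the gateway should block it.

    Card data may flow to approved hosts (e.g. the payment processor); any
    card data bound for an unapproved host is treated as unauthorized egress.
    """
    pans = find_pans(body)
    dobs = DOB_RE.findall(body)
    phones = PHONE_RE.findall(body)
    block = dst_host not in allowed_hosts and len(pans) >= pan_threshold
    return Verdict(dst_host, len(pans), len(dobs), len(phones), block)


# Constructed sample of outbound request bodies as a TLS-terminating proxy
# would see them: a legitimate card payment, a bot exfiltrating a customer
# export in CSV form, and an ordinary request carrying a non-card number.
SAMPLE_TRAFFIC = [
    ("payments.example-processor.com", "card=4111111111111111&exp=1225&amt=19.99"),
    ("updates.example-cdn.net",
     "name,card,dob,phone\n"
     "Jane Roe,4242 4242 4242 4242,07/04/1985,555-123-4567\n"
     "John Doe,5555-5555-5555-4444,12/31/1979,(555) 987-6543\n"),
    ("www.example.com", "q=quarterly+report&page=2&ref=4111111111111112"),
]

# Assumed allow-list: the only destination that may legitimately receive card data.
ALLOWED_HOSTS = frozenset({"payments.example-processor.com"})


def scan_traffic(traffic=SAMPLE_TRAFFIC, allowed_hosts=ALLOWED_HOSTS) -> list[Verdict]:
    """Run the egress check over every (destination host, body) pair."""
    return [inspect_request(host, body, allowed_hosts) for host, body in traffic]


if __name__ == "__main__":
    for v in scan_traffic():
        action = "BLOCK" if v.block else "allow"
        print(f"{action:5} {v.dst_host}: pans={v.pans} dobs={v.dobs} phones={v.phones}")
```

The point of the allow-list is that the decision is made on the data plus the destination, which is exactly what the access control model on the workstation never sees: the bot is an authenticated process reading data it was "allowed" to read. Run in production this check sits behind TLS interception and would be paired with rate and volume thresholds, since a single card number to an unknown host is noise but a thousand in one request is a breach in progress.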
 
The error in data flow is represented in the "onion" layered security model shown in the figure below.


Access Control Model In use as of 2013 - Based on Circa 1980 Exposures

 
What do we do? We start by recognizing that we must clearly communicate that the actual risk to our business lies not in limiting access to data (which works only if everything else works perfectly) but in preventing unauthorized data egress.