More than 25 years ago, James Carville coined a short and memorable quip that helped fuel Bill Clinton's successful presidential bid: "It's the economy, stupid." This self-deprecating mantra kept the campaign focused on the issue that mattered most to voters. In cybersecurity, while I would never call anyone stupid, we need a similar mantra to keep us focused on what adversaries want: "Data and Control."
Whether they come from outside or inside, every attacker's objective is the same: steal, modify or destroy data, and/or implant a capability to take control of systems or networks at a time of the adversary's choosing. More and more often it is a combination of the two, but it always comes back to "Data and Control." Today I am focused on the data, as in "It's the data, stupid," a self-deprecating reminder that data is what adversaries want and what our clients ultimately care most about.
Data is the lifeblood of government and business. The ability to use it for competitive advantage, or for the benefit of citizens, depends on protecting it from alteration, theft, misuse or destruction while keeping it usable by big data analytics, machine learning and artificial intelligence. Laws and regulations add further requirements to protect citizen information and are raising the penalties for failing to do so; in the case of the EU's GDPR, dramatically so, with fines of up to 4% of worldwide annual turnover or EUR 20 million, whichever is higher.
Once we understand the critical importance of data and control, we can be effective in rethinking, redesigning and reengineering our cybersecurity strategy and solutions. We can no longer think solely in terms of strong protections at the network perimeter. We need data-centric security: tools and techniques that harden the data from the inside out and minimize the damage an adversary can do once they get in.
In a new piece, I outline 11 specific capabilities agencies need to implement to achieve the vision of data-centric security. Eleven is a long list, so I stratified them as "Good," "Better" or "Best." Here is a preview from each:
GOOD: Data tagging and marking. An automated access control decision service can only decide whether to grant access if the data carries strong, machine-readable tags and markings (for example a classification level and the data categories it contains) to decide on. If your data is not already tagged and marked for that purpose, establishing a framework for doing so is the critical first step.
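To show what "decisions on access permission" driven by data tags look like in practice, here is a small attribute-based decision service. It is an added example, not code from the original piece or from any product: the classification scale, the category-to-training mapping and the subject attributes are assumptions chosen for illustration. The point it makes is that once records carry tags, the decision logic becomes a pure function of (subject attributes, data tags, action), every denial carries an auditable reason, and a record with an unrecognised marking is denied rather than guessed at.

```python
"""Tag-driven access decision service (added example, not from the original post).

Records carry machine-readable tags (classification level, data categories,
owning organisation); subjects carry attributes (clearance, organisation,
completed trainings). The decision is a pure function of the two plus the
requested action, and it fails closed on unknown markings.
Tag names, levels and rules below are illustrative assumptions.
"""
from dataclasses import dataclass, field
from typing import FrozenSet, List

# Ordered classification levels (assumed marking scheme).
LEVELS = {"PUBLIC": 0, "INTERNAL": 1, "CONFIDENTIAL": 2, "RESTRICTED": 3}

# Data category -> training a subject must hold to read it (assumed rule).
REQUIRED_TRAINING = {"PHI": "HIPAA", "CARDHOLDER": "PCI"}


@dataclass(frozen=True)
class DataTags:
    """Marking attached to a record at creation or ingest time."""
    classification: str
    categories: FrozenSet[str] = frozenset()  # e.g. {"PII", "PHI"}
    owner_org: str = ""


@dataclass(frozen=True)
class Subject:
    """Attributes the identity service asserts about the caller."""
    user_id: str
    clearance: str
    org: str
    trainings: FrozenSet[str] = frozenset()  # e.g. {"HIPAA"}


@dataclass
class Decision:
    allow: bool
    reasons: List[str] = field(default_factory=list)


def decide(subject: Subject, tags: DataTags, action: str) -> Decision:
    """Evaluate every rule and collect all reasons so audit logs show why."""
    d = Decision(allow=True)

    if tags.classification not in LEVELS:
        # Missing or unrecognised marking: fail closed rather than guess.
        d.allow = False
        d.reasons.append(f"unrecognised classification {tags.classification!r}")
        return d

    # Rule 1: subject clearance must dominate the record's classification.
    if LEVELS.get(subject.clearance, -1) < LEVELS[tags.classification]:
        d.allow = False
        d.reasons.append(
            f"clearance {subject.clearance} below {tags.classification}")

    # Rule 2: regulated categories require the matching training.
    for cat in sorted(tags.categories):
        needed = REQUIRED_TRAINING.get(cat)
        if needed and needed not in subject.trainings:
            d.allow = False
            d.reasons.append(f"{cat} data requires {needed} training")

    # Rule 3: only the owning organisation may change or destroy the record.
    if action in ("write", "delete") and subject.org != tags.owner_org:
        d.allow = False
        d.reasons.append(f"{action} limited to owning org {tags.owner_org!r}")

    return d


if __name__ == "__main__":
    # Constructed sample subjects and one tagged record.
    alice = Subject("alice", "CONFIDENTIAL", "HR", frozenset({"HIPAA"}))
    bob = Subject("bob", "INTERNAL", "Sales")
    record = DataTags("CONFIDENTIAL", frozenset({"PII", "PHI"}), "HR")
    for who in (alice, bob):
        print(who.user_id, "read ->", decide(who, record, "read"))
```

Because the decision is a pure function, it is easy to unit-test against a table of expected outcomes and to replay from logs during an investigation; the same property is what lets the "separate security from rules" advice under BETTER below hold up, since the rules table can change without touching the evaluator.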
BETTER: Across-the-board IDAM. Strong identity and access management (IDAM) services are essential, and not just for people: data, applications, networks and devices need identities too. Separate data from applications, applications from security, security from rules, and rules from data. This separation limits the blast radius of any change to data, security or applications and keeps the data securely available to the business systems that need it.
BEST: Tokenization. With this capability you substitute surrogate values (tokens) for sensitive data in both structured and unstructured formats, keeping the originals in a separately protected token vault. At a minimum, tokenize all PII and all data subject to HIPAA, PCI DSS or GDPR, plus any other data considered sensitive for business, national security or other reasons. Tokenize consistently, so the same original value always yields the same token across systems; otherwise counts, joins and group-bys on tokenized data no longer calculate correctly. Note the trade-off: consistent tokens preserve equality and frequency of the underlying values, so the vault and its keys need the strongest protection of all.
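The following added example (not code from the original piece or from any tokenization product) shows why consistency matters. It derives tokens deterministically with HMAC-SHA256 under a key held only by a token vault, so the same SSN always becomes the same token and analytics such as distinct counts and equality joins give the same answers on tokenized data as on the originals, while nobody outside the vault can recover a value. The key, the list of sensitive fields and the sample records are constructed for illustration.

```python
"""Deterministic tokenization behind a token vault.

Added example, not code from the original post. The same plaintext always
maps to the same token (HMAC-SHA256 under a key that never leaves the vault),
so counts, group-bys and joins computed on tokenized data match the answers
on the originals; only the vault can map a token back. The key, field list
and sample records below are constructed for illustration.
"""
import hashlib
import hmac
from typing import Dict, Iterable, List, Set

# Constructed demo key. In practice this lives in an HSM or KMS, not in source.
VAULT_KEY = bytes.fromhex("00" * 31 + "01")

# Fields whose values must never appear in clear outside the vault (assumed).
SENSITIVE_FIELDS = {"ssn", "email"}


class TokenVault:
    """Issues tokens and, for authorised callers only, reverses them."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._tokens: Dict[str, str] = {}  # token -> plaintext; protected store

    def tokenize(self, field: str, value: str) -> str:
        # Bind the field name into the MAC so equal strings in different
        # fields get distinct tokens and a token cannot be replayed into
        # another column.
        msg = field.encode() + b"\x00" + value.encode()
        mac = hmac.new(self._key, msg, hashlib.sha256).hexdigest()
        token = f"tok_{field}_{mac[:32]}"  # 128 bits of the MAC
        self._tokens.setdefault(token, value)
        return token

    def detokenize(self, token: str) -> str:
        # Unknown tokens raise KeyError: fail closed instead of guessing.
        return self._tokens[token]


def tokenize_record(vault: TokenVault, record: Dict[str, str]) -> Dict[str, str]:
    """Replace sensitive fields with tokens; leave everything else as-is."""
    return {
        k: vault.tokenize(k, v) if k in SENSITIVE_FIELDS else v
        for k, v in record.items()
    }


def distinct_count(records: Iterable[Dict[str, str]], field: str) -> int:
    """Analytics on tokenized data: count distinct people without seeing an SSN."""
    return len({r[field] for r in records})


def join_keys(left: Iterable[Dict[str, str]],
              right: Iterable[Dict[str, str]], field: str) -> Set[str]:
    """Equality join across two tokenized datasets that share one vault."""
    return {r[field] for r in left} & {r[field] for r in right}


# Constructed sample data: two rows for the same person, one for another.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"name": "Ann", "ssn": "123-45-6789", "email": "ann@example.com", "plan": "gold"},
    {"name": "Ann", "ssn": "123-45-6789", "email": "ann@example.com", "plan": "gold"},
    {"name": "Raj", "ssn": "987-65-4321", "email": "raj@example.com", "plan": "basic"},
]


if __name__ == "__main__":
    vault = TokenVault(VAULT_KEY)
    tokenized = [tokenize_record(vault, r) for r in SAMPLE_RECORDS]
    for row in tokenized:
        print(row)
    print("distinct customers:", distinct_count(tokenized, "ssn"))
    print("reverse lookup:", vault.detokenize(tokenized[0]["ssn"]))
```

Two design choices are worth calling out. The field name is mixed into the MAC, so a value that appears in two columns yields two different tokens and a token stolen from one column is useless in another. And because tokens are deterministic, two systems fed by the same vault can be joined on the token alone, which is the "consistency" the text asks for; the cost, as noted above, is that equal values are visibly equal, so the vault, its key and the detokenize path deserve the tightest access control in the estate. Where a downstream schema insists on a digit-only field of the original length, format-preserving encryption (for example NIST FF1) is the usual alternative to a hash-shaped token.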