I have gone back and forth for a long time. Should security be risk-centric or data-centric? Outside of security professionals, you sometimes meet people who believe security should be compliance-centric and others who believe security should be audit-centric (which is a type of compliance-centrism).
Certainly there used to be network-centric views of security but they have mostly eroded in the face of mobile devices and the rise of cloud applications.
So, what is or should be at the center of security? To some extent, the point might seem silly. Who cares what you put at the center of your security program so long as there are no breaches of confidentiality, integrity and or availability? Protect the enterprise and you can put a vase of peonies at the center of your security program for all the enterprise cares.
But it matters, at least when comparing the same level of effort. In other words, the best compliance-centric approach will outshine a data-centric approach that is pursued with significantly less effort and half-hearted organizational commitment. Which is a long way of saying that, “all things being equal,” what an organization puts at the center of its security program makes a difference.
And in saying there even is a center, I am implying that we look at things with perhaps too strong a bias towards one thing or another. After all, the most risk-centric approach still emphasizes compliance and data protection. But it matters. The center is the focus you start with and the one you return to when re-evaluating a program.
Below is a look at the features and limitations of each approach ending with the conclusion that the only “centrism” that provides complete security for the enterprise is people-centric security.
Compliance and audit-centric: Has enough been written about how “check the box” security programs lead to security product shopping lists, policies that no one reads and surprised executives when a breach occurs (“but we were PCI compliant”)? Maybe, but on the other hand there’s a thin line between a strong compliance program and implementing a robust security framework. And if you’re in a regulated industry, being non-compliant cannot be an option. So as a security professional, the best thing to do when faced with executive insistence on such an approach is to make sure there is a general understanding that being compliant and being secure are not necessarily equivalent.
Location-centric: This form of security is largely obsolete but is making an interesting limited comeback with the advent of geo-fencing. In this view, the perimeter is absolutely the most important focus of controls with tight control over access/ingress being critical. Authentication is based, first and foremost, on “where you are” (what I have elsewhere called the fourth factor of authentication).
It sounds great but it has limits and can lead to a false sense of security. Developers, especially those who work on applications that are primarily internally facing, have been known to rely on this approach to avoid building tight security into their apps. (“It’s not accessible to the outside, so your firewall is protecting it.”) While this might have served as adequate in the days prior to the internet, the interconnectedness of things makes this approach insufficient to shape a program around. Which suggests a broader view.
Network-centric: In this approach, there is acknowledgment that location/perimeter is not a sufficient center to build a program around, but the “network” is. The network comes to be defined as all the connections that might touch the enterprise and so third party management becomes important.
Mobile devices are part of the greater network so they also need to come under control. The limitation of this approach is that threats can come from outside the network in ways that the network-centric approach cannot control. Paper documents, for example, can lead to breaches, especially of discreet information. And while a print-out of 80 thousand names and credit card numbers would be unwieldy, misplacing it would be considered a breach of highly confidential information nonetheless.
In addition, a lot of time and energy goes into the ongoing definition of what exactly the network consists of, and that can be an exploitable vulnerability in and of itself (deception-based threat detection technologies are the latest attempt at addressing this). Which suggests a different emphasis:
Data-centric: Even I like this one (and I’m hard to please). Whatever media they are on, whatever network they traverse, wherever they are, data are valuable. Protecting information seems comprehensive and, at first glance, does not take nearly the effort to define. Data are data, yes? Everyone knows what information is. With an emphasis on access control and data classification procedures, data-centric security can be effective and efficient. Are there still weaknesses to this approach? Yes. The two most common are:
1. Not knowing where you have data. A multi-million dollar HIPAA fine against a New York hospital that was protecting data just fine, with the exception of that researcher’s PC under his desk with the thousands of patient names and access to the internet, is a stark example. It’s hard to know where all the data are and it is usually impossible to fully control every single place it ends up (consider whether most organizations could ban ALL email attachments, for example).
2. Data classification is hard. When you consider that information someone makes publicly available on LinkedIn may still qualify as “personal data” in the EU and require special handling, you can see the difficulty a data owner might have.
In addition, data classification and access control are ultimately situational and that is a slippery slope. For example, most people would agree that if someone shows up unconscious at an Emergency Room, those treating them should have access to every damn bit of information on that person they can find (sometimes referred to as “break the glass” data access in the jargon of medical records privacy). People are a bit less certain about whether an insurance salesperson should be allowed to learn from the DMV that you own a motorcycle so they can target you for motorcycle insurance.
Risk-centric: “Risk based.” That’s the phrase that pays in the sense that nothing helps justify investments in security better than showing the investment mitigates a significant risk. And, after all, given limited resources, you pretty much have to prioritize how you use them based on addressing what you deem to be the highest risks. The limitation with this approach is that while you can define the enterprise’s data and business processes sufficiently to have a very good handle on impact, the other factor in measuring risk, likelihood, is a lot harder to nail down.
In fact, we know (most recently from the WannaCry exploit) that those who design exploits are always looking for the weak spot that assessors deem “least likely” to be exploited.
In other words, the data-centric approach to security will help you zero in on what you have to lose, and the risk-centric approach is invaluable in helping you prioritize resources around that. However, each is still just a narrow view. Undeniably essential views, but narrow ones nonetheless. That’s why my new allegiance is to a people-centric view of security.
People-centric: Hamlet said “O, that this too too solid flesh would melt.” But till it does and we’re all virtualized, people are going to hit keys, respond to emails, click on stuff and answer the phones in a free-form and random manner. It’s not an original thought that people are a major vulnerability in a security program. From the far less Shakespearean quotation “there’s no patch for stupid” to the tongue-in-cheek label of an “ID-10-T error” all the way to descriptions of users as the “weakest link,” we people have gotten a lot of bad press.
In spite of all that, people are also a huge strength. There are specific processes that succeed or fail depending on how well people perform. In addition, there is no realistic way to optimize security controls as business enablers without buy-in from business stakeholders.
Consider security awareness training. All strong programs have a robust ongoing awareness effort. It is essential. These efforts are usually framed in the context of making sure the workforce understands its role in ensuring that the enterprise is secure. If you’ve evaluated training programs, you’ll notice some interesting things about them. First of all, they tend to present security as a responsibility that the user has to the organization (“Here’s what you can do to keep our data secure”). Second, they sometimes have needlessly technical explanations in them (this is often true, for example, when a training module tries to engage the student on the subject of encryption).
Imagine training that took a different approach. Instead of the compliance-centric “Here are your obligations under the regs” or the more colloquial risk-centric “We need your help in managing the risk faced by our organization,” what if there was a people-centric approach?
Imagine training starting out with this pitch: “We know you have a job to do and that you don’t want it interrupted by having to spend time on security, so we’ve put together this course to give you the tools you need to do your job safely. Just like you’d put on a hard hat to go into a construction area, we have controls that provide you with the way to stay safe in cyberspace.”
Firewalls and spam filters? Most of us, when confronted by a disgruntled user who had something legitimate blocked, already have an explanation that focuses on their safety. If you don’t have one and are still using “We need to keep our data secure, and if that means blocking some legitimate things, that’s the price we have to pay,” then I would suggest you change it.
Encryption? If you have to talk to a user about it, maybe you didn’t implement it seamlessly enough.
Selling safety as the goal of security is the easy part. The tricky part is getting the user engaged in being an even more active participant in the security program. To get the full value of partnering with your users in a people-centric security program, you need to make some adjustments:
1. Start thinking about security as a way to keep the workforce safe (we just talked about this).
2. Get over the idea that false positives are to be avoided: remember that the boy who cried wolf may have had some character flaws, but the entire town made a decision to leave the boy, a detective control, in place and then to ignore him. Refine your alerting, but do not be hostile to a false alarm. And be sure to encourage users to come forward with things they observe that concern them.
3. Be sure your mission is to serve the business and challenge any part of your program that does not directly do that. First and foremost, governance is about playing by the rules. Just make sure the rules support the objectives of the organization they are designed to govern. This does not mean that you need to make sure everything you do is popular (that’s not going to happen) or that compliance should be optional. But it does mean that if you can’t explain to a reasonable business stakeholder why a control is part of your program, then you need to re-think the control or refine your explanation.
4. Recognize that success is silent and failure screams. How many times a day do people in your organization NOT click on a malicious link and refuse to initiate an emergency wire transfer? How many times do they hang up the phone when someone on the other end says they are “John from the help desk”? How many are NOT pursuing that generous offer from that Manipulatistan finance minister to give them 10% of 100 million Euro in exchange for helping them get the money out of their capital, Scamsburgh? There’s no way to know for sure. But you have to realize it is happening all the time. For every one person who clicks on the link for naked pictures of Celebrity X and thereby downloads ransomware, there are at least ten who don’t. People ARE a strong preventive control, and the more tools you put in their hands, the stronger they will be.
The people-centric view of security needs to evolve. People need to be seen as the strongest control and not the greatest weakness in a security program.