Society needs security, data needs integrity
This the second excerpt from a new paper that I co-wrote with Jason Hoffman, our VP and Head of Cloud Product Line at Ericsson, titled: The Game Has Changed: Time to Press the GO Button. The paper is the third in a series (also check out part one and part two) on the massive business changes we are currently experiencing in the telecoms, IT, and cloud industries:
In a world driven by “as fast as possible” decisions, it is important to be able to trust data, have immutable proof of that data’s history, and have the forensic and auditing capability to understand what happened to the data if something goes wrong.
Today, data security is over-reliant on encryption and access, both of which have proven to be false safe harbors. Both depend on the integrity of the underlying systems, and the need to trust the people operating them. Both of these dependencies are not reliable. Mike Rogers, chair of the US House Intelligence Committee, says that 95 percent of private sector networks are vulnerable to cyber attack, that most have already been hit, and that people working inside the organizations cause between 30 and 50 percent of the security breaches. Trust is proving to be not enough of a safeguard.
The CEOs who believe that they have not experienced compromise have simply not yet discovered the cancer.
In order to foster growth, industries and countries need a predictable and deterministic environment, where risk can be managed alongside investment and return. The World Economic Forum believes that the lack of effective cyber security could cost as much as USD 3 trillion in non-realized potential growth during this decade.
Industries need to ensure that their data has high integrity — and can be validated as such. For this to be true, the industrial cloud must have data life cycle management as a fundamental capability, designed and built into its infrastructure and operation.
Data life cycle management consists of attribution at source, real time situational awareness with native forensics and auditing capability that can be performed by an independent third party.
The result — data integrity secured with truth — is the only way to maintain trust in a system.
Mechanisms now exist where proof is based on well-known public mathematics that can be independently verified. An independent third party can irrefutably validate governance and compliance, without the need to disclose the source data. There is no need to ever trust any messenger again, especially not a messenger who may have another vested interest.
This becomes increasingly important as the world moves towards using cloud infrastructure, which by nature is highly available and shared. The economics of the cloud are driving companies to use such approaches, but those that do so without data integrity instrumentation will find themselves in a world more similar to the Wild West than Wall Street. At a fundamental governance level, such instrumentation should be required as a basic component of business operation. This will enable society to reap the benefits of sharing, while at the same time creating a more secure environment than exists today.
The World Economic Forum describes three possible future scenarios:
- The world continues muddling into a future in which attackers are increasingly effective against under-tooled and less-agile target organizations.
- There is a backlash against digitization, causing fragmentation and stunted growth.
- There is accelerated digitization, thanks to robust cyber-resilience.
The definition of what is required to enable option 3 (accelerated digitization) can be summarized in four parallel tracks:
- Cost savings through adoption of shared infrastructure and associated economics. This increases complexity, especially when compliance and forensics are a prerequisite.
- Subsequent security challenges. Placing data in shared infrastructure and making it easier to access is good economically, but also enables others who should not have access to do the same.
- Management of plaintiff litigation, e.g. lawsuits from individuals who have been compromised due to breach, or similar lawsuits from other companies (subrogation).
- Total cyber governance, where company officers have a basic fiduciary duty to oversee the risk management of their company, which includes securing any intellectual property and trade secrets.
While CSA and world standards bodies have pioneered a number of policies and best practice tenets to manage cloud computing and data risks and security threats, these best practice frameworks for business, organizations, and governments are merely a risk management framework which does not address very fundamental integrity problems or technology solutions that should be associated with cloud models.
We should begin to change the dialog and emphasize:
- CIOs should make the assumption that any outsourced infrastructure will at some point be compromised (if not already).
- You can’t outsource trust with the complexities offered today or with the people operating those resources on your behalf.
- Also assume your own internal infrastructure is already compromised or soon will be in the (near) future.
- The more important and valuable your intangible assets are (your intellectual property, customer and supplier base, etc.), the more likely you are to be compromised and to become — no pun intended — a TARGET.
- The siren song has become, ‘We implement best practices!!’ to assuage concerns.
- Our response has always been, ‘So prove it in a way I can independently verify the integrity of your systems any time I want’ – go beyond compliance. Prove it. Prove in an independently verifiable way that the integrity of my data, the information rules that govern it, and that my service contract is being enforced – and let me do it whenever I want – in real time.
With these assumptions, guaranteeing the integrity of these machines, the data being generated both by them and the user, and the rules used to enforce the information policies and contracts is paramount.
With integrity guarantees, true cyber security for an organization is possible.