This is a draft of the book with the same title now available through Amazon:
Systems and “Systems”
It is a problem of the IT disciplines that the term “system” has a strange existence. At first sight, there is a consensus on what a system is, and perhaps the term is one of the most frequent in our literature and oral communication. Nevertheless, when IT experts are challenged to define a precise terminology, it is almost impossible to find a single definition; instead we have many interpretations, all of them unstable and vague, to the point that we can say that the word “system” hides a large disagreement.
Academic computer scientists are not critically affected by this problem, because they are justified in holding a uniform definition of “system” that is equivalent to “computer” or “network of computers.” After all, the computer is their object of choice. Also not affected are those researchers who prefer to study “socio-technical systems,” considering human interaction as an essential component[i]. Quite different is the case of IT practitioners and experts, who rarely rely on academic definitions, but then fail to have appropriate concepts for what they do. My point here is the current confusion should give way to a wider, more complex definition of system, aligned with the “socio-technical” approach.
A good definition –which is compatible but wider than the one used in academia—is that a system is a socio-technical complex. Machines and people interact and determine each other in the organisation. More precisely, machines are both agents and objects in organisational interactions. In an organisational setting, a system is never a machine or a group of machines, but the communication complex that arises from human interaction through computers and their networks. Hence, a mechanistic definition of a system will always fall short of reality and remain fruitless. This is because a machine in itself is fundamentally deterministic, but a network of machines acting as a complex environment for organisational communication is by definition unpredictable and non-deterministic. The social communication factors come to the forefront and the system is not a machine anymore.[ii]
In our professions, though, although we decorate our interventions with the jargon of business and organisation management, including “people” concerns, the object is always the machine, not the system, and we land into deep problems that cannot be resolved within such a limited frame of mind. We should not be surprised about this if we insist on a wrong definition. Avoiding this trap is critical to understanding what should be considered a secure system. So far, from the point of view of Protection, a secure system seems to be a secure machine, a “box” with inputs and outputs which can be “access controlled.” Information is either “inside” of the box, or “moves” from box to box, and has to be protected “at rest,” “in transit” or “in process.” Not only all our intellectual focus but also our expectations are determined by this setting.
Against this, some Security experts have called for a more rounded vision of IT Security (as we saw in the previous chapters of this book), but the confusion persists among the majority of specialists. For sure, it is not only Security experts who are confused: this is a general problem of the entire IT Industry, and in fact Security practitioners just do what is expected from them in the trade, which is to “protect information.”
The “system” in this frame of mind is the computer, perhaps the network of computers, and, more recently, the Internet or the Cloud as a technological environment. As the scope grows towards wider and more complex networks, though, the mechanistic focus of the Security practitioners becomes more and more limiting and eventually absurd. The techno-centric focus does make some sense while computers are isolated or more or less homogeneously connected behind the organisational or departmental boundaries: a single computer can still be called a “system” and it can be addressed and protected like a whole entity when it is isolated. Once it is connected to other computers and especially open to the Internet, the mechanistic notion starts foundering, because the number of interactions increases and diversifies. The same person can access information from different machines, and in fact it becomes clear that machines become remote agents for individuals. The mechanistic view is even weaker when we include external or Internet users, who –by definition– are outside of the organisational boundary. Here the same person can access many computers from many different places, and in many different roles, as well as through an unlimited number of machines. What looked like a “system,” i.e. something having the coherence and predictability of a pack of electronic circuits inside a metallic case, is now a tangle of human relationships where the machines are only the ground where these take place.
Security “for” and “in” the Organisation
In the context of the Internet and the Cloud, even when the mechanistic view still has a role, it is necessary to adopt a complementary stance, that of security “in” the organisation. The conventional techno-centric view is that of Security “for” the organisation, rooted in the idea the organisational network “is” the system. Making an abstraction of the complexities of the network, it is still possible to speak of Security measures that will protect informational assets from external illegitimate agents. This is not enough though, and as has been addressed many years ago, for example by Carnegie-Mellon’s Octave[iii]. Properly seen, the organisational network and the Internet create a need for Security “in” the organisation.
This is the first symptom of change, arising from the fact that internal and external access are hardly different in complex networks which have entry and exit points to the Internet. Security “for” the organisation becomes as important as Security “in” the organisation. The first thinks of threats and “attack vectors” that are coming from the exterior; the second starts from the understanding that dangers live both inside and outside of the organisational space. It should be clear that these two views are necessary and coexist for a long time in the computerised enterprise or organisation. The delivery of security “in” the organisation becomes a precondition for the realisation of security “for” the organisation.
Nevertheless, while the two views coexist and cooperate for most of the time, there is a permanent level of distance and conflict between these approaches. The view focused on Security “for” the organisation assumes that its function is to provide boundary defences, and to adopt technology-based solutions. As the individual computer stops to exist and the network boundary expands, the IT specialists think of more and more technologies to surround the computer with new walls and other “systems” that will close the gaps and keep the information safe “inside.” This is what keen observers meant –even in the early 1980s, when I started tinkering with computers—when they said that our trade was trying to solve a problem by “throwing a computer at it.” We still do it today.
In a correlated but contradictory position, the view of Security “in” the organisation (or the wider network) has as its primary concern the variety of identities (of users and roles), not of technologies. Security in this sense is the Subjective position, which we have associated in other chapters with the disciplines around Trust Definition and Allocation. This is the ideal position of the business leader, the owner, the strategist, but also that of the group, the organisation, and Society in general. From a different angle, Security “for” the organisation represents the Objective position, which is that of the implementer, the controller, the auditor, but also that of the engineer, the technologist, and IT organisations in general.
When considering these diverging views we see that Identity management is located in the Subjective half of the opposition, more specifically in the area marked by Trust Allocation. At the core of the Identity management domain we find principles of Identity Data Management and Identity Data Ownership, and it is clear even in the present circumstances that these disciplines cannot be reduced to technology. Contrary to appearances and technological trends, Identity management consists essentially of Trust allocation processes when considered at the level of the participants of the process. When considered at the level of the communication channels inside and outside of the organisation, this discipline is similar to the specialities of Information Architecture and Integration.
The correct understanding of this duality (between Data Ownership and Data Integration) will lead to the application of available industry and organisational standards to the Security and Identity practices. For example, Identity management must be supported by Service Oriented Architecture and founded on data ownership and stewardship. The service orientation reflects the (objective) technological component, while identity data ownership expresses the “subjective” side. This duality makes of Identity management the Security area most affected by organisational factors, and, in turn, the area which has the highest impact in every aspect of the organisation’s processes and structures.
A purely technological emphasis for Identity management misses the point altogether, because there is no Security without data governance (i.e. Direction), especially if there is no definition of what the organisation wants to keep as levels and spaces of trust. The organisation’s policies come first, and the definition of what is a trusted environment is a precondition to all other aspects of Identity management and other Security disciplines.
So, in conclusion, when we speak of System Security, we need to present the whole “case” for our professions, especially for Identity management. A system is secure if and only if the disciplines of Trust and Risk management are effectively applied and complement each other. In the current atmosphere, though, Identity management is blocked, ignored, marginalised in Security analysis and investment decisions, because of the bias at the root of the IT professions. Therefore the opportunities and benefits that it brings are missed.
The Paradigm Shift
Recently Ed Granstedt and Troy Nolan made a good argument for the change in the Security paradigm[iv], contradicting the current ideology of Information Security. The authors wrote: “A successful cyber-security strategy starts and ends with the mission — we don’t protect our information for its own sake, but for the sake of the mission. […] Traditional defense-in-depth approaches to securing autonomous systems are only partially effective. They cannot provide complete security to critical infrastructures. Perfect security is not possible due to the rate of change of cyber-threats and adversaries, the burden of IT security costs, the lack of integration of layered defenses and the limits of the technology used to protect information systems. We need to see network and information security as elements in protecting an overall mission.” This statement may not be original in essence, but the terms used are striking and precise. It is also very important to note the distinction between “security” and “assurance.”
Granstedt and Nolan, using military terminology, dispel the confusion: “Unlike perfect security, mission assurance is an achievable goal. But to reach this goal (protecting, under persistent threat, the important elements of infrastructure that support key mission activities), we must look at the mission holistically, considering its infrastructure, its desired behavior and the information that underpins it.” By focusing on the mission, which in my terminology is equal to the Direction perspective, technological actions become subordinate and relative to the goal. And it is good to see this in a very present context too: “Advanced persistent threats (APTs) differ from other infrastructure threats by their ability to infiltrate, hide and maintain access to an organization’s data across a long timeline. Once inside, APTs add backdoors, map the infrastructure, harvest account credentials, determine information of value and leak that information. This provides access to virtually all the information, and its explicit knowledge, that lies in an organization’s infrastructure, and the individuals behind APTs work hard to maintain that access.”
What the authors are saying, in their own terms, is nothing else than the need to focus around Security “in” and “for” the organisation. This has to be done avoiding at all cost the view that more technology can somehow guarantee the goals of an enterprise or a government! I cannot but quote a specific point which I share: “In this threat environment, organizations can be compromised by a single vulnerability. The character of the APT is such that traditional firewalls, intrusion detection devices and host-based scanners have difficulty eradicating them. The adversary tests against these defenses, knows their weaknesses and is patient, while seeking to find that single vulnerability. The truth is we must operate under the assumption that our networks are already “owned” and that no amount of castle wall construction (firewall) or moat building (virus scanning) is going to protect it.”
The authors conclude their article affirming that the perimeter of “defence” is “outdated” and recommend not remain focused on “inbound” actions (i.e. penetration by external agents). They do not explicitly ask for an organisational approach, and perhaps their final recommendations are still techno-centric, especially when they suggest that Security investments should be prioritised around essential infrastructures to support the organisational mission; but this is an excellent approach and Security experts should adopt it wholeheartedly.
Dereliction of Duty
Contrary to this, we see a troubling scenario in most organisations, of all sizes: organisational Security is severely misunderstood, and has become only a box-ticking exercise in compliance. Even worse, both in the industry and the consultancy sector, there is still a widespread belief that Security can somehow “exist” without Identity management. Many practitioners also like to say that it is “difficult” to sell Identity management to the business teams. Thanks to my experience in many organisations and sectors I am witness to a long catalogue of excuses and evasive responses when it comes to the Duty of Care, both in Security teams, organisational leadership and external advisors and technology suppliers. Here is a sample of the excuses the reader may have heard from teams and people refusing to adopt Identity data ownership and controls:
- “Centralised user management is not in our policies”
- “Cost avoidance is not relevant as it does not represent real expenses”
- “Our supplier would not transfer costs savings to us”
- “Identity data is not included in my area”
- “I need to reduce the risks of my project”
- “It is not part of the Business or the Information Architecture”
- “It is too expensive”
- “It is too complex”
- “It needs new business roles which we don’t have”
- “It needs too much effort”
- “It needs too much time to fulfil”
- “It would benefit the service providers but not us”
- “Our focus is now on integration, not on transformation”
- “Somebody else did it and failed”
- “Our funding model does not support cross-divisional projects”
- “There is no urgency to do it”
- “We are already doing manual access remediation”
- “We don’t have the necessary experience and skills”
Within a conventional approach, all these rationalisations could be “understandable” and “justified” perhaps as an expression of the limited scope of action of managers and team leaders, but in reality—especially if we consider all these expressions together—they reveal a disastrous state of mind and a lack of governance and direction inside normal and respectable organisations. This is what I call “dereliction of the duty of care,” even when I am conscious that in the current management scenarios, managers are not supposed to go beyond what they are asked to achieve. Any holistic view of the perennial problems of Identity and Security would be “outside of their remit.”
For sure in the past few years, many organisations have tried to disentangle themselves of this situation, but a lack of understanding of the roots of the problem doomed these efforts from the start. This is what I have covered in a previous chapter when considering the problems of “project failure.” In my view, the causes are deep. The dereliction of the duty of care in respect to Security and Identity management is not the result of some entrenched management practice but the precondition of IT practice. In fact, it is only by managing Identity data in an ad-hoc, expeditious way that we can build the current type of IT services and infrastructures. IT, especially in complex organisations, needs to ignore, postpone and fragment Identity management with the result the IT landscape itself is indelibly marked by this implicit rejection. So when organisations try to remedy their Identity practices by joining the IT infrastructures, we have a sign that they have got the wrong end of the cause and effect chain. I documented this maze of interactions showing how these factors interact[v]. The diagram shows the direction and impact of various organisational problems in Security and Identity management.
Organisations should perform Security and Identity management for reasons of business excellence. They cannot and should not be done for other reasons, or failure is guaranteed. So, when speaking of “selling” Identity solutions, I am of the opinion that it is necessary to believe in the intangible values of organisational and business excellence before we address any technological matters. The disciplines of Trust Definition and Allocation are closely associated with the aspirations of the business leader and his or her “take” on the market. If we do not believe in this and instead present a spurious “risk” and “cost-benefit” discourse devoid of any strategic purpose then we should not be surprised by failure.
Given the complete focus of current Security disciplines on “data protection” and information as an “object under threat,” it is only fair to evaluate how we are doing in the “cyber-war.” We saw in earlier chapters that project and programme delivery were a dark area, devoid of encouraging results. Perhaps we do have some positive news in the more specific subject of “data protection”? Sadly that is not the case. Before continuing, to eliminate any ambiguity, I want to reassert that Security and Identity management, in their objective side, include controls over data “at rest,” “in transit” and “in process,” but the emphasis is not on data as an object or a mechanical flow, but on data as interaction and multilateral process. I like to use the term “quantitative identity management” in the sense that informational exchanges can be measured by taking read and write operations as the tokens of real organisational processes. In this way, data becomes a reflection of organisational functions[vi].
Now, either in this perspective –or in the conventional one– “data” can still be described as something material (“tangible”) that is moved around in the organisation. This image is easy to understand when speaking about “data loss” and “data breaches” as a manifestation of the failures of conventional information Security solutions. The practitioner is standing on a space composed by one or more “enterprise” data infrastructures (databases, file servers, portals, applications), which contain “informational assets” and are under constant and diverse “attacks.” The usual dangers come from a series of insecure practices or technical defects that put data “at risk.” The most important of these problems can be catalogued as follows:
- Denial of service. Under stress or attack, computer systems expose their limits and coding errors. Expert attackers or any determined person can destroy or access information when systems misbehave and fail. A very frequent form of attack is the so-called Denial of Service. More or less large sets of compromised computers can be turned on to attack organisational infrastructure, leading to service loss and in some cases to data corruption.
- Excessive access rights. It is a usual scenario in all types of organisations, where users and their tools (the programs they use to work) have access rights that do not correspond to their business functions, being “higher” or “wider” than they should be. This problem, also called “excessive privileges,” allows users and information processes to read or write from and to confidential data repositories. As users come and go from organisations, or move from one role to another, they accumulate access rights to systems and services beyond their “need to know.”
- Privilege elevation. Privilege elevation is a normal procedure in systems management, by which an operator, using available tools, changes the level of access to be able to carry out some tasks that require more authorisation. The problem is that unauthorised persons (inside or outside the organisation) can also raise their access scope if they know the process. In some cases software limits and errors help these actions; in other cases the systems themselves have facilities to do so.
- Abuse of access rights. Even when users have properly assigned access rights, these can be utilised for illicit or destructive purposes. It has been clear for years that a large proportion of data breaches and loss occur within the organisation itself through this abuse. This danger is higher and more complex the higher the person is in the organisation, and the more access rights he or she has overall.
Confronted with these dangers and attack types, how do organisations fare? It is not possible to find complete documentation about this, because organisations do not share the actual state of data controls. A growing debate exists about the need to legislate data breach disclosure, but I won’t discuss that issue here. There are nevertheless limited scope studies which point us in the right direction, for example the work by Dana Rosenfeld, Alysa Zeltzer and Christopher Loeffler[vii] cataloguing the gaps in organisational information Security. While their study is focused on Personal Identifiable Information (PII) their findings can be generalised to all types of data. In my own practice I have found that also business data is affected by problems that we can list as follows:
Common Gaps in Information Security:
- Not developing policies in the first place or failing to implement policies.
- Not designating specific employees or groups of employees to maintain and implement the program.
- Permitting the haphazard collection and sharing of information inconsistent with policy requirements.
- Not updating or modifying policies as the business’s information practices or laws change.
Common Gaps in Information Storage and Disposal:
- Not knowing what information is stored by the company and its location.
- Security levels that are inconsistent with type of data stored.
- This may include the failure to encrypt and/or truncate sensitive information as required by applicable law or as recommended under industry guidelines
- Not limiting access to information to those having a “need to know” that information to perform their duties.
- Retention of information longer than necessary to carry out the original business purpose.
- Improper disposal of information that is no longer needed.
I am sure that all Security experts and practitioners have seen the typical scenario where the organisation in fact does not know and does not have means to know what information is stored in their file servers and who has access to that information. On the other hand, we also have seen many times heroic efforts by business managers and Security-concerned team leaders to establish some form of control over information repositories, only to find in the end that “nobody” owns the data and hence there is also nobody to sign off any security policy over it. Judging from experience, the “gaps” listed by Rosenfeldt and Zeltzer are effectively the norm, the “state of the matter” in organisational life.
So, how can there be “system” Security–either in the old or the new definition of the term– if we have such gaps in governance and control? To expand this further, we could also ask: how can there be Identity management if even business data management (usually including personal identifiable information or PII) is in disarray? To be clear, organisations, especially in the financial sector do have the functions of “data ownership” and “data governance,” but in too many cases this is limited to large customer data stores and does not include staff, partner, supplier, contractor or any other external collaborators.
In spite of multi-year Identity programmes, many organisations do not have the same criteria for customer and staff or collaborator identity data. To progress from where we are, my suggestion is that Security and Identity management should learn from existing business practices centred on Data Integration and Warehousing, and apply their more advanced rules and practices. Data Management experts may smile at reading this, surely knowing that their own area leaves many things to be desired, but I can confidently say that they are years ahead of the Security professions. A System cannot be secure without data governance, specifically without Identity data ownership and management. This is a difficult task, but appropriate models exist and there is no need to invent anything new.
Data Governance is always a continuing programme–not a “project”–which must be planned and led at the highest levels of an enterprise. It will not happen without personal commitment for excellence from the owners of the organisation and the representatives of the owners. This is not an optional process and it has to be asserted within the business model itself. Without this it will always be difficult or impossible to allocate resources and enforce organisational policies. It should also be clear that Data Governance in general and Identity governance in particular are not functions of the IT department. As heroic as it may seem for some IT leads to declare that Identity is their responsibility, obviously governance has to involve accountability and sign-off capacities which do not exist within the IT departments.
All the terms and practices that are part of an organisational Information Architecture are also part of a Security and Identity data management strategy:
- Data Access
- Data Architecture
- Data Archiving
- Data Cleansing
- Data Compliance
- Data Governance
- Data Migration
- Data Modelling
- Data Monitoring
- Data Ownership
- Data Policies
- Data Privacy
- Data Profiling
- Data Quality
- Data Retention
- Data Retirement
- Data Security
- Data Standards
- Data Stewardship
- Data Storage
- Data Structure
- Data Taxonomy
- Data Traceability
- Master Data Management
- Metadata Management
- Reference Data Management
Also in this respect, as I mentioned above, nothing needs to be invented, and we, the Security practitioners, should instead turn to the more or less standard manuals of Data Integration and Information Architecture which have been available for decades now[viii]. Essentially, the aim of data integration and governance is to provide accurate, reliable data (a “single version of the truth”) across the organisation and outside of it, to partners and external interested parties, including consumers. To do this, much more than technology is necessary. First, the organisation needs a common language and common standards for data classification and management, and –more critically—special roles and responsibilities have to be defined and assigned: the data owners, custodian and stewards.
In most cases–especially for Identity data management—a global team will be necessary, to work out the standards and execute the governance processes across many different countries and technologies. Against these needs stand many obstacles of organisational and “political” nature, for example differences in “how business is done” in each division or who is in charge of data depending on the country or the sector. Therefore, this is even less a technological task than can be imagined at first sight and cannot be accomplished by the IT departments. In fact, it is essential to understand that in terms of Systems security and organisational transformation the IT department has a decreasing role as we progress to wider and more complex networks of cooperation. They can be “custodians” and implementers of the processes needed, but they do not lead or own these.
The current Situation
While the change is still evolving and organisations open their eyes to new possibilities, data insecurity and loss are present. Some statistics will show how ineffective Security controls are in today’s organisations. A 2006 survey among 100 IT Security professionals, conducted by Computer Economics,[ix] shows a list of Security threats, out of which I highlight the following:
- Insider threats are the highest-ranking IT security concern, specifically insider misuse and unauthorized access. The greatest “risk” to the organisation resides with those inside the security perimeter.
- Unauthorized access by “outsiders” figures second or third among the Security concerns, but the report highlights many organisations do not know who may have gained unauthorised access.
- It is a well-known fact that “hacking” incidents are underreported in the statistics.
A PricewaterhouseCoopers survey from 2012[x] complements these insights, showing that while many companies appear to understand the new dangers coming from an expanded user network, little is done to “secure” information in the changed circumstances. For example, the survey notes that “many companies are not doing enough, and some are not doing anything at all, to secure their mobile environment.” The report shows concern that too many organisations are not taking threats seriously. Simultaneously, 82% of large organisations are mentioned as having reported security breaches caused by staff, including 47% who lost or leaked confidential information.
Given the lack of policies and the gaps listed above, it is not strange that data breaches are a permanent feature in the business and IT landscape. On January 2011, for example, the Identity Theft Resource Center (ITRC), based in the United States, published statistics[xi] of the reported US data loss incidents in 2010 listing 662 reported events, nearly a 33% increase over 2009. Given the way the data is reported and collected, observers think the number of data breaches is higher. The ITRC itself highlighted in the report an obvious lack of transparency from organisations: “Other than breaches reported by the media and a few progressive state websites, there is little or no information available on many data breach events.” Data losses consist mostly of personal information, like social security numbers (62%), and Credit Card details (26%).
The ITRC report points out that 51% of publicly reported data loss incidents also disclose the number of records compromised or destroyed, coming in at a total of 16.1 million records. That means that about half of all the reported data breaches do not reveal the number of compromised or lost records. It is interesting to note the reported incidents were 498 in 2009, 657 in 2008, and 446 in 2007.
Among the incoming information about data losses and Security failures, though, some functionaries do not see a cause for alarm, even if the numbers are staggering. For example in September 2012 the UK Deputy Information Commissioner David Smith[xii] told Computing magazine that “while he does not dispute the accuracy of figures to suggest a 1,000 per cent rise in UK public and private sector data breaches in the past five years, he is unsure they “reflect the position” of serious data leaks.” He may be right indeed, because it is not possible to know what was lost or if the reported data losses are all that took place. From my point of view this does reflect two things though: the increase of reporting due to regulatory pressure (especially in Europe) and also a continuous expansion of the problem. In any case, even if this does not reflect the gravity of the situation in every sense, what the reader should retain is that, whatever measures Security professionals have been proposing, either these are not working or else they are not being adopted.
At the current rate, many successive years could be named “The Year of the Hack.” In fact, it can be asserted that every organisation, including military and political entities, are suffering because of this. High-tech companies are not the exception. In January 2012, another report by the Identity Theft Resource Center identified hacking, followed by data lost in transit and insider attacks, as the leading data breach causes in 2012.[xiii] This report follows the data collected for 2011 for disclosed data breaches (a total of 419 events). That year, “[…] targeted intrusion into a data network,” including card-skimming attacks–were at an all-time high, and responsible for 26% of all known incidents. The second cause of breaches was the loss of data on the move (18%) consisting of data stored in mobile devices or printed for transportation. The third cause was classified as insider theft (13%). Overall, the ITRC indicates that malicious attacks–including insider and hack attacks– represented 40% of the disclosed data breaches in the US, while 20% of breaches were the result of “accidents.” In 2011, 22.9 million records were compromised, of which 81% included social security numbers.
The ITRC makes a point when stating that in 2011, the US government and armed services saw the greatest volume of compromised records (comprising 44% of all exposed records), followed by non-financial businesses (33%), medical and healthcare groups (16%), educational institutions (4%), and banking, credit and financial firms (3%). The report says: “Non-financial businesses, as well as medical and healthcare groups, saw the largest incidence of insider theft, while non-financial businesses were hacked far more often than other industries. Notably, 17% of all breaches involved hack attacks against businesses, compared with hack attacks against banking, credit and finance (3%), education (2%), medical and healthcare (2%), and government and military (1%).”
The report is also frank in stating that in the year 2011 only 52% of publicly disclosed breaches detailed the number of sensitive records that had been exposed. This alone means that it is impossible to estimate the damage caused to companies and individuals, or to certify the distribution of attacks and losses. It nevertheless gives us a picture of the problem. What are we as Security experts and professionals doing about it? Is it comforting enough to continue with the rationale that “the business” or “the managers” don’t get Security or Technology?
Here are also some statistics about the cost of data losses, to match the information given above. One such case is exemplary.[xiv] The reference quotes the Global Payments SEC 10-K/A filing of the same date, containing estimates of the 2011 data breach incident. The text says: “For the year ended May 31, 2012, we have recorded $84.4 million of expense associated with this incident. Of this amount, $19.0 million represents the costs we have incurred through May 31, 2012 for legal fees, fees of consultants and other professional advisors engaged to conduct the investigation and various other costs associated with the investigation and remediation. An added $67.4 million represents an accrual of our estimate of fraud losses, fines and other charges that will be imposed upon us by the card networks. We have also recorded $2.0 million of insurance recoveries based on claims submitted to date as discussed below.” And it adds: “We expect to incur additional costs associated with investigation, remediation and demonstrating PCI DSS compliance and for the credit monitoring and identity protection insurance we are providing to potentially-affected individuals. We will expense such costs as they are incurred in accordance with our accounting policies for such costs. We currently anticipate that such additional costs may be $55 to $65 million in fiscal 2013. We anticipate that we may receive additional insurance recoveries of up to $28 million.” The cost per lost record has been variously estimated between US$100 and $190.
All types of organisations are suffering data losses, including those that set the standards. In September 2012, the public learned the Institute for Electrical and Electronic Engineers (IEEE) had lost 100,000 user names and passwords by exposing them in an open server on the network[xv]. This was painful for an organisation dedicated to technology standards development, continuously working with major global and national organisations. The exposed files had been stored in an unencrypted form and in a plainly accessible folder. For sure the Institute closed the gap soon and asked the users to change passwords immediately, but it was also the occasion to remind everybody that data security –even using the conventional approach—cannot be protected if it is not classified, and it won’t be classified if it is not governed like an asset. When people think of “proactive” measures and leave for a moment the techno-centric approach, they should have in mind higher orders of leadership and purpose.
What Security is not
The lack of Direction and Trust management leads to several wrong conceptions that are obstacles for an integrated Security strategy:
- · The belief that Identity management can be reduced to the so-called cyber-security trend. While it is clear that cyber-security (as it commonly understood) is relevant for some organisations, its essence is not Identity management. These areas share technologies but their goals are different: while the first addresses unknown attackers and articulates the notions of warfare, attack & response, counter-attack, etc., the second is founded on a generalised intention to allocate trust, facilitate access, decentralise controls and enable the end users to manage their authentication credentials.
- · The belief that Identity management is centred on regulatory compliance or the “protection of informational assets.” This comes straight from the past of our Security disciplines: First there was “asset protection,” directly linked with over-centralised business processes and lack of autonomy of the users; then there was Governmental pressure to assert data regulations. The result was a combination of Protection of assets and Data protection measures, which is commonly taken as the essence of Identity management. This confuses the historical evolution of the disciplines with their ultimate goals.
- · The predominance of provisioning technologies (account management) as the essence of Identity management. This trend is strongly maintained by large technology vendors and is the product of years of haphazard and chaotic growth of IT infrastructures. At some point organisations find themselves sunk in a confusing and anti-economical technology maze and try to overcome it by buying more technologies: “provisioning,” “user management,” “user recertification,” “risk-based reporting,” etc. When these solutions are rooted in the usual silo-orientated approach (which is the continuation of the style that produced the chaos in the first place) little can be achieved.
Combinations of these three wrong conceptions can be seen everywhere, and their effects are then translated into the catalogue of excuses that we saw before. The worst cases are those where a techno-centric solution is supported by compliance and protection drivers and tinted by “cyber-warfare” ideologies. It is difficult to see in this confusion where we are going. A closer analysis shows that behind all these misconceptions the key issue is that Identity data (especially staff, partner and collaborator Identity) is not managed as an asset. In the organisational plane, the lack of direction is revealed by the fact that there are no data owners and no governance process exists.
To understand what is happening here it is essential to turn to the history of the Computer revolution. This revolution, itself arising from a changed world society, essentially created the individual technology user, the connected, remote worker. Nevertheless, the techno-centric perspective leads people to “forget” these and propose actions and ideas that negate this origin. Where the PC puts power in the hands of the individual, some technologists insist on recovering and centralising computing power, ignoring the social history of computing. Where the Cloud is based on an expanding variety of users, some technology suppliers want to reduce this to a single “cloud user” type. The problem is that in doing so, the techno-centric mind disables itself for anything relevant in Security matters, multiplies the threats and gives bad and costly advice to the organisations it claims to serve.
Outside of the Perimeter
In a recent article in SC Magazine, Dan Raywood points to the critical change that is occurring in the Information Security market. He quotes Paul Simmonds, former CISO of AstraZeneca and board member of the Jericho Forum, as saying: “The issue is on the move outside the perimeter, which is driven 100 per cent by business and the IT administrator is playing catch up, as is security.”[xvi]
Simmonds suggests the main challenge with Identity Management is the difficulty if not impossibility of containing the identities within the perimeter as business drivers lead to a fragmentation of access routes and business channels. To counter this, Simmonds recommends the separation of access management and identity management via the use of “claims based security.” Claims-based mechanisms[xvii] are relevant but, to begin with, it is important to focus on the two things that are being highlighted here and will be even more important in the immediate future: first, the perimeter is disappearing, or has disappeared altogether in large global organisations; and second, Identities are fragmented and access routes (even for company staff) are multiplying and changing in nature.
In essence, Identity fragmentation and diversification compounds the well-researched problem known as “deperimetrisation” of IT environments[xviii]. To address this it is essential to re-balance and re-focus Security moving from the emphasis on Protection and Enforcement to Trust Definition and Trust Allocation. In terms of Risk it is essential to adopt perspectives geared towards Risk-Taking and Risk Sharing as I have explained in other chapters in this book.
Contrary to the necessary readjustment, too many documents and statements coming from the Security experts repeat the language of risk avoidance and the criteria of “risk appetite,” as if we were permanently talking only to IT departments. As Simmonds says, IT departments are only “catching up.” In this context, it is a losing game to continue patching and upgrading “the system” as the future does not look good for such a stance. A risk avoidance position does not carry the voice of the business leader or the risk-taker. It can sustain only a minimalistic investment curve, meaning that it will support an expedient solution to “get away” with the necessary controls, to “manage” the consequences of internal and external audit processes, not aiming at expanding the business, growing the market or increasing the variety of users.
When Security practitioners accept these limits, they follow the fears and misunderstandings that persist in the IT professions. Why use the notions of “counter-attack” and “rapid response” as if all of Security depended on warfare scenarios, external penetration and “inbound” threats? Why is Security not thought of as a business enablement force? It is urgent to reiterate that on the ground of conventional security, experts and practitioners become followers and not leaders.
[i] E.L.Trist, “The evolution of socio-technical systems: A conceptual framework and an action research program”, 1981
[ii] Günter Ropohl, “Allgemeine Technologie : eine Systemtheorie der Technik“, Universität Karlsruhe, 2009
[iii] The Octave web site: http://www.cert.org/octave/
[iv] E. Granstedt, T. Nolan, “Paradigm shift necessary to address advanced persistent threats“, 2010, http://www.gsnmagazine.com/article/20675/paradigm_shift_necessary_address_advanced_persiste
[v]Carlos Trigoso, “Negative Feedback Chain in Solution Definition and Execution”, 2008 – http://carlos-trigoso.com/public/praxiology/
[vi] See chapter 7: Quantitative Identity Management.
[vii] D. B. Rosenfeld, A.Zeltzer and C. M. Loeffler, “Common Gaps in Information Security Compliance Checklist” , Kelley Drye & Warren LLP – Practical Law Company 2011 http://www.kelleydrye.com/publications/articles/1551/_res/id=Files/index=0/Common%20Gaps%20in%20Information%20Security%20Compliance%20Checklist_Feb2012.pdf
[viii] An excellent reference is the “Information Service Patterns” series by Dr. Guenter Sauter and his collaborators at IBM, http://www.ibm.com/developerworks/webservices/library/ws-soa-infoserv1/
[ix] Computer Economics Magazine, “Trends in IT Security Threats” 2007 http://www.computereconomics.com/article.cfm?id=1214
[x]Information Security Breaches Survey http://www.infosecurity-magazine.com/view/25232/pwc-2012-information-security-breaches-survey-preliminary-findings-report-continued-mobile-insecurity-/
[xi] See: http://www.idtheftcenter.org/artman2/publish/m_press/index.shtml
[xii] Peter Gothard, “Deputy ICO says big rise in reported breaches is no cause for alarm”, September 2012 – http://www.computing.co.uk/ctg/news/2207131/deputy-ico-says-big-rise-in-reported-breaches-is-no-cause-for-alarm
[xiii] As reported by Mathew J. Schwartz, InformationWeek, January 12, 2012
[xv] InfoSecurity Magazine, “IEEE data breach offers up 100K member logins” – http://www.infosecurity-magazine.com/view/28465/ieee-data-breach-offers-up-100k-member-logins/ and http://www.databreaches.net/?p=25400
[xvi] Dan Raywood, “Jericho Forum: Identity and access management need to be separated in the business”, 2011- http://www.scmagazineuk.com/jericho-forum-identity-and-access-management-need-to-be-separated-in-the-business/article/199154/
[xvii] See: Keith Brown, “Exploring Claims-Based Identity”, 2007 – http://msdn.microsoft.com/en-us/magazine/cc163366.aspx