Integrity Check: 5 Steps to Data-Centric Cyber Security

Change is the only constant. This is particularly true in the cat-and-mouse world of information security. With a constant flow of zero-day attacks and malevolent—albeit not always innovative—thinking on how to best exploit hardened systems, data defenders need to be ever vigilant. Certainly, public- and private-sector CIOs are constantly bombarded with new silver-bullet applications, appliances and techniques aimed at providing enhanced protective controls. But even the most sophisticated tool is of limited value if we don’t understand a key tenet: Sensitive data can still be vulnerable even when placed within a well-protected infrastructure.

It’s the age-old problem of having strong, solid exterior walls and limited additional inside defenses. The analog in the information technology realm is that of very strong perimeter defenses (firewalls, IPS, hardened border routers) at interconnection points, but only limited supplemental controls at the “trusted” core of the enterprise. Although it’s an archaic assumption that firewalls alone constitute an adequate defense, in our practice, we still see the occasional IT group that subscribes to this approach’s effectiveness. More progressive organizations, often with significant investments in information assurance technologies, may be better protected, but even they can be lulled into a false sense of security when their systems are surrounded by sophisticated network appliances, intimidating physical security controls and exhaustively documented security policies.

In our recent InformationWeek Analytics Government IT Priorities survey of federal technology decision-makers, cyber security was the No. 1 IT initiative within respondents’ organizations in terms of importance and current leadership focus (ahead of data records management and DR planning). For most of these shops, cyber security means dealing with the Federal Certification and Accreditation (C&A) process required by FISMA. This mandated approach is highly proscriptive: There are 17 separate control families with which to comply, each bringing its own specific directives. Although some of these can be deferred by using common controls for the organization (for example, information security policy or incident handling) others cannot be—and rightly so.

The upside to FISMA and the ensuing NIST documentation is that agencies have a consistent and broadly applicable standard for how information security should be applied to systems that are deemed to warrant a given classification level. The downside is that the true goal of adequately securing sensitive information and preserving core mission processing sometimes gets lost in a maze of requirements. By proposing a highly data-centric approach, we’ll help agency CIOs and CISOs refocus their security programs back to the essential precept of protecting information.