Picking up from my last post, I was inspired to look further into the implications of the TJX incident by Evan Schuman's piece in eWeek. Since the TJX incident, quite a few security practitioners have been soul searching about why TJX was breached, if it is true (as some believe) that TJX was PCI compliant and had actually invested in encryption. Some are asking if PCI compliance can stop data theft. Check out Joe Pereira's Stop & Shop comment to my earlier post. Recently, Eric Ogren suggested that if data leakage protection could be added to the ten PCI commandments it could stop data theft. I think he is headed in the right direction.
I am going to take a slightly radical stance and state that, in fact, traditional data security cannot stop data theft. Another way to say this is to use a metaphor: a museum is better than a castle. OK, I am probably not making much sense. To explain, let us start at the beginning.
- Data Security today: Today a typical enterprise has data strewn all over the place. The idea of a data and information security program is to create a series of obstacles (layered defense) to slow down the attacker from getting to the data. Firewalls, VPN, IPS, IAM, and encryption are all layers that do a good job at securing the data from the attacker. In spite of this, data breaches seem to happen routinely, and when they are noticed the enterprise goes into panic mode. No one seems to be in control. Large-scale investigations swing into place, the media goes into a frenzy, the company mopes around, and the consumer/customer loses trust once more. Here's an analogy on why this happens.
- Castle vs. Museum: An enterprise is like a castle. A castle is constructed exactly on the layered defense model. The moat, the thick walls, the height of the castle, and the array of soldiers are all intended to defend against and stop the attackers. The ultimate target of the attack is of course the King. If the King is captured, it is all over and the castle gives up immediately. Interestingly, this is how the enterprise behaves today when a large data breach happens. Now contrast this with another well-known institution – the museum. Think of a museum that has high-value assets (say paintings). A museum does invest in the same security mechanisms as a castle – when you walk in you are frisked, guards abound, etc. Yet there is a key difference between the security model of a castle and that of a museum. A museum is built on the assumption that the assets will be compromised. It is not a matter of if, only of when and how frequently. As soon as an asset is compromised, the museum offers immediate, actionable "theft protection" to mitigate the risk of the compromise. For example, if a painting is accessed, a camera could be capturing this. If the painting is removed from the case, a silent alarm could go off. If the painting is really of high value (think Mona Lisa), other high-value areas may get cordoned off.
It is interesting how the museum and the castle differ in their approaches to managing asset risk. The museum secures itself but also presupposes asset compromise and invests in risk mitigation after a compromise. Consequently, the museum's security is at its finest operational hour after the compromise. In contrast, a castle never plans for an asset compromise (what's the point?) and has no risk management plans post compromise. It is usually in operational shambles after the compromise becomes clear. Which institution would you trust with your jewels? Clearly the museum. Why? Because it combines preventative security controls with real-time, protection-oriented risk mitigation.
- Lessons for data breaches: Enterprises that have purely data security architectures to slow or stop attacks are like the castles described before. They rarely quantify their assets (in this case the "data"). They are subjected to routine data breaches and probably won't notice them until many months (or years) later. Unlike this model, an enterprise that has the museum model of security plus protection will fare far better. What does data protection involve? Extending the museum analogy, it requires four techniques –
- Discovery – Keeping track of high value data and helping classify it
- Monitoring – Capturing the access to data in action.
- Theft Alerting – Having analytics that can detect theft accurately in real-time and alert. (Unlike a museum, where the painting moves infrequently, data moves constantly in enterprises, so pure edge-based leakage prevention will not work. Theft has to be differentiated from legitimate access - analytics are critical*.)
- Automated Risk Mitigation – Alerting should be hooked to response centers so immediate action can be taken. If other risks are noticed (for example, unencrypted data, data moving to laptops, or data accessed by rogue accounts), appropriate actions need to be taken (e.g., investigate, encrypt the data, identify and scan the laptops, de-provision accounts if warranted).
Taken together, an enterprise that has strong outbound, real-time data protection along with a strong inbound preventative data security will likely stay standing. Much like the Louvre**.
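To make the four techniques concrete, here is an added example (not code from the original post or from any product it mentions) that runs the museum model over a handful of constructed database audit records: discovery classifies a column as cardholder data from sample values, monitoring supplies the access events, theft alerting separates three theft-like patterns from routine access, and mitigation maps each alert to a playbook step. Every user name, table name, threshold and action string is an assumption made for illustration; the z-score threshold, the business-hours window and the "laptop" destination label stand in for whatever a real deployment would use.

```python
"""Constructed 'museum model' pipeline: discovery, monitoring, theft alerting, mitigation.
Every record, user name, threshold and action here is an assumption made for illustration."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# --- 1. Discovery: decide whether a column holds cardholder data from sample values ---
PAN_RE = re.compile(r"^\d{13,19}$")

def luhn_ok(digits):
    """Luhn checksum, the same check card issuers use; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def classify_column(samples, threshold=0.8):
    """'cardholder' when at least `threshold` of the samples look like valid PANs."""
    if not samples:
        return "unknown"
    hits = sum(1 for s in samples if PAN_RE.match(s) and luhn_ok(s))
    return "cardholder" if hits / len(samples) >= threshold else "other"

# --- 2. Monitoring: captured access events (constructed); ts is ISO-8601 local time ---
HISTORY = [  # earlier, reviewed accesses used to build a per-user baseline
    {"user": "alice", "ts": "2007-03-01T10:00", "table": "card_tx", "rows": 120, "dest": "report-srv"},
    {"user": "alice", "ts": "2007-03-02T10:00", "table": "card_tx", "rows": 150, "dest": "report-srv"},
    {"user": "alice", "ts": "2007-03-03T10:00", "table": "card_tx", "rows": 110, "dest": "report-srv"},
    {"user": "alice", "ts": "2007-03-04T10:00", "table": "card_tx", "rows": 130, "dest": "report-srv"},
    {"user": "alice", "ts": "2007-03-05T10:00", "table": "card_tx", "rows": 140, "dest": "report-srv"},
    {"user": "carol", "ts": "2007-03-01T11:00", "table": "card_tx", "rows": 80, "dest": "report-srv"},
    {"user": "carol", "ts": "2007-03-02T11:00", "table": "card_tx", "rows": 100, "dest": "report-srv"},
    {"user": "carol", "ts": "2007-03-03T11:00", "table": "card_tx", "rows": 90, "dest": "report-srv"},
]
TODAY = [  # new events to be judged as they arrive
    {"user": "alice", "ts": "2007-03-06T10:05", "table": "card_tx", "rows": 50000, "dest": "report-srv"},
    {"user": "bob",   "ts": "2007-03-06T10:10", "table": "card_tx", "rows": 100, "dest": "report-srv"},
    {"user": "carol", "ts": "2007-03-06T02:15", "table": "card_tx", "rows": 90, "dest": "laptop"},
    {"user": "dave",  "ts": "2007-03-06T09:00", "table": "catalog", "rows": 900, "dest": "laptop"},
]
ENTITLED = {"card_tx": {"alice", "carol"}}  # accounts approved for each sensitive table

def baseline(history):
    """Per-user mean and population stdev of rows returned in past accesses."""
    per_user = defaultdict(list)
    for e in history:
        per_user[e["user"]].append(e["rows"])
    return {u: (mean(v), pstdev(v)) for u, v in per_user.items()}

# --- 3. Theft alerting: separate theft-like access from routine access ---
def detect_theft(events, base, entitled, z=3.0, business_hours=range(8, 19)):
    alerts = []
    for e in events:
        if e["table"] not in entitled:          # not classified sensitive: no alert
            continue
        if e["user"] not in entitled[e["table"]]:
            alerts.append((e["user"], "rogue_account"))
            continue
        mu, sd = base.get(e["user"], (0.0, 0.0))
        if e["rows"] > mu + z * max(sd, 1.0):   # volume far above this user's own norm
            alerts.append((e["user"], "bulk_export"))
        off_hours = datetime.fromisoformat(e["ts"]).hour not in business_hours
        if e["dest"] == "laptop" and off_hours:  # sensitive rows leaving to an endpoint at night
            alerts.append((e["user"], "endpoint_copy"))
    return alerts

# --- 4. Automated risk mitigation: each alert kind maps to a response playbook step ---
ACTIONS = {
    "rogue_account": "open incident; de-provision the account pending review",
    "bulk_export": "open incident; investigate the session; confirm data at rest is encrypted",
    "endpoint_copy": "open incident; identify and scan the laptop; confirm disk encryption",
}

def plan_mitigation(alerts):
    return [(user, kind, ACTIONS[kind]) for user, kind in alerts]

def run_example():
    """Wire the four stages together over the constructed events."""
    return plan_mitigation(detect_theft(TODAY, baseline(HISTORY), ENTITLED))

if __name__ == "__main__":
    for user, kind, action in run_example():
        print(f"{user:6} {kind:14} -> {action}")
```

The point the analogy makes shows up in the third stage: carol's 90-row read is routine by volume, and dave's 900-row pull is ignored because the catalog table was never classified as sensitive, so only the accesses that differ from each user's own history, entitlement or normal destination raise an alert. That is what lets the alert feed a response center without drowning it, and it depends on discovery having run first.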
* I will take up on the difference between edge-based data leakage prevention and “protection-oriented” core data auditing in a subsequent post.
** Museums didn’t always get it right. When the Mona Lisa was stolen from the Louvre in 1911, it created a national stir in France that changed the way security was done. Security comes at a cost. For lower valued paintings, like the $37,000 19th-century landscape by Turpin de Crisse, security challenges continue.