“Pragmatic” CSO veneer starts to peel off.
Mike Rothman, normally a sharp guy, just blew it so hard in this quote that I had to drop what I was doing (all 25 things, actually) and rant about it.
So what? - This puff piece in ESJ about PGP isn’t worth too much. But it gives me an excuse to once again talk about STRATEGIC use of encryption. This idea of encrypting everything is stupid. There is a cost to encryption and it’s not just the cost of buying PGP (or your favorite other encryption vendor), there is a lot of management and performance overhead. So you encrypt what needs to be encrypted. Sensitive and private information. Intellectual property. You get the drift. But when thinking about encryption, start with the data and work outwards. Not the other way around.
In the words of a former colleague, “You don’t even know how wrong you are.” Here are the problems with that platitude:
1. Not everyone in your organization knows for sure what constitutes “sensitive and private information.”
2. Even if they know, it’s probably not tagged and organized to the point where they know where all of it is.
3. You can’t keep it in one place.
Data is created all the time. It’s copied. It flows into every nook and cranny, with every email, every cut and paste, and every drag and drop. I dare you to show me any non-DoD installation where they can afford to encrypt ONLY the sensitive data and be sure they’re not missing anything.
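As an added illustration of that point (not code from the original post), the script below builds a small constructed workstation tree with one designated encrypted volume and the usual overflow locations, then runs a crude discovery scan for sensitive-looking content. The directory names, file contents and the two detection patterns are all made up for the example; it shows how a practitioner would test whether "encrypt only the sensitive volume" actually covers the data before trusting it.

```python
"""Data-discovery check: does the 'encrypt only the sensitive volume' strategy
actually cover the sensitive data? Added illustration; the file tree and the
sample records are constructed for this example, not real data."""
import re
import tempfile
from pathlib import Path

# Patterns a simple discovery scan might look for. The SSN-shaped pattern and
# the classification marker are illustrative, not a complete DLP rule set.
SENSITIVE_PATTERNS = {
    "ssn_like": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "classification_marker": re.compile(r"\bCONFIDENTIAL\b"),
}

# A constructed workstation layout: one designated encrypted volume, plus the
# ordinary places data ends up through email, copy/paste and drag-and-drop.
CONSTRUCTED_FILES = {
    "SecureVolume/hr/payroll.csv": "name,ssn\nA. Example,123-45-6789\n",
    "Desktop/notes.txt": "Call about ticket 42. Employee ssn 987-65-4321 for the form.\n",
    "Mail/attachments/board-deck.txt": "CONFIDENTIAL draft: Q3 forecast\n",
    "tmp/~clip.txt": "pasted: 555-12-3456\n",
    "Documents/lunch-menu.txt": "Tuesday: soup\n",
}


def build_tree(root: Path) -> None:
    """Write the constructed files under root."""
    for rel, body in CONSTRUCTED_FILES.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body)


def scan(root: Path) -> dict:
    """Return {relative_path: [matched pattern names]} for every file that hits."""
    hits = {}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        text = p.read_text(errors="replace")
        names = [n for n, rx in SENSITIVE_PATTERNS.items() if rx.search(text)]
        if names:
            hits[p.relative_to(root).as_posix()] = names
    return hits


def coverage(root: Path, protected: str) -> dict:
    """Split the hits into those inside the protected volume and those outside it."""
    hits = scan(root)
    prefix = protected + "/"
    inside = sorted(k for k in hits if k.startswith(prefix))
    outside = sorted(k for k in hits if not k.startswith(prefix))
    return {"inside": inside, "outside": outside, "total": len(hits)}


def run_demo() -> dict:
    """Build the constructed tree in a temp dir and report encryption coverage."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        build_tree(root)
        return coverage(root, "SecureVolume")


if __name__ == "__main__":
    report = run_demo()
    print(f"{report['total']} files with sensitive-looking content")
    print("inside the encrypted volume:", report["inside"])
    print("outside it (unprotected):", report["outside"])
```

In this constructed tree only one of the four hits sits in the volume that a "start with the data" strategy would encrypt; the other three are the copy in a notes file, the email attachment and a clipboard scratch file. The scan's patterns are deliberately simple, and a real discovery tool would miss things too, which is the post's point: the gap between what is known to be sensitive and what actually exists is what whole-disk encryption closes.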
The first question you ask when a laptop or tape or anything else goes missing is: “What was on it?” And nine times out of ten, even the one who used it the most can’t tell you for sure. “Are you SURE there was no sensitive or private data on it?” “Uh, pretty sure.” Try saying that in front of your legal staff.
It is much, much easier to encrypt whatever your users touch so that they don’t have to ponder, with every file they create and every word they type, whether they should be putting it into a special volume somewhere. Hell, just try to get them to do record retention—good luck.
Users don’t want to be burdened with meta-thoughts about their data. They just want to get work done.
And that’s the truth-thpthbpthbpthbpthb.
Posted by shrdlu on Thursday, February 01, 2007