Saturday, December 02, 2006

This is an additional post regarding IP and least privilege access

Intellectual property (IP) loss: what is the real threat?

There are four major risk areas: the loss of IP through attrition (former employees), and theft by foreign competitors, domestic competitors, and contractors/vendors. Attrition is outside the realm of most IT security controls, but some controls clearly help against this type of loss; these are discussed in more detail below. Then there is outright theft, whether internal or external. These two situations are also discussed below. It is thought that 70% or more of a company’s market value is in its intellectual property, so any significant loss of IP is a significant loss to the market value of your company. Unfortunately, most companies have not done their homework in quantifying the value of their IP, and therefore have not quantified the risk. Valuation and risk models based on the likelihood of loss must be used to determine the best controls.

Loss through Attrition
Several IT security controls can minimize the loss of IP through attrition. Users should only have access to what they need to accomplish their work. Establishing and developing a culture and technical controls that enable the Least Privilege Access method, LPA, is the single most effective way to minimize this risk. If users do not have access to sensitive information they do not need, they cannot take it with them when they leave the organization.

Theft
External theft is enabled by weak security perimeters and inadequate controls on content submitted to externally facing websites. See the warning from UK officials here.

Insider threats are much harder to deal with, and they are occurring more frequently than in the past. This correlates directly with the hardening of the perimeter around companies’ IT infrastructure and with the change from hacking being a pastime for technically savvy individuals to an activity of individuals with a financial motive. This threat should be mitigated by implementing better human resource programs and applying the principle of least privilege access.

Technical Controls and Least Privilege Access
LPA, on the other hand, is difficult to use in practice. It is really hard to keep up with what users need, and if access is too restrictive, collaboration and productivity suffer. Role-based access can alleviate some of these problems, and new advances in user management make it easier. For example, Microsoft’s Active Directory™ allows for easier organization of users in their respective roles. However, it does not get you the last mile towards true LPA. In the end, the users who create sensitive information are the ones who have to decide what needs to be published, and to whom. In today’s environments, this information lives in structured repositories such as databases and management systems, and as unstructured data such as Word documents, spreadsheets, presentations, etc. Unstructured information is the hardest to place controls around, but you can use classification schemes to mitigate the risk. Unfortunately, Least Privilege Access is too complex a solution to be discussed within a paragraph, so I will discuss LPA separately in a later article.

Sensitive information risk: how to quantify it
A financial risk analysis helps business decision makers make the right choice of information security solutions based on internal risks, industry data, the cost of the solution and the return on the investment (ROI). This framework is used to evaluate current and future risks of losing sensitive information in an organization. The risk assessment framework should be used to determine the legal, financial and business risk exposure of an organization regarding its handling of digitized sensitive data. The assessment measures the legal liability and potential financial losses against the cost of implementing controls. A proper financial risk assessment gives ROI and NPV predictions based on actual findings, trends, and the projected success rate of the controls and mitigations. This is achieved by using Monte Carlo simulations based on internal and external data sets. ROI is computed from the Annualized Loss Expectancy (ALE) with current controls versus the ALE with the new controls, together with the costs associated with the new controls.
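A worked version of the ALE comparison described above, added here as an example and not taken from the original post: yearly incident counts and per-incident losses are drawn from constructed distributions, and the ROI follows from the ALE with current controls, the ALE with new controls, and the new controls' annual cost. The incident rates, the lognormal loss parameters and the 120,000 control cost are assumptions, not data from the page.

```python
import math
import random
import statistics

# Added example, not from the original post: a Monte Carlo estimate of
# Annualized Loss Expectancy (ALE) with current vs. new controls, and the
# resulting ROI. All rates, loss sizes and costs below are constructed.


def ale(aro, sle):
    """Point estimate: ALE = Annual Rate of Occurrence x Single Loss Expectancy."""
    return aro * sle


def control_roi(ale_before, ale_after, annual_control_cost):
    """ROI of a control: loss avoided, net of the control's cost, per unit of cost."""
    savings = ale_before - ale_after
    return (savings - annual_control_cost) / annual_control_cost


def simulate_ale(aro, sle_median, sle_sigma, trials=20_000, seed=7):
    """Monte Carlo ALE. Incidents per year follow a Poisson process with rate
    `aro` (counted via exponential inter-arrival times); each incident's loss is
    lognormal with the given median and dispersion. Returns the mean annual loss."""
    rng = random.Random(seed)
    mu = math.log(sle_median)
    annual_losses = []
    for _ in range(trials):
        loss, t = 0.0, rng.expovariate(aro)
        while t < 1.0:                      # all incidents inside one year
            loss += rng.lognormvariate(mu, sle_sigma)
            t += rng.expovariate(aro)
        annual_losses.append(loss)
    return statistics.fmean(annual_losses)


def compare_controls():
    """Constructed scenario: least-privilege controls cut the incident rate from
    2.0/yr to 0.8/yr at an annual cost of 120,000; median loss per incident 150,000."""
    before = simulate_ale(aro=2.0, sle_median=150_000, sle_sigma=0.5)
    after = simulate_ale(aro=0.8, sle_median=150_000, sle_sigma=0.5)
    return {"ale_before": before, "ale_after": after,
            "roi": control_roi(before, after, annual_control_cost=120_000)}


if __name__ == "__main__":
    for k, v in compare_controls().items():
        print(f"{k}: {v:,.2f}")
```

With these inputs the analytic mean loss per incident is 150,000 x exp(0.5^2 / 2), so the simulated ALE lands near 340,000 before and 136,000 after, giving an ROI of roughly 0.7; swapping in an organization's own incident history and loss data is what turns the model into the assessment the paragraph describes.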

Risk is inherent in any business undertaking. Businesses continuously manage risk at all levels of the organization. How the risk is managed differs from company to company, and is often based on organizational culture, the maturity of the organization, and how regulated the industry is. Financial risk analysis is the norm for any larger company irrespective of the industry it operates in. Their IT organizations, on the other hand, more often than not fail to fully utilize the potential of a financial risk analysis approach to IT risk management. Risk is often determined by experts in IT security based on their domain knowledge. However, many IT security experts do not fully consider the business impact when they determine which risks to accept, reduce, or transfer.

Friday, November 17, 2006

Sensitive information is becoming one of the key areas for organizations to protect. Sensitive information includes personal information, such as customer data, personnel data, health information, financial information, credit card information, intellectual property, etc. Most of this information is now stored electronically, and breaches occur often. See for example this article in Computerworld. This problem has traditionally been addressed by implementing firewalls and other controls, but these controls can only solve parts of the problem. Look for example at the loss of credit card data belonging to the security vendor Guidant’s customers. Data loss happens through external breaches such as hacks, and through internal theft or misuse.

Sensitive data can be placed into four major groups: Personally Identifiable Information (PII), Intellectual Property (IP), Financial Information, and Business Intelligence. PII can consist of name, social security number, credit information, health information, etc. Health information is usually described as Personal Health Information, PHI. IP is broken into five groups: trademarks, trade secrets, industrial secrets, patents, and copyright.

Loss of this type of data can have serious financial and legal implications. If customer data is lost, the losses include the real cost of recovering the information, fines, legal costs, opportunity cost, and loss of goodwill and customers. This is something that keeps business managers up at night worrying.

In the coming weeks and months, I will discuss:
Risk methodology to identify the risk exposure of an organization
Legal risk, financial risk
Key concerns of an organization
Governance and sensitive data
How to conduct a proof of concept
Solutions evaluations
Necessary additions for an enterprise
How to tie it all together
How it all looks in production

Olav

Sunday, November 12, 2006

My name is Olav Opedal, and I work on protecting sensitive data for Microsoft, in the information security group.

This blog will discuss problems and solutions used to solve the unstructured sensitive data problem found in today's corporations. All opinions are my own, and not those of my employer or any other organization.


Terms of Use and disclaimers:

All posts are © their respective author. All original content may be quoted, provided a link to the site appears with the quote.

In exchange for access to this site, you agree not to sue the owner or authors of this site. Information obtained on or through this site is not intended to be, and in no way should be construed as, legal advice or counsel. This site assumes no responsibility for the accuracy of information provided by other authors. Likewise, other authors assume no responsibility for the accuracy of information provided by others.

We make no warranty regarding availability or accessibility to this site.

THE POSTINGS ARE PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS REGARDING ANY AND ALL POSTINGS ON THIS SITE.

I am not responsible for the comments, writings and links left by others in the comments section. All email will be considered for publication. Use of this site indicates acceptance of these terms.