Identifying the Value of Informational Assets Before You Move Them to the Cloud
- 1. Identifying the Value of Informational Assets Before You Move Them to the Cloud Jason Rader Chief Security Strategist RSA, the Security Division of EMC © Copyright 2013 EMC Corporation. All rights reserved. 1
- 2. Roadmap Information Disclaimer EMC makes no representation and undertakes no obligations with regard to product planning information, anticipated product characteristics, performance specifications, or anticipated release dates (collectively, “Roadmap Information”). Roadmap Information is provided by EMC as an accommodation to the recipient solely for purposes of discussion and without intending to be bound thereby. Roadmap information is EMC Restricted Confidential and is provided under the terms, conditions and restrictions defined in the EMC NonDisclosure Agreement in place with your organization. © Copyright 2013 EMC Corporation. All rights reserved. 2
- 3. How do we value information? © Copyright 2013 EMC Corporation. All rights reserved. 3
- 4. Bits vs Bits On one hand, we have bits of data On the other, we have MANY “bits” of money © Copyright 2013 EMC Corporation. All rights reserved. 4
- 5. What’s the Conversion Rate? 10 Bits = €10? 1 Gigabit = £1,000? 1 Byte = 2 bits? Where is this rate? How do I use it? – Doesn’t exist! – Too many factors affect it to map globally. © Copyright 2013 EMC Corporation. All rights reserved. 5
- 6. A Scholar’s Definition “Information value arises as the difference between a decision maker’s payoff in the absence of information relative to what can be obtained in its presence.” This works for theft, but what about copy? – China/Mr. Pibb Problem – Once copied, is it a race to the bottom? Banker, R. D., & Kauffman, R. J. (2004). The evolution of research on information systems: A fiftieth-year survey of the literature in management science (Vol. 50, pp. 281-298): INFORMS: Institute for Operations Research. © Copyright 2013 EMC Corporation. All rights reserved. 6
- 7. How do we classify info today? © Copyright 2013 EMC Corporation. All rights reserved. 7
- 8. Why is information classification broken? Typical classification systems are problematic – Lack definition (what constitutes info of this kind?) – And automation (teach systems to handle) – Don’t address individual data value (is a vault required?) © Copyright 2013 EMC Corporation. All rights reserved. 8
- 9. Four Dumb* Classification Schemes Structuralist (Focusing on regulatory compliance) Realist (Stuff we care about, stuff we don’t) Broker (risk-based, three tiers, soft chewy middle) Striver (Everyone hates this guy, 3+ tiers, highly structured, opportunities for automation) Information Classification: An Essential Security Thing You're (Still) Not Doing, Trent Henry, Gartner © Copyright 2013 EMC Corporation. All rights reserved. 9
- 10. Opportunities for Attack Attackers and companies never value data the same. There are reasons for this: – The data itself isn’t valuable without the knowledge/hardware to monetize it – Secondary/unused business data is ignored – Differing interpretation of value lifecycle © Copyright 2013 EMC Corporation. All rights reserved. 11
- 11. How do we identify these opportunities? The value of information to us (Vc) varies widely As does the payoff for an adversary (Pa) Where those differ, we have opportunity (O) – This could also be described as inefficiency This opportunity can be expressed as: O = Vc - Pa © Copyright 2013 EMC Corporation. All rights reserved. 12
- 12. How do we identify these opportunities? O = Vc - Pa Positive values of O suggest we know and understand the value, and attackers cannot monetize Negative values of O suggest we have high risk data that attackers want, but we devalue Small values of O indicate matched intent Large values of O indicate inefficiency © Copyright 2013 EMC Corporation. All rights reserved. 13
- 13. Examples of how this works: O = Vc - Pa Credit Card Information, 30m HQ Numbers – Low value to company, transactions settled – HIGH payoff to adversary ($1/card = $30m) – Hugely negative Opportunity value Manufacturing process for IP, control SC – Payoff is low to adversary due to supply chain – If high spend on security, could be reallocated to other areas. © Copyright 2013 EMC Corporation. All rights reserved. 14
- 14. The Value of Information Over Time Max Value Value Area under this curve = money for information owner Time © Copyright 2013 EMC Corporation. All rights reserved. Information eventually becomes a liability 15
- 15. Events Occur, changes the curve Max Value Value Information is now copied, breach occurs Time © Copyright 2013 EMC Corporation. All rights reserved. The loot becomes divided among holders. 16
- 16. What’s interesting about these curves? This one is a sample, but somewhat representative Curve notes: – – – – Each ACTOR has their own curve Curves can be steeper or flatter Curves can converge/diverge with actor action Curves only represent value for the ACTOR (i.e., unrealized value may not be represented) – Eventually, information becomes a liability – Impending threat mirrors value curve – Think about a zero day exploit on its own curve © Copyright 2013 EMC Corporation. All rights reserved. 17
- 17. Beginning to translate these curves Information’s value varies over time – We need to consider malicious actors when planning information security defenses – Blanket controls cause inefficiency When curves converge/diverge… – Values can dramatically consolidate/divide Curves represent potential value to the actor – Pent up value may exist without realization © Copyright 2013 EMC Corporation. All rights reserved. 18
- 18. We need a new model Minimum model requirements: – Information grouped by value ▪ To ME ▪ To Competitor/Military ▪ Only if LOST – Address information value over time ▪ Information changes in value over time ▪ Usually depreciating, some more rapidly than others – Reflect # of actors and motivation – Reflect change in motivation based on payoff ▪ Market forces can dramatically alter this ▪ Large data stores are more attractive than small ones © Copyright 2013 EMC Corporation. All rights reserved. 19
- 19. Moreover: The model needs to be simple No industry jargon No dictionary required Not dozens of pages © Copyright 2013 EMC Corporation. All rights reserved. 20
- 20. Simple, Yet flexible Must be able to adjust with value changes Must rely on accurate inputs – – – – – – Numbers of actors Projected payoffs with data theft Strength of perimeter defenses Number of business processes using the data Amount of data sprawl Account for amount of data as a change in payoff Must be able to affect security posture 21 © Copyright 2013 EMC Corporation. All rights reserved. 21
- 21. How SHOULD we view the world? Secret Sauce Intellectual Property Software Vuln DB Corp Strategy Crown Jewels Easily Transferrable IP Actionable IP Encryption Keys COMPINT Defense Information © Copyright 2013 EMC Corporation. All rights reserved. Customer Analytics IT Configs Biz Processes Valuable to me Derivative Data Analytics for Sale Medical Records Valuable to Competitors or Military Valuable if Lost CC Data PII/PHI Data Unused Biz Data Disinformation Old Source Code Old IP Old/Retired Encryption Keys 22
- 22. The Model Value to You Value to Comp. Value if Lost 1 50 2.3B* Y N N Customer Analytics IT Configs Business Processes N Intellectual Property Secret Sauce Software Vuln DB Corp Strategy Y? Old Source Code Old IP (where new IP is derived) Old encryption keys Y N Y Y © Copyright 2013 EMC Corporation. All rights reserved. Examples Breach Prob. Biz Impact Low A/I Med C–Delayed Risk A/I Immediate ACTION Number of Potential Actors Med C/I Secured, but not vaulted Protect (Vault) C: Destroy I: Secure Archive 23
- 23. The Model (part 2) Value to You 1 N Value to Comp. Value if Lost 50 2.3B* N Examples Biz Impact ACTION Number of Potential Actors Y Credit Card Numbers PII/PHI Unused Biz Data Low (High Impact) C High C Y N Y Sec. Data Analytics (revenue) Medical Records High roller customers Proprietary Algorithms Financial Results Y Y Y Crown Jewels Easily transferrable IP © Copyright 2013 EMC Corporation. All rights reserved. Breach Prob. High (# Actors) C Outsource Destroy Obfuscate Protect IP (Vault) Secure Data Protect (Vault) 24
- 24. Payoff The Relevance of Data Mass Amount of data © Copyright 2013 EMC Corporation. All rights reserved. 25
- 25. Combating Risk from Data Growth Reduce data stores – Truncation – De-value options (tokens) – DESTROY Reduce the effective size – 1M records / 10 keys = 100K recs! – Multiple algorithms © Copyright 2013 EMC Corporation. All rights reserved. 26
- 26. How to apply the model Look at the kinds of data your business controls – – – – Try to define what it is, then relate it to the model Be sure to find information NOT IN USE Understand flow and sprawl of data Look for large values of O Add values where you can – Valuing information is personal – Use your own data – Don’t rely on external sources to define data value Remember CONFIDENCE factor! Take Action Per the Model! © Copyright 2013 EMC Corporation. All rights reserved. 27