Duncan hine input3_irm_and_outsourcing
0 likes321 views
The document discusses several issues related to information security risk management with data aggregation in the cloud. It notes that more data is being collected and combined from various sources, increasing privacy and security risks. As data sets grow extremely large, the potential damage from loss or misuse also increases greatly. Proper privacy and security controls need to be applied to the cloud to manage these emerging risks from large-scale data aggregation. Traditional risk management practices can still apply but need to be adapted to the new threat landscape.
Duncan hine input3_irm_and_outsourcing
- 1. Information Security Risk Management IT operation outsourcing The Cloud and Data aggregation
- 2. More data is collected, storage is ‘free’ Data sets are connected and correlated for many reasons They are combined with open source data sets – credit referencing = identity exists Data sets are shared internationally There is a new focus on privacy people are sensitive to this issue Privacy sensitive information is valuable and can easily be sold if stolen
- 3. Single records unclassified or low classification, or privacy sensitive only As set grows 10, 100, 1,000, 10,000, 1m, 10m......100m something changes but traditional classification did not change Changes for two reasons damage caused by large data loss is clearly greater – resign, resign, resign...... Acquisition of large data sets opens up opportunities for new insights with dangerous consequences
- 5. Forgery and alteration does not work Better to apply for a real one in a false identity All identities checked on application for ‘social footprint’ so must take from a real person May already be holder or past holder or known to agency - fraud will be detected Need to know in advance use two methods With target cooperation and without Access to large data sets reduces risks
- 6. On line genealogy and credit referencing Electoral rolls Travel data sets (if you travel you already have a passport) Vulnerable adult data sets addicts, long term carers Lists of professionals with issues All increase the chance of success and reduce the number of simultaneous applications that need to be made
- 7. Standard method was to adopt the identity of a dead child born about the same time as the applicant who would not have a passport Duplicate birth certificate obtained (a legal right in UK) Application will not work now as deaths checked, but for various reasons records not complete
- 8. Monitor open source deaths in online local newspapers Find a soldier who served abroad, 20-40 yrs older than target Use on line regimental histories to establish when served overseas and what countries Aim to identify a country where soldier was around the time the applicant was born with weak record system Forge a birth certificate for that country Apply as the illegitimate child of the dead soldier – it was always kept a secret
- 9. Using a cloud makes aggregation happen inherently Cloud needs to be set up so penetration is limited in containers to manage risk Encryption at rest looks like the answer but it introduces many other problems These include key management, escrow, and penetration of key provider RSA issue a good example It’s not just about accessing the data but also the ability to combine big data sets WP is a good example
- 10. Many controls will be traditional Passport special control process was to cost Eu 10m By taking two highly vetted people from a pool of 24 at random and using a four eyes process same/better protection was delivered at a fraction of cost To break this have to corrupt all 24 people Basic training and awareness more important than ever
- 11. Traditional approach to risk management is still valid for the cloud but the threats and risks are different Controls and mitigations are similar but applied differently There is a good opportunity, the risks are greater if they are not well engineered but they can be ! Risk management must be done properly by specialists and asset owners together