So I raised this issue at the meeting … Perhaps we are spending far too much on end-user security and not nearly enough on securing the admins. After all, every incremental dollar spent on admin security might return 100 times what the same dollar spent on internal end-user security would. I had some side discussions with attendees at the meeting, such as with my old friend Pat Pryor, on trying to come up with technologies that could isolate admins from sensitive data and still allow them to do their job. One response was that such capabilities need to be built into applications and platforms from the outset.
On that score, I came across an article about an encryption method developed by IBM. In a June 25, 2009 eWeek.com article, “IBM Discovers Encryption Scheme That Could Improve Cloud Security, Spam Filtering,” writer Brian Prince describes that “An IBM researcher reports having developed a fully homomorphic encryption scheme that allows data to be manipulated without being exposed.”
If such a system could be adapted to the admin/super-user community, we might have something that allows admins to do their jobs but does not give them access to sensitive data. How great would that be?
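The property the article describes, computing on data without exposing it, can be shown with an additively homomorphic scheme even though the IBM result is a fully homomorphic one. Below is an added illustration (not from the article or from IBM's scheme): a textbook Paillier implementation in which an "admin" role totals encrypted salary figures it cannot read, and only the key holder decrypts the sum. The key sizes and salary values are constructed for the demo.

```python
import secrets
from math import gcd

def is_probable_prime(n, rounds=16):
    """Miller-Rabin probable-prime test (sufficient for a demo, not a vetted library)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2; r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # force top bit and odd
        if is_probable_prime(c):
            return c

def keygen(bits=512):
    """Paillier key pair with the common simplification g = n + 1, mu = lambda^-1 mod n."""
    p, q = random_prime(bits // 2), random_prime(bits // 2)
    while q == p:
        q = random_prime(bits // 2)
    n = p * q
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    return (n, n * n), (lam, pow(lam, -1, n))

def encrypt(pub, m):
    n, n2 = pub
    r = secrets.randbelow(n - 1) + 1          # fresh randomness: equal plaintexts give different ciphertexts
    return (pow(n + 1, m, n2) * pow(r, n, n2)) % n2

def decrypt(pub, priv, c):
    n, n2 = pub
    lam, mu = priv
    return ((pow(c, lam, n2) - 1) // n * mu) % n

def add_encrypted(pub, c1, c2):
    """Homomorphic addition: multiplying ciphertexts adds the hidden plaintexts."""
    return (c1 * c2) % pub[1]

def admin_total(pub, ciphertexts):
    """The admin role: sums the records using only the public key, never seeing a value."""
    acc = encrypt(pub, 0)
    for c in ciphertexts:
        acc = add_encrypted(pub, acc, c)
    return acc

def demo():
    pub, priv = keygen(512)                   # key holder (data owner) keeps priv
    salaries = [52000, 61000, 70500]          # constructed sample records
    total_ct = admin_total(pub, [encrypt(pub, s) for s in salaries])
    return decrypt(pub, priv, total_ct)       # only the owner learns the sum: 183500
```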

One Comment
Warren,
When I (and I hope others) present around the report, we mention this bias explicitly. I hope nobody ever told you it was a random sample. Also, it might be worth noting that page four of the report states:
“We would like to reiterate that we make no claim that the findings of this report are representative of all data breaches in all organizations at all times. These statistics are based solely upon our caseload and any conclusions or inferences we make are drawn from this sample. Although we believe many of these results to be appropriate for generalization, bias undoubtedly exists. Even so, there is a wealth of information here and no shortage of valid and clear takeaways. As with any study, readers will ultimately decide which findings are applicable within their organization.”
I also work in my presentations to discuss the nature of the threat sources – giving the same reasons you do describing why the results might look like they do. Again, from the report itself:
“It is true that these results are based upon our caseload—which is consumer data-heavy—and may not be reflective of all data breaches. Perhaps insiders are more apt to target other types of data such as intellectual property. It is also true that many insider crimes may never be detected, though one would think any breach causing material harm would eventually be noticed. It is also feasible they are more likely handled internally.”
I hope that you found the presentation informative. If you’d like, please feel free to drop me an email with any questions you might have. I can’t comment on any specific cases, only on the aggregate data set, of course, but if there’s something you’d like clarification on, I’m happy to help.
yours,
Alex