Thursday, May 10, 2007

Infosec, what's the fuss?


Drazen Drazic said...

If I read that right, the bold circles mean defence. Okay then... let's start at the inner circle... most organisations don't. Secure the system! Easy. Called hardening.

Most organisations don't. They like to think the outer circle will nullify having to do anything on the inner circle.

Now, most organisations also do the outer circle badly by forgetting that they have the inner circle... yeah, sounds stupid to me too, but hey, who'll know?!?! :-)

Easy. Do I get a prize for that?

Donal said...

The prize is that of enlightenment ;)

I made the diagram to represent a simple 'state' diagram akin to a Finite State Automaton that many would have seen in Computer Science.

There is a commentary that goes with it which I have yet to post.

I think that Dan Geer's old paper on the Shrinking Perimeter sums it up nicely making the case for object level protection and securing the data's point of utility. We need more reductionist thinking in the field, that starts with a data blob or flow and appraises it fully.

I believe that until we can assign a financial value to a piece of data over its life cycle, we are not going to make any great strides.

The image is actually a link to a great paper by an NSA guy summing up the 'assurance' and 'accountability' issues.