ATOMISATION: THE CROWN JEWELS OF THE IDEAL CYBER SECURITY MODEL

Transcription

1 ATOMISATION: THE CROWN JEWELS OF THE IDEAL CYBER SECURITY MODEL INSTEAD OF FOCUSING SOLELY ON MAKING INFORMATION DIFFICULT TO STEAL, INFORMATION SECURITY SHOULD FOCUS ON MEASURES THAT MAKE IT DIFFICULT TO USE.

2 Keeping your diamond and sapphire tiara and necklace in a bank vault may be a great way to reduce the security risk but it does create a bit of an availability issue. The same is true of Information Security. There is an inevitable tension between security and accessibility; measures aimed at protecting data from unauthorised access invariably make life harder for legitimate users. Conquering the availability issue Therefore, instead of focusing solely on making information difficult to steal, information security engages measures that make it difficult to use, by turning it into something that has little or no value to the thief. It achieves this by using techniques such as encryption, tokenisation, anonymisation or pseudonymisation. To return to the jewellery metaphor, it creates a paste copy of the necklace, thereby giving the owner the benefit of wearing a beautiful piece of jewellery, while creating a situation in which a theft will result in little loss to the owner and little benefit to the thief: an ideal solution that has worked effectively for hundreds, if not thousands, of years. The principle of atomisation My view, however, is that this approach to information security has a limited lifespan. Rapidly increasing processing capabilities and the exploding volumes of publicly available Big Data render the risk of de-identification of so-called anonymised and pseudonymised data increasingly probable. Meanwhile the rapid increase in processing speed and capacity, and the ever-present risk of theft or prediction of passwords, which are increasingly recycled by their harassed owners, will eventually overwhelm encryption-based security measures. I would therefore suggest that the most important component of a cyber security model for the future is to find a new approach, and I propose that we start with the principle of atomisation both of the data itself and of the security solution. IT IS SAID THAT 90 PERCENT OF THE DATA IN THE WORLD WAS CREATED IN THE PAST TWO YEARS IT S ALSO MORE VARIED. 2

3 Unlocking the DNA behind your data But what if we remove access from the equation? What if the data itself could do things without the need for it to be accessed? What if, before being put into a data pool, each item of data could be programmed to perform only certain specific functions, to behave in pre-determined ways, to fall asleep and wake up only when duty called, and even to die when its useful lifespan had passed. What if each item of data, like an organic cell, had DNA a string of instructions or genes that gave it specific abilities but also placed a limit on those abilities that enabled it to live in a certain atmosphere but perish in another? The complexity of the DNA (which could range from that of a single-cell organism to that of a human being) in a given piece or set of data could be determined by an algorithm-based assessment of its value and vulnerability. Each would have its own, internally programmed security solution reflecting its profile in terms of the purpose and value to the legitimate stakeholders and its vulnerability, measured by its value to potential attackers. This is atomisation. Data ain t what it used to be I am not suggesting that I have the skills to develop this next-generation cyber security model, but would very much like to set down the challenge for those who do. We have to start by waking up to the fact that data ain t what it used to be. It s not just that there is a lot more of it it is said that 90 percent of the data in the world was created in the past two years it s also more varied. The principal reason for this proposed paradigm shift is undoubtedly the relatively recent acceleration in the rate of change in every aspect of data volume, variety and velocity (the so-called 3 v s) harnessed to the increasing rate of data collection, storage, processing and analytical capabilities. There is nothing to indicate a deceleration, let alone a decline, in any of these growth factors in the foreseeable future. 3

4 A new approach in tune with life s mod cons We are already living in a seemingly futuristic environment, in which the technology already exists for us to be woken by an alarm at a time calculated by referring to our first diary appointment, the distance to the appointment, mode of travel, transport updates and whether the car (which does not require a driver) needs to be refuelled en route. The central heating can switch to stand-by when the last person leaves the house and on again when the first returning member of the family gets to within half an hour of home, using mobile location tracking. Our fridges will soon place online orders based on what s running out, the weather forecast and school holidays. Conclusion In short, everything is different now. Everything. So the ultimate goal for security, in my opinion, must be to take a totally different approach that is not hampered by the natural tension between prevention and enablement and the permanent risk posed by access that if the good guys can get to the data, so can the bad guys. This is why I believe efforts should be focused on a new approach, and that the solution may lie in atomisation. 4

5 THE DIGITAL This is from The digital crossroads edition of SLANT. For more, please visit: kpmgslant.co.uk The information contained herein, is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information, without appropriate professional advice after a thorough examination of the particular situation KPMG LLP, a UK limited liability partnership, is a subsidiary of KPMG Europe LLP and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative, a Swiss entity. All rights reserved. The KPMG name, logo and cutting through complexity are registered trademarks or trademarks of KPMG International. 5