This is another follow-on from my "Protect the Data" Idiot! post. If you think about the "protect the data" mindset, it's clearly a response to the sorts of data loss events that involve "records" -- credit card records, Personally Identifiable Information (PII), and the like. In fact, there's an entire "product line" built around this problem: data loss prevention. I wrote about DLP earlier this year in response to the rebranding effort taken by vendors to make whatever they sold part of the DLP "solution."
What's interesting to me about "protect the data" in this scenario is this: "what data?" Is your purpose in life to keep PII or other records in a database? That's clearly a big problem, but it doesn't encompass the whole security problem. What about the following?
- Credentials used to access systems. For example, intruders often compromise service accounts that have wide-ranging access to enterprise systems. Those credentials can be retrieved from many locations. How do you protect those?
- Systems that don't house PII or other records, but do serve critical functions. Your PBX, HVAC control system, routers, other network middleboxes, etc., are all important. Try accessing "data" without those devices working.
- Data provided by others. The enterprise isn't just a data sink. Users make decisions and work by relying on data provided by others. Who or what protects that data?
Those are three examples. If you spend time thinking about the problem you can probably identify many other forms of data that are outside the "DLP" umbrella, and outside the "protect the data" umbrella.
0 komentar:
Posting Komentar