Oct 11 2009
Richard Bejtlich had to take a couple of minutes yesterday to rant about someone who posted in a forum that we just need to protect the data. Don’t we wish it were that simple? Which form of the data is it we’re trying to protect? At rest, in motion, encrypted, unencrypted, printed out, on your screen, at the POS, on the server, in the database, in the client/customer’s hands, etc. etc. ad nauseam. The basic thought from the original commenter was that if we just protect the data itself, none of what’s going on in our network should matter, since the data itself is safe. But as Richard points out, it’s impossible to separate the data from the servers and networks it exists on, and therefore ‘protecting the data’ just isn’t enough.
Let’s use Heartland Payment Systems as an example: a piece of code on the servers that were processing the cardholder data was compromised, and the data was being stolen in the brief time between when it was received over a secure connection and when it was encrypted. Simply protecting the data fails here. There’s no iteration of ‘protect the data’ that could possibly have worked. The data had to be in an unencrypted state for a brief time; it could not go from the encryption of SSL to another encrypted form without existing unencrypted at some point during the process. That is why the simple maxim of protecting the data itself is always going to break down somewhere: in order to be usable, the data will always have to be in a vulnerable, unencrypted state at some point. And that is why we will always have the concept of defense in depth in security, and why we need overlapping security controls that cover for each other’s weak points.
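To make the point concrete, here is an added illustration (not code from this post, from Heartland, or from any payment vendor) of what the cleartext window looks like in a processing routine and how overlapping controls fit around it. It assumes a constructed storage key, a constructed sample card string, and an HMAC-SHA256 counter-mode keystream as a stand-in for a real cipher so that it runs on the Python standard library alone; a production system would use AES-GCM from a vetted library and pull the key from an HSM. The routine encrypts the already-TLS-decrypted bytes immediately and zeroises the buffer in place, which narrows the window but cannot remove it; a second, independent control (a fingerprint of the handler’s compiled bytecode) is the kind of overlapping measure that can notice when the processing code itself has been swapped for a modified copy.

```python
"""Narrowing (not eliminating) the cleartext window between TLS decryption and
storage encryption, plus one overlapping control: handler code integrity.
Added illustration; none of this is Heartland's or any vendor's code."""
import hashlib
import hmac
import os

# Constructed demo key; a real processor would fetch this from an HSM or key service.
DEMO_KEY = hashlib.sha256(b"demo-storage-key").digest()
NONCE_LEN = 12


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a stand-in stream cipher so the example
    # needs only the standard library. Use AES-GCM from a real library in production.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext) -> bytes:
    """Accepts bytes or bytearray; iterating a bytearray makes no copy of it."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = _keystream(key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def process_card_data(tls_plaintext: bytearray, key: bytes = DEMO_KEY) -> bytes:
    """Take the already-TLS-decrypted cardholder bytes in a mutable buffer,
    encrypt them for storage at once, and overwrite the buffer in place.

    The cleartext still exists between the two calls. That window cannot be
    removed, only kept short and free of extra copies: no logging it, no
    str() conversion, no handing it to other modules. Python also cannot
    promise the TLS layer kept no copy of its own, which is exactly why this
    control needs others around it."""
    try:
        return encrypt(key, tls_plaintext)
    finally:
        # Zeroise the buffer so a later read of this object finds nothing.
        tls_plaintext[:] = bytes(len(tls_plaintext))


def handler_fingerprint() -> str:
    """SHA-256 over the compiled bytecode of the processing routine. This does
    nothing for the cleartext window itself; it is an overlapping control that
    lets a monitor notice when the handler has been replaced by a modified copy.
    The baseline must be recorded on the same interpreter version at deploy time."""
    return hashlib.sha256(process_card_data.__code__.co_code).hexdigest()


def handler_unmodified(expected_fingerprint: str) -> bool:
    return hmac.compare_digest(handler_fingerprint(), expected_fingerprint)


if __name__ == "__main__":
    baseline = handler_fingerprint()  # would be recorded at deploy time
    # Constructed sample using the standard Visa test number, not real cardholder data.
    buf = bytearray(b"4111111111111111|12/26")
    blob = process_card_data(buf)
    print("buffer wiped:", buf == bytes(len(buf)))
    print("round-trip ok:", decrypt(DEMO_KEY, blob) == b"4111111111111111|12/26")
    print("handler intact:", handler_unmodified(baseline))
```

The two controls are deliberately independent: one shortens the time cleartext is resident and removes it afterwards, the other watches the code that handles it. Neither alone would have been sufficient against modified processing code, which is the overlapping-controls argument of this post in miniature.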
There’s no one true way to data security. Ask the physical security guys, who have centuries of history and lessons to draw from. Every security measure has its weakness that will be exploited at some time, no matter how small. There aren’t simple ‘just do X’ answers in our chosen profession; it’s always going to be about making trade-offs between security, usability and resources. Some security philosophies work better than others, but just like security measures themselves, we have to embrace a set of overlapping security philosophies, just as we have to have overlapping security measures. Otherwise we’re just fooling ourselves and leaving blind spots for the enemy to exploit.