Although most of us have been exposed to the basics of computation theory through the Turing Machine, fewer of us probably remember that Alan Turing was a code breaker during World War II. So this year at the RSA 2008 Conference, Turing, because of his work in cryptanalysis, was the inspiration for the information security professionals attending.
Every year at RSA, I have the feeling that information security is not changing and, at the same time, is changing somewhat. It is not changing because the fundamental principles of information security are the same year after year.
Following are some “Simple Ideas from Simple Minds” about what is not changing in information security: some obvious but sometimes forgotten thoughts about managing information security in any organization, the simple thoughts that you will hear every year at RSA.
What Are The Assets That You Need to Secure?
Every business relies on digital information and transactions. The art of information security starts with understanding which information assets are the engines of growth and profit for the business. From there, information security aims to focus the investments in people and tools on securing those assets efficiently.
Establish the Threat Model for Your Critical Assets!
For FedEx, or any shipping and logistics business, what is critical to operations is the schedule of its aircraft and trucks: disrupt those schedules and FedEx cannot ship a single package. For DuPont, or any biotech company, most of the value of the business lies in its patents and intellectual property: steal that intellectual property and the stock of DuPont goes down. For Renaissance Technologies, or any other hedge fund, profits depend on timely executed transactions: any delay in buying or selling derivatives or stocks results in millions of dollars of loss.
Data Are the Keys to the Kingdom!
In finance, we learned that cash is king. In information security, data is king. The value of a digital asset lies in its data, so securing digital assets is about securing the whole data lifecycle: data are created, used, stored at rest, and moved in transit. Data transit through the network infrastructure, and data are accessed and manipulated by users. Security measures need to be in place at each of those stages.
Security is a Painful Process that Users Do Not Like!
Users do not like security because security constrains their freedom. In a nutshell, security is about protecting and monitoring the I.T. infrastructure while controlling the users who access the digital assets and communicate through the network infrastructure. Protecting means “putting locks and gates around the house”; monitoring means “looking at what is going on”; and controlling means asking “who is doing what?”.
Since no single security product will do the job, infrastructure security must be designed with multiple security layers, each complementing the others and each backing up the one before it.
Security must be Practical and Simple
Whenever an insecure configuration can be chosen, it inevitably will be. Never assume that systems and networks will perform the way you expect. And the risks never lie in what application and system software is supposed to do, but in what it should not do.
Give users and applications the least privilege: only the privileges they actually need. Find your weakest link, secure it, and then move on to the next weakest link. Make sure that you have a few central points in your network where you can monitor all inbound and outbound traffic.
And always remember that the more complex a system or network is, the more difficult it is to secure. Keep it simple!
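As an added example (not code from the original post), here is one way to build two of the principles above into a service's start-up: "whenever an insecure configuration can be chosen, it will be" is answered by starting from secure defaults and refusing to start on any insecure combination, and least privilege is answered by refusing any privilege the declared role does not need. The key names, roles and privilege names are hypothetical and chosen only for illustration.

```python
"""Fail-closed configuration loading.

Added example, not from the original post: every key starts from its secure
default, and an override that yields an insecure combination, an unknown key,
or a privilege the declared role does not need, stops start-up instead of
being silently accepted. All key names, roles and privileges are hypothetical.
"""

# Secure defaults: the configuration that results when nothing is overridden.
SECURE_DEFAULTS = {
    "role": "reporting",            # what the process is for (see ROLE_NEEDS)
    "privileges": ["read"],         # privileges actually granted to the process
    "tls_required": True,           # refuse plaintext connections
    "allow_anonymous": False,       # every caller must authenticate
    "listen_address": "127.0.0.1",  # not reachable from the network by default
}

# Least privilege: the maximum set of privileges each (hypothetical) role may hold.
ROLE_NEEDS = {
    "reporting": {"read"},
    "ingest": {"read", "write"},
    "operator": {"read", "write", "admin"},
}


class InsecureConfig(ValueError):
    """Raised when the effective configuration is unsafe; the caller must not start."""


def validate(cfg: dict) -> list:
    """Return the list of problems with an effective configuration (empty if safe)."""
    problems = []

    # Unknown keys are rejected: a misspelled key would otherwise be ignored and
    # the operator would believe a setting was applied when it was not.
    unknown = set(cfg) - set(SECURE_DEFAULTS)
    if unknown:
        problems.append(f"unknown keys: {sorted(unknown)}")

    role = cfg.get("role")
    allowed = ROLE_NEEDS.get(role, set())
    if role not in ROLE_NEEDS:
        problems.append(f"unknown role: {role!r}")

    # Least privilege: anything beyond what the role needs is refused.
    granted = set(cfg.get("privileges", []))
    excess = granted - allowed
    if excess:
        problems.append(f"privileges not needed by role {role!r}: {sorted(excess)}")

    # Plaintext is only tolerated on the loopback interface.
    if not cfg.get("tls_required") and cfg.get("listen_address") != "127.0.0.1":
        problems.append("plaintext listener exposed beyond loopback")

    # Anonymous access must never come with the ability to change anything.
    if cfg.get("allow_anonymous") and (granted - {"read"}):
        problems.append("anonymous access combined with non-read privileges")

    return problems


def load_config(overrides: dict) -> dict:
    """Merge operator overrides onto the secure defaults and fail closed."""
    cfg = {**SECURE_DEFAULTS, **overrides}
    problems = validate(cfg)
    if problems:
        raise InsecureConfig("; ".join(problems))
    return cfg


def is_accepted(overrides: dict) -> bool:
    """True if the overrides produce a configuration that validate() accepts."""
    return not validate({**SECURE_DEFAULTS, **overrides})


if __name__ == "__main__":
    # Constructed inputs: one acceptable override set and one that is refused.
    print(load_config({"role": "ingest", "privileges": ["read", "write"]}))
    try:
        load_config({"tls_required": False, "listen_address": "0.0.0.0"})
    except InsecureConfig as exc:
        print("refused:", exc)
```

The design point is that the operator never has to opt in to security: the secure setting is what you get by doing nothing, and the only way to run insecurely is to make the loader fail loudly and then change the code, which leaves a trace in review.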
Note: Just for fun, the concepts of the Turing Machine:
Copyright © 2005-2008 by Serge-Paul Carrasco. All rights reserved.
Contact Us: asvinsider at gmail dot com.
Categories: Cybersecurity