Shaken but not stirred – Sony Pictures

It’s been a chilling experience for Sony Pictures, and a little surreal for those observing. It could be one of their movies….

Bruce Schneier has some thoughts. The hacking incident has shocked many, although any of us in information security may not be particularly surprised.

After many years in information security I am continually disappointed by the lack of focus on securing an organisation’s information assets. This includes intellectual property (IP) and any information that needs to be protected in the course of generating IP. The focus on being ‘compliant’, finding ways to get the tick in the box without being really serious about doing what is right, is worrying. I wrote a post in April this year that dives into this subject.

Of course, if an organisation is not serious about protecting its IP, how can you expect it to protect the personal information of its employees, customers and partners? The lack of measures taken to secure employee personal information brings home the fact that when it comes to securing our personal data, and anything we generate, i.e. our digital footprint, it is up to each of us individually to take control. It seems that we can’t trust anyone else…

But how is this possible? Well, take a look at Lequinox: they have turned the identity paradigm upside-down. See if you can get your head around this way of thinking. They are empowering the individual; each one of us is to take control over what belongs to us. You control (and legally own) your digital identity and your digital footprint, and every identity in the world controls its own identity. It is the Lequinox technology, with its cryptographic black box of magic, that makes this possible. If you understand this, you will see that in the future it is potentially you who is in control…

I’ve been digging around in my archives and found something that has sort of been lost. There is the traditional security triad of Confidentiality, Integrity, Availability (CIA), which was revised, at least 8 years ago, to the following. I found this on Bruce Schneier’s blog anyhow.

Authentication (who are you)
Authorization (what are you allowed to do)
Availability (is the data accessible)
Authenticity (is the data intact)

Admissibility was also added, because it was deemed that “this model is no longer sufficient because it does not include asserting the trustworthiness of the endpoint device from which a (remote) user will authenticate and subsequently access data. Network admission and endpoint control are needed to determine that the device is free of malware (esp. key loggers) before you even accept a keystroke from a user”.

I have been thinking a little. Keeping to 5 ‘A’s makes this harder to understand than it needs to be. If we look at these again: the first 2 are to do with the identifying party, the next 2 are to do with the data, and the final one is to do with the endpoint. The first 3 ‘A’s I feel comfortable with; the last 2 feel like a workaround to keep 5 ‘A’s… hey, the marketing guys would be happy with this 😉

I’ve changed Authenticity back to what it was originally in the CIA triad, Integrity, and the last one to Trust, as this is basically what it is all about: do you trust the endpoint device?

Authentication (who are you)
Authorization (what are you allowed to do)
Availability (is the data accessible)
Integrity (is the data intact)
Trust (is the endpoint trusted)

So that gives us AAAIT if we go from the identity to the endpoint, or TIAAA from the endpoint to the identity. Well, marketing wouldn’t like this at all, but I like it and I think it’s easy to remember 😀
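As an added example (my own illustration, not code from the post or from any of the products mentioned), here are the five AAAIT questions asked of one access request in Python, reporting every pillar the request fails rather than stopping at the first. The user, document, keyed integrity tag and endpoint posture statement are constructed sample data, and `attest` is a hypothetical stand-in for a real endpoint-posture or attestation service.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample state (not from the post): one user, one document, one shared server key.
SERVER_KEY = b"constructed-demo-key"   # keys both the integrity tags and the endpoint posture statements
SALT = b"constructed-salt"
USERS = {"alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, 100_000)}
ACL = {"script.docx": {"alice"}}                  # who may read which document
DOCS = {"script.docx": b"INT. OFFICE - NIGHT"}    # documents actually present on the server
TAGS = {name: hmac.new(SERVER_KEY, data, "sha256").digest() for name, data in DOCS.items()}

def attest(endpoint_id: str, malware_free: bool) -> bytes:
    """Hypothetical endpoint posture statement, keyed so the client cannot forge a 'clean' verdict."""
    return hmac.new(SERVER_KEY, f"{endpoint_id}:{int(malware_free)}".encode(), "sha256").digest()

@dataclass
class Request:
    user: str
    password: bytes
    doc: str
    endpoint_id: str
    malware_free: bool      # posture claimed by the endpoint agent
    attestation: bytes      # keyed statement backing that claim

def evaluate(req: Request) -> list[str]:
    """Ask the five AAAIT questions and return the names of the ones that fail (empty list means allow)."""
    failed = []
    # Authentication (who are you): verify the password against the stored PBKDF2 hash.
    digest = hashlib.pbkdf2_hmac("sha256", req.password, SALT, 100_000)
    if req.user not in USERS or not hmac.compare_digest(USERS[req.user], digest):
        failed.append("Authentication")
    # Authorization (what are you allowed to do): is the claimed identity on the document's ACL?
    if req.user not in ACL.get(req.doc, set()):
        failed.append("Authorization")
    # Availability (is the data accessible): does the document exist on the server at all?
    data = DOCS.get(req.doc)
    if data is None:
        failed.append("Availability")
    # Integrity (is the data intact): recompute the keyed tag and compare in constant time.
    elif not hmac.compare_digest(TAGS[req.doc], hmac.new(SERVER_KEY, data, "sha256").digest()):
        failed.append("Integrity")
    # Trust (is the endpoint trusted): the posture statement must be genuine and must say 'clean'.
    expected = attest(req.endpoint_id, req.malware_free)
    if not hmac.compare_digest(req.attestation, expected) or not req.malware_free:
        failed.append("Trust")
    return failed
```

A clean request from a clean endpoint returns an empty list; an endpoint that honestly reports malware, or one that presents a forged posture statement, fails only on Trust, which is exactly the case the admissibility argument above is about.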