Currently, there exist “key privacy and data protection laws and regulations across nearly 100 different jurisdictions” globally.1 Compliance with these various statutes may be achieved using any of the many security standards and frameworks that prescribe effective security mechanisms. Yet, security breaches continue, despite multi-million dollar investments in people, processes, and technology. According to Identity Theft Resource Center’s 2016 Data Breach Report, at least 1,093 breaches occurred across various industries in the United States.2
Gaining and maintaining effective compliance is challenging for various reasons, among them, ad-hoc enterprise security programs; lack of highly skilled security professionals; “disruptive technology” that has significantly increased the number of end points; and competing—sometimes conflicting—regulations, standards, and compliance requirements. For instance, FedRAMP and MARS-E 2.0 are both based on NIST 800-53, however, FedRAMP drives implementing cloud security mechanisms but excludes 9 of the control families and their controls from NIST 800-53 Rev4. In contrast, MARS-E 2.0 includes all of the NIST 800-53 Rev4 control families because 8 of the families enable compliance to HIPAA’s data security directive. Furthermore, the HITRUST risk framework is inclusive of NIST 800-53 Rev4 and has additional prescribed implementation of security mechanisms for healthcare organizations. These are situational issues that challenge organizations to design and implement effective, interoperable, and continuously compliant controls.
Effectiveness of Controls
Currently, control, design, and the effectiveness of controls is derived from a single dimension: Is it there, turned on, and configured? Examining additional dimensions such as type, use case, and priority yields a true defense in depth posture:
- Type is defined as preventative, detective, or corrective
- Use case looks at individuals, for example: who you are (your assigned roles and duties), what you need access to, and how you will access it (the device you will use for access)
- Priority is defined as primary, secondary, or tertiary
Effective controls are those that are architected and engineered to address these additional dimensions. Meant to thwart compromise, preventative controls are preferred and are therefore usually considered a primary defense. Even better is when controls are blended—for example, preventative and detective—because the former will prevent exploitation, the latter will provide notification of attempted events. Firewalls, explicit firewall rules, anti-virus solutions, closed routes, and segregation and isolation techniques based on fine-grained access mechanisms are all examples of preventative information security controls. These controls prevent access to infrastructure, technology, and data.
Given that unauthorized access is the critical path of security compromise, one way to approach compliance assurance is to drive security from the perspective of “opportunities for access.”
Access Conduits into the Enterprise
Opportunities for access are conduits that give malicious attackers and unwitting insiders opportunities for compromise. Examples include zero-day exploits of software vulnerabilities, downstream partner breaches, configuration errors, and poor process management. You can identify these conduits by modeling the business using a pace-layering approach; that is, thorough analysis and modeling of your organization’s business model by conducting a series of information modeling activities. The figure below is a representation of a fictitious organization’s business model represented in the Business Model Canvas, an information modeling methodology introduced in the book Business Model Generation.3
The constructs of a business model canvas are rooted in scientific modeling, business modeling, and system information modeling—all driven by logic. The business model canvased is modeled using the following:
- Inputs (This is what we want to do)
- What are our goals and objectives? (Value Proposition)
- Who and where do we need to engage externally? (Key Partners)
- Who are the major internal stakeholders? (Key Resources)
- What are our ongoing expenditures? (Cost Structure)
- Who and what defines our target market? (Customer Segments)
- Activities (This is how we do it)
- How do we support our customers? (Customer Relationships)
- How do we reach our customers? (Channels)
- Outputs (These are the results)
- How is our Value Proposition quantified? (Key Activities)
- Outcomes (This is the value)
- What are the realized investments (Revenue Streams)
Scientific modeling is the rendering of an object’s interoperable components. In this context, an object can be a concept, process, product, or structure. First, modeling conceptualizes the object, enabling qualification of interoperable components and conduits. Next, contextual models quantify the components as an operational system.
Business modeling is the conceptual rendering of an organization’s operations; it is a framework that quantifies value proposition, customers, partners, high-level critical path organizational structure, activities, channels, relationships, cost structure, and revenue streams.
The Value of a Model
Why is this important to information security professionals? An organization’s business model provides you with the blueprint of the organization’s priorities so you can appropriately align your information security program. It’s the first glimpse of the product you must protect, the partners who may traverse your infrastructure, the customers whose data you must protect, along with the various internal stakeholders you must influence to be successful. Overall, however, it also provides a perspective of what type of access your infrastructure must support and how information may be extracted. The business model provides the foundation for rationalized information modeling as one models based on organizational directives.
Modeling from this perspective allows one to influence by introducing information security through organizationally driven models. Well-developed business models are built on a blend of logic that addresses who, what, why, where, when, and how much. Information Security strategies modeled from such a foundation possess the same inherent logic, thereby reducing logic errors or misalignment of information security strategies to organizational objective, goals, and outcomes. Information modeling at its core is a technique for rationalizing and contextualizing a foundational model into a master model for Information Security. The master model provides the impetus for the contextualizing of models that are introduced based on the organization’s situations and circumstances.
An aggregate of models gives birth to systems within systems, all of which quantify interoperable components based on characteristics, conduits, and influences of the business. The foundational business model serves as your check and, with your resulting information, models the resulting balance to maintain continuous alignment through systemic consciousness.
This series is about modeling the business to identify access threats, thereby enabling the application of rationalized multidimensional control to reduce compliance gaps and opportunistic compromise.
If you’re an Information Security leader, consider asking your business leaders (based on the organization’s business model) what they think security professionals should be securing?
If you’re part of the technical staff, based on the business model above, what would you recommend as protections to keep your company’s security and data private? What can you infer regarding regulatory mandates?
In part 2 we’ll look at creating a master model based on business model. The master model is our basis for realizing defense in depth through a multi-dimensional protection strategy.