Information and security – the basics haven’t changed

We still use the term Information Technology, or just IT, but what is more complex – managing information or managing technology?  In my estimation, technology is now just a commodity, and managing “Technology” is not rocket science. Information, or more directly managing, securing, and controlling Information, is becoming increasingly more complex.

Going back before the computer age, enterprises operated without much automated technology, but they did use information. Getting back to basics, there have always been business processes, and every business process is in some way tied to information. Business, or the enterprise, has always been, in the simplest of terms, tied to business processes that drive services provided to clients, employees, and other stakeholders. No matter how you look at it, every business process is tied to information in one way or another.

The banking industry is a great example to look at processes and information, plus there are some very familiar themes. The “what” part of business (banking) processes has been fairly constant, but the “how” has changed.

I know an individual who worked at the Toronto Dominion Bank from 1949 to 1989, and during those years the “what” part of banking didn’t see much change. What were standard business processes in 1949 were still standard business processes in 1989. However, during those 40 years the way those business processes were managed saw a revolution. Over his years banking processes essentially remained the same, but “how” they did things changed many times. The other reason to use banking as an example is that security practices can also be examined. Just as today, Confidentiality, (data) Integrity, and Availability are a part of banking. Financial information is privileged information, and the CIA triad was the same in 1949 as it is today.

In 1949, a bank was a single entity, and all client information was held at the branch level. It really was a standalone operation. Client files, ledgers and accounting data were all recorded on paper, and that data (information) was stored in the vault.

As an example, when Jane Doe went into the bank to make a deposit the teller retrieved her ledger (file) from the vault, recorded the updated information, and the ledger was returned to the vault after the deposit was recorded. The business process was recording a deposit, and it was directly linked with information about the deposit and the client. If the teller was unable to retrieve Jane Doe’s information, the business process could not be completed. Information, and access to information, is and was needed for employees to do their jobs, and to provide services to clients.

Humans make mistakes, so a security control was needed. In the days before computers, audits provided detective and access controls.

The bank vault was in itself a technology. There were several controls that applied to the vault. One restriction was time: the vault could only be unlocked during a specific window of time, so I would call that a technical control. The combination lock on the vault was such that it could not be unlocked by a single individual. No one person knew the combination (split custody), and as vaults were upgraded, they also recorded when the combinations were entered, when the door was opened, and when the door was closed. That sounds a lot like logging, and it was clearly a detective control.

Just as today, “Availability” was a matter of great importance.  In a small rural branch, while not a common occurrence, there were days where a key person was unavailable.  When that happened, the vault could not be opened, and as such, the branch could not serve its clients.
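The vault controls described above (the time lock, split custody of the combination, and logging of every door event) together with the availability failure that follows when one custodian is absent, expressed as code. This is an added example, not code from the original post; the custodian names, their shares and the 09:00 to 17:00 window are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample data (not from the post): each custodian holds half of
# the combination, so no single person can open the vault (split custody).
CUSTODIAN_SHARES = {"alice": "31-17", "bob": "42-08"}
# Time lock: the vault may only be unlocked between 09:00 and 17:00.
OPEN_WINDOW = (9, 17)


@dataclass
class Vault:
    is_open: bool = False
    audit_log: list = field(default_factory=list)

    def _record(self, event, actors, when):
        # Detective control: every attempt, granted or denied, is written down,
        # just as the upgraded vaults logged combination entry and door events.
        self.audit_log.append({"time": when.isoformat(), "event": event, "actors": actors})

    def open(self, shares, when_iso):
        """shares maps custodian name -> the share that person entered.
        Returns True if the vault opened, False if a control denied it."""
        when = datetime.fromisoformat(when_iso)
        actors = ",".join(sorted(shares))
        # Technical control: the time lock refuses any attempt outside the window.
        if not (OPEN_WINDOW[0] <= when.hour < OPEN_WINDOW[1]):
            self._record("denied_time_lock", actors, when)
            return False
        # Split custody: two distinct custodians must be present. With only one
        # (the key-person-unavailable day) the door stays shut: an availability failure.
        if len(shares) < 2:
            self._record("denied_single_custodian", actors, when)
            return False
        # Each presented share must match the share issued to that custodian.
        if any(CUSTODIAN_SHARES.get(name) != share for name, share in shares.items()):
            self._record("denied_bad_share", actors, when)
            return False
        self.is_open = True
        self._record("opened", actors, when)
        return True

    def close(self, actor, when_iso):
        self.is_open = False
        self._record("closed", actor, datetime.fromisoformat(when_iso))


def denied_events(vault):
    """The auditor's view: every denied attempt, kept for later review."""
    return [e for e in vault.audit_log if e["event"].startswith("denied")]
```

The denied attempts are exactly the entries an auditor would walk through after the fact, which is the detective half of the control; the preventive half is the two refusals before any share is even checked.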

Having the information stored locally pretty much restricted the client to his or her own branch. Consider this scenario. Jane Doe banked in Smalltown, but found herself going to Edmonton, and she needed to get some cash. The branch in Edmonton would need to phone her local branch in Smalltown, get a balance, dispense the cash, and then Smalltown would update Jane Doe’s ledger accordingly. This introduced the potential for human error, so again auditing was the process control.

Banks of course also provided much more than just depositing and withdrawing money. They also offered loans and other investments. Before computers, again, paper held the critical information.

In the banking industry everything ultimately is tied to information about the individual, and information about their financial assets.

I don’t know anything about banking, but I know a bit about information security. After spending a few hours talking with the banker, we both came to realize that he knew a lot more about information security than he thought. It really came down to language. He just thought in terms of process and policy. The semantic construct of “Information Security Management” didn’t exist in years past. We were speaking about the exact same things, but we used different words.

So let’s take a look at some of the security issues that needed to be addressed.

Confidentiality makes for a good start. Employees were responsible for following policies and procedures ensuring confidentiality, and the branch manager was accountable for enforcing those policies and procedures. Just as today, confidentiality was at risk because not everyone follows the rules, and it is impossible to monitor every employee.

Consider this example. A large loan application for Big Farm Corp may be a task that involves input from multiple employees. While there may be a formal procedure for checking documents in and out of a file, Employee Fred needs just some background information, so he pulls the document, makes a photocopy, and then brings it back to his desk.  Fred decides to go home early so he puts the copy in his briefcase and heads home. That was yesterday’s version of a USB key.

Fred might lose his briefcase, and the information has been compromised.

Fred has other bad habits too. Sometimes he may take the whole file without checking it out of the vault, and it ends up in a pile on his desk. Weeks or months may go by, and he forgets the whole matter.  Two months later Alice needs the file, and it is missing from the vault.  Fred doesn’t remember, and no one else has a clue either.  Once again Confidentiality is compromised, Availability is compromised, and possibly (data) Integrity.

Alice can’t find Big Farm Corp’s file so she creates a new file. Hopefully there is enough information that she can recreate everything, but Murphy’s Law says it won’t be an exact copy of the original. Once that happens, (data) Integrity has been compromised.

Problems can always get worse. Weeks pass, and Fred is asked to add some information to Big Farm Corp’s file. The pile on his desk has been shuffled around, and he finds the original file.  He doesn’t remember Alice looking for the file, and he is blissfully unaware that Alice has recreated the missing file, and that she has added information to that file. Fred adds the information to the file on his desk, and since he didn’t check it out in the first place, he simply returns it to the vault.

A few months may pass, and the auditors show up.  They start going through documents, and when they get to Big Farm Corp’s folder, they find two files. Now which one contains the accurate information?  In this case, (data) Integrity has been completely compromised.

Information Management and Security followed the same principles of Confidentiality, (data) Integrity, and Availability. The three have to be balanced.

Now in 1949, or even 1959, a small rural branch may have had 200, 400, or 600 clients. The bigger the branch the bigger the headache, but human effort resolved the issue and Confidentiality, (data) Integrity, and Availability were ultimately brought back into balance.

At some point in time, the number of active client accounts will exceed the capacity of human efforts.  The technology called “pen, paper, and structured filing system” was eventually replaced by computers. The “How” evolved and changed, but the security risks, and core processes remained largely unchanged.

Here is the core issue.  The more Information you have, the more complex it is to manage. Ten years ago storage was constrained by cost. Today it is quite feasible to store unlimited amounts of information, for indefinite periods of time. If we struggled to manage and secure gigabytes of information, how much more difficult will it be to manage and secure petabytes of information?

It gets even more complex. Just about every business has some sort of loyalty program, and it is used to collect more information. This is the basis of Business Intelligence, and it is leading to an information-centric enterprise.

We still have the basics of Confidentiality, (data) Integrity, and Availability. However we must now consider other questions. How much information is too much?  What are the ethical limits of using information that has been collected?  What are the privacy concerns? How do clients/individuals control their own information?  What rules have to be followed allowing clients/individuals access to their information?  The list just goes on.

The basics of Information, and Information Management Security, really haven’t changed, but the complexities have. Back to the beginning: Technology isn’t rocket science, and it is manageable. Information, on the other hand, is now the bigger challenge. The amount of Information gathered daily within organizations is staggering, and the rate at which that Information is gathered is also increasing daily. We can no longer just be IT Professionals. We have passed the point where we must be Information Management Professionals first, and Technology Professionals second.
