Identifying the Value of Informational Assets Before You Move Them to the Cloud
Identifying and understanding high-value digital assets in the context of the business is critical in assessing what work-loads to move to the cloud. But doing so is difficult without an effective model to help define and classify these assets. This session presents a down-to-earth methodology for identifying assets and understanding their value that you can apply in critical business decisions.


After this session you will be able to:
Objective 1: Understand what to look for when identifying valuable information assets.
Objective 2: Identify critical steps in the process of identifying and understanding digital assets.
Objective 3: Apply asset value when deciding what digital assets to entrust to the cloud.

Published in: Technology, Business
Slide 1: Identifying the Value of Informational Assets Before You Move Them to the Cloud
Jason Rader, Chief Security Strategist, RSA, the Security Division of EMC
© Copyright 2013 EMC Corporation. All rights reserved.

Slide 2: Roadmap Information Disclaimer
• EMC makes no representation and undertakes no obligations with regard to product planning information, anticipated product characteristics, performance specifications, or anticipated release dates (collectively, “Roadmap Information”).
• Roadmap Information is provided by EMC as an accommodation to the recipient solely for purposes of discussion and without intending to be bound thereby.
• Roadmap information is EMC Restricted Confidential and is provided under the terms, conditions and restrictions defined in the EMC NonDisclosure Agreement in place with your organization.

Slide 3: How do we value information?

Slide 4: Bits vs Bits
• On one hand, we have bits of data
• On the other, we have MANY “bits” of money

Slide 5: What’s the Conversion Rate?
• 10 Bits = €10?
• 1 Gigabit = £1,000?
• 1 Byte = 2 bits?
• Where is this rate? How do I use it?
– Doesn’t exist!
– Too many factors affect it to map globally.

Slide 6: A Scholar’s Definition
• “Information value arises as the difference between a decision maker’s payoff in the absence of information relative to what can be obtained in its presence.”
• This works for theft, but what about copy?
– China/Mr. Pibb Problem
– Once copied, is it a race to the bottom?
Source: Banker, R. D., & Kauffman, R. J. (2004). The evolution of research on information systems: A fiftieth-year survey of the literature in Management Science. Vol. 50, pp. 281-298. INFORMS (Institute for Operations Research).

Slide 7: How do we classify info today?

Slide 8: Why is information classification broken?
• Typical classification systems are problematic
– Lack definition (what constitutes info of this kind?)
– And automation (teach systems to handle)
– Don’t address individual data value (is a vault required?)

Slide 9: Four Dumb* Classification Schemes
• Structuralist (Focusing on regulatory compliance)
• Realist (Stuff we care about, stuff we don’t)
• Broker (risk-based, three tiers, soft chewy middle)
• Striver (Everyone hates this guy, 3+ tiers, highly structured, opportunities for automation)
Source: Information Classification: An Essential Security Thing You're (Still) Not Doing, Trent Henry, Gartner

Slide 10: Opportunities for Attack
• Attackers and companies never value data the same. There are reasons for this:
– The data itself isn’t valuable without the knowledge/hardware to monetize it
– Secondary/unused business data is ignored
– Differing interpretation of value lifecycle

Slide 11: How do we identify these opportunities?
• The value of information to us (Vc) varies widely
• As does the payoff for an adversary (Pa)
• Where those differ, we have opportunity (O)
– This could also be described as inefficiency
• This opportunity can be expressed as: O = Vc - Pa

Slide 12: How do we identify these opportunities?
O = Vc - Pa
• Positive values of O suggest we know and understand the value, and attackers cannot monetize
• Negative values of O suggest we have high risk data that attackers want, but we devalue
• Small values of O indicate matched intent
• Large values of O indicate inefficiency

Slide 13: Examples of how this works:
O = Vc - Pa
• Credit Card Information, 30m HQ Numbers
– Low value to company, transactions settled
– HIGH payoff to adversary ($1/card = $30m)
– Hugely negative Opportunity value
• Manufacturing process for IP, control SC
– Payoff is low to adversary due to supply chain
– If high spend on security, could be reallocated to other areas.

Slide 14: The Value of Information Over Time
[Figure: Value (y-axis, rising to Max Value) plotted against Time (x-axis); the area under this curve = money for the information owner]
Information eventually becomes a liability

Slide 15: Events Occur, changes the curve
[Figure: the same Value vs. Time curve; at the point where the information is copied and a breach occurs, the curve changes]
The loot becomes divided among holders.

Slide 16: What’s interesting about these curves?
• This one is a sample, but somewhat representative
• Curve notes:
– Each ACTOR has their own curve
– Curves can be steeper or flatter
– Curves can converge/diverge with actor action
– Curves only represent value for the ACTOR (i.e., unrealized value may not be represented)
– Eventually, information becomes a liability
– Impending threat mirrors value curve
– Think about a zero day exploit on its own curve

Slide 17: Beginning to translate these curves
• Information’s value varies over time
– We need to consider malicious actors when planning information security defenses
– Blanket controls cause inefficiency
• When curves converge/diverge…
– Values can dramatically consolidate/divide
• Curves represent potential value to the actor
– Pent up value may exist without realization

Slide 18: We need a new model
• Minimum model requirements:
– Information grouped by value
▪ To ME
▪ To Competitor/Military
▪ Only if LOST
– Address information value over time
▪ Information changes in value over time
▪ Usually depreciating, some more rapidly than others
– Reflect # of actors and motivation
– Reflect change in motivation based on payoff
▪ Market forces can dramatically alter this
▪ Large data stores are more attractive than small ones

Slide 19: Moreover: The model needs to be simple
• No industry jargon
• No dictionary required
• Not dozens of pages

Slide 20: Simple, Yet flexible
• Must be able to adjust with value changes
• Must rely on accurate inputs
– Numbers of actors
– Projected payoffs with data theft
– Strength of perimeter defenses
– Number of business processes using the data
– Amount of data sprawl
– Account for amount of data as a change in payoff
• Must be able to affect security posture

Slide 21: How SHOULD we view the world?
[Figure: three overlapping sets of information types, labelled “Valuable to me”, “Valuable to Competitors or Military” and “Valuable if Lost”. Items placed on the diagram: Secret Sauce, Intellectual Property, Software Vuln DB, Corp Strategy, Crown Jewels, Easily Transferable IP, Actionable IP, Encryption Keys, COMPINT, Defense Information, Customer Analytics, IT Configs, Biz Processes, Derivative Data, Analytics for Sale, Medical Records, CC Data, PII/PHI Data, Unused Biz Data, Disinformation, Old Source Code, Old IP, Old/Retired Encryption Keys]

Slide 22: The Model
Columns: Value to You | Value to Comp. | Value if Lost | Examples | Number of Potential Actors | Breach Prob. | Biz Impact | ACTION
Row 1: Y | N | N | Customer Analytics, IT Configs, Business Processes | 1 | Low | A/I | Secured, but not vaulted
Row 2: Y | Y | N | Intellectual Property, Secret Sauce, Software Vuln DB, Corp Strategy | 50 | Med | C: Delayed Risk; A/I: Immediate | Protect (Vault)
Row 3: Y? | N | Y | Old Source Code, Old IP (where new IP is derived), Old encryption keys | 2.3B* | Med | C/I | C: Destroy; I: Secure Archive

Slide 23: The Model (part 2)
Columns: Value to You | Value to Comp. | Value if Lost | Examples | Number of Potential Actors | Breach Prob. | Biz Impact | ACTION
Row 1: Y | Y | Y | Proprietary Algorithms, Financial Results, Crown Jewels, Easily transferable IP | 1 | Low (High Impact) | C | Protect IP (Vault)
Row 2: Y | N | Y | Sec. Data Analytics (revenue), Medical Records, High roller customers | 50 | High | C | Secure Data; Protect (Vault)
Row 3: N | N | Y | Credit Card Numbers, PII/PHI, Unused Biz Data | 2.3B* | High (# Actors) | C | Outsource; Destroy; Obfuscate

Slide 24: The Relevance of Data Mass
[Figure: Payoff (y-axis) plotted against Amount of data (x-axis)]

Slide 25: Combating Risk from Data Growth
• Reduce data stores
– Truncation
– De-value options (tokens)
– DESTROY
• Reduce the effective size
– 1M records / 10 keys = 100K recs!
– Multiple algorithms

Slide 26: How to apply the model
• Look at the kinds of data your business controls
– Try to define what it is, then relate it to the model
– Be sure to find information NOT IN USE
– Understand flow and sprawl of data
– Look for large values of O
• Add values where you can
– Valuing information is personal
– Use your own data
– Don’t rely on external sources to define data value
• Remember CONFIDENCE factor!
• Take Action Per the Model!

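As an added example (not code from the deck or from RSA/EMC), the O = Vc - Pa scoring, the effective-size reduction from the data-growth slide and the ACTION column of the two model slides combined into one inventory scorer. The linear payoff-per-record model, the "matched intent" threshold and the inventory figures other than the deck's 30M cards at $1/card are assumptions.

```python
from dataclasses import dataclass

# ACTION column of the two "The Model" slides, keyed on the three flags
# (value to you, value to competitor, value if lost); "Y?" is the deck's own marker.
ACTIONS = {
    ("Y", "N", "N"): "Secured, but not vaulted",
    ("Y", "Y", "N"): "Protect (Vault)",
    ("Y?", "N", "Y"): "C: Destroy / I: Secure Archive",
    ("N", "N", "Y"): "Outsource / Destroy / Obfuscate",
    ("Y", "N", "Y"): "Secure Data / Protect (Vault)",
    ("Y", "Y", "Y"): "Protect IP (Vault)",
}

@dataclass
class DataStore:
    name: str
    records: int
    payoff_per_record: float  # what an adversary earns per stolen record (input to Pa)
    value_to_company: float   # Vc, in the same currency unit
    flags: tuple              # (value to you, value to competitor, value if lost)
    keys: int = 1             # separate encryption keys the store is split across

def effective_size(records: int, keys: int) -> int:
    """Records exposed by one compromised key: 1M records / 10 keys = 100K recs."""
    return records // max(keys, 1)
def adversary_payoff(store: DataStore) -> float:
    """Pa; assumed here (not stated by the deck) to scale linearly with effective size."""
    return effective_size(store.records, store.keys) * store.payoff_per_record
def opportunity(store: DataStore) -> float:
    """O = Vc - Pa."""
    return store.value_to_company - adversary_payoff(store)

def interpret(o: float, matched_band: float) -> str:
    """Reading of O per the deck; matched_band is an assumed threshold for 'small'."""
    if abs(o) <= matched_band:
        return "matched intent"
    return "inefficiency: over-protected" if o > 0 else "inefficiency: attackers want this, we devalue it"

def recommend(store: DataStore, matched_band: float = 100_000.0) -> dict:
    o = opportunity(store)
    return {"name": store.name, "O": o, "reading": interpret(o, matched_band),
            "action": ACTIONS.get(store.flags, "unclassified: set the three flags first")}

# Constructed inventory around the deck's credit-card example; the IP figures are made-up placeholders.
INVENTORY = [
    DataStore("Credit card numbers", 30_000_000, 1.0, 0.0, ("N", "N", "Y")),
    DataStore("Credit card numbers, split over 10 keys", 30_000_000, 1.0, 0.0, ("N", "N", "Y"), keys=10),
    DataStore("Manufacturing process IP", 1, 50_000.0, 5_000_000.0, ("Y", "Y", "N")),
]
```

Splitting the card store over ten keys cuts Pa from $30M to $3M per compromised key without changing the recommended action, which is the deck's point about reducing effective size.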
