Duncan hine input3_irm_and_outsourcing



  1. Information Security Risk Management: IT operation outsourcing, the Cloud and data aggregation
  2. Data aggregation
      • More data is collected, storage is ‘free’
      • Data sets are connected and correlated for many reasons
      • They are combined with open source data sets – credit referencing = identity exists
      • Data sets are shared internationally
      • There is a new focus on privacy; people are sensitive to this issue
      • Privacy sensitive information is valuable and can easily be sold if stolen
  3. Classification does not scale with the data set
      • Single records: unclassified or low classification, or privacy sensitive only
      • As the set grows 10, 100, 1,000, 10,000, 1m, 10m...... 100m something changes, but traditional classification did not change
      • It changes for two reasons:
          • damage caused by large data loss is clearly greater – resign, resign, resign......
          • acquisition of large data sets opens up opportunities for new insights with dangerous consequences
  4. Identity documents
      • Forgery and alteration does not work
      • Better to apply for a real one in a false identity
      • All identities checked on application for ‘social footprint’, so must take from a real person
      • May already be holder or past holder or known to agency – fraud will be detected
      • Need to know in advance; use two methods: with target cooperation and without
      • Access to large data sets reduces risks
  5. Data sets that help
      • Online genealogy and credit referencing
      • Electoral rolls
      • Travel data sets (if you travel you already have a passport)
      • Vulnerable adult data sets: addicts, long term carers
      • Lists of professionals with issues
      • All increase the chance of success and reduce the number of simultaneous applications that need to be made
  6. The old method
      • Standard method was to adopt the identity of a dead child born about the same time as the applicant, who would not have a passport
      • Duplicate birth certificate obtained (a legal right in UK)
      • Application will not work now as deaths checked, but for various reasons records not complete
  7. A current method
      • Monitor open source deaths in online local newspapers
      • Find a soldier who served abroad, 20–40 yrs older than target
      • Use online regimental histories to establish when served overseas and what countries
      • Aim to identify a country where soldier was around the time the applicant was born with weak record system
      • Forge a birth certificate for that country
      • Apply as the illegitimate child of the dead soldier – it was always kept a secret
  8. The Cloud
      • Using a cloud makes aggregation happen inherently
      • Cloud needs to be set up so penetration is limited in containers to manage risk
      • Encryption at rest looks like the answer, but it introduces many other problems
      • These include key management, escrow, and penetration of key provider – RSA issue a good example
      • It’s not just about accessing the data but also the ability to combine big data sets – WP is a good example
  9. Controls
      • Many controls will be traditional
      • Passport special control process was to cost Eu 10m
      • By taking two highly vetted people from a pool of 24 at random and using a four eyes process, the same or better protection was delivered at a fraction of the cost
      • To break this, you have to corrupt all 24 people
      • Basic training and awareness more important than ever
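The four eyes control on slide 9 can be expressed as a small piece of code, which also makes its strength against insider collusion explicit. The block below is an added example, not material from the presentation or from the passport process it describes: the pool size of 24 comes from the slide, while the officer names, the request type and the `Request`/`draw_pair`/`p_pair_compromised` names are assumptions made for illustration. A request is released only when both randomly drawn, distinct approvers have signed, and `p_pair_compromised` gives the chance that a random pair is entirely made up of corrupted insiders, which is zero with a single insider and only reaches one when the whole pool is corrupt.

```python
"""Four-eyes (dual control) approval with random selection from a vetted pool.

Added example, not code from the presentation. The pool size of 24 is taken
from the slide; everything else (names, request type) is constructed here.
"""
from __future__ import annotations

import secrets
from dataclasses import dataclass, field
from math import comb

POOL_SIZE = 24  # size of the vetted pool stated on the slide


@dataclass(frozen=True)
class Request:
    """A sensitive action awaiting sign-off from its two drawn approvers."""
    action: str
    approvers: tuple[str, str]          # the two people drawn for this request
    approvals: frozenset[str] = field(default_factory=frozenset)

    def approve(self, who: str) -> "Request":
        """Record a signature; only a person drawn for this request may sign."""
        if who not in self.approvers:
            raise PermissionError(f"{who} was not drawn for this request")
        # Immutable record: each approval yields a new object, so a signature
        # cannot be quietly removed or replaced later.
        return Request(self.action, self.approvers, self.approvals | {who})

    @property
    def authorised(self) -> bool:
        """Release only when both drawn approvers have signed (four eyes)."""
        return set(self.approvers) == set(self.approvals)


def draw_pair(pool: list[str], rng=None) -> tuple[str, str]:
    """Draw two distinct approvers uniformly at random from the vetted pool.

    Sampling without replacement guarantees the same person is never drawn
    twice, and an OS-backed RNG keeps the draw unpredictable to an insider.
    """
    if len(pool) < 2:
        raise ValueError("pool must contain at least two vetted people")
    rng = rng or secrets.SystemRandom()
    first, second = rng.sample(pool, 2)
    return (first, second)


def new_request(action: str, pool: list[str], rng=None) -> Request:
    """Open a request with a fresh random pair of approvers attached."""
    return Request(action, draw_pair(pool, rng))


def p_pair_compromised(corrupt: int, pool_size: int = POOL_SIZE) -> float:
    """Probability that both drawn approvers are among `corrupt` insiders.

    C(corrupt, 2) / C(pool_size, 2): one corrupt insider alone achieves
    nothing, and certainty is only reached when corrupt == pool_size, which
    is the slide's point that all 24 would have to be corrupted.
    """
    if not 0 <= corrupt <= pool_size:
        raise ValueError("corrupt must be between 0 and pool_size")
    return comb(corrupt, 2) / comb(pool_size, 2)


if __name__ == "__main__":
    officers = [f"officer{i:02d}" for i in range(POOL_SIZE)]   # constructed pool
    req = new_request("issue passport under special control", officers)
    a, b = req.approvers
    print(f"drawn: {a}, {b}; authorised before signing: {req.authorised}")
    print(f"authorised after both sign: {req.approve(a).approve(b).authorised}")
    for k in (1, 2, 12, 23, 24):
        print(f"{k:2d} corrupt of {POOL_SIZE}: P(pair compromised) = "
              f"{p_pair_compromised(k):.4f}")
```

The point a reviewer of such a process would check is the one the dataclass enforces: the approver pair is fixed at request creation, nobody outside the pair can sign, and the release test compares sets, so the same signature submitted twice never counts as two approvals.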
  10. Conclusions
      • Traditional approach to risk management is still valid for the cloud, but the threats and risks are different
      • Controls and mitigations are similar but applied differently
      • There is a good opportunity; the risks are greater if they are not well engineered, but they can be!
      • Risk management must be done properly by specialists and asset owners together