Transcript of Duncan Hine, input3_irm_and_outsourcing
Information Security Risk Management
IT operations outsourcing
The Cloud and Data aggregation
More data is collected, and storage is ‘free’
Data sets are connected and correlated for many reasons
They are combined with open-source data sets; credit referencing, for example, confirms that an identity exists
Data sets are shared internationally
There is a new focus on privacy; people are sensitive to this issue
Privacy-sensitive information is valuable and can easily be sold if stolen
Single records are unclassified or of low classification, or privacy-sensitive only
As the set grows to 10, 100, 1,000, 10,000, 1m, 10m ... 100m records something changes, but the traditional classification does not change
It changes for two reasons: the damage caused by a large data loss is clearly greater (resign, resign, resign ...)
and the acquisition of large data sets opens up opportunities for new insights with dangerous consequences
Forgery and alteration do not work
It is better to apply for a real passport in a false identity
All identities are checked on application for a ‘social footprint’, so the identity must be taken from a real person
That person may already be a holder or past holder, or known to the agency, in which case the fraud will be detected
The fraudster needs to know this in advance; there are two methods:
with the target's cooperation and without it
Access to large data sets reduces the fraudster's risk:
Online genealogy and credit referencing
Electoral rolls
Travel data sets (if you travel you already have a passport)
Vulnerable adult data sets: addicts, long-term carers
Lists of professionals with issues
All increase the chance of success and reduce the number of simultaneous applications that need to be made
The standard method was to adopt the identity of a dead child born at about the same time as the applicant, who would never have held a passport
A duplicate birth certificate was obtained (a legal right in the UK)
This application will not work now, as deaths are checked, but for various reasons the records are not complete
Monitor open-source deaths in online local newspapers
Find a soldier who served abroad, 20 to 40 years older than the target
Use online regimental histories to establish when he served overseas and in which countries
Aim to identify a country with a weak record system where the soldier was stationed around the time the applicant was born
Forge a birth certificate for that country
Apply as the illegitimate child of the dead soldier; it was always kept a secret
Using a cloud makes aggregation happen inherently
The cloud needs to be set up so that a penetration is contained within compartments (‘containers’), to manage the risk
Encryption at rest looks like the answer, but it introduces many other problems
These include key management, escrow, and penetration of the key provider
The RSA breach is a good example
It's not just about accessing the data but also about the ability to combine big data sets
WP is a good example
Many controls will be traditional
The passport special control process was to cost €10m
By taking two highly vetted people at random from a pool of 24 and using a four-eyes process, the same or better protection was delivered at a fraction of the cost
To break this reliably an attacker would have to corrupt all 24 people; with fewer, a wholly corrupt pair is only ever drawn by chance
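The point of drawing the pair at random, rather than assigning a fixed two-person team, is that the attacker does not know in advance whom to corrupt. The following Python block is an added example and is not part of the original talk: it computes the probability that a randomly drawn pair from a vetted pool is entirely corrupt for a given number of corrupted insiders, compares this with a fixed two-person team, and cross-checks the figure by simulation. The pool size of 24 is taken from the slide; the corruption counts, the Monte Carlo seed and the function names are illustrative assumptions.

```python
"""Random pair selection from a vetted pool versus a fixed two-person team.

Models a four-eyes control in which two approvers are drawn at random from a
pool (24 on the slide) and shows how the chance that a transaction is approved
by two corrupt insiders grows with the number of corrupted pool members.
Corruption counts and the simulation seed are assumptions for illustration.
"""
from fractions import Fraction
from math import comb
import random


def p_corrupt_pair(pool_size: int, corrupted: int, team_size: int = 2) -> Fraction:
    """Probability that every member of a randomly drawn team is corrupt.

    Hypergeometric count: ways to choose the whole team from the corrupted
    subset, divided by all ways to draw a team from the pool.
    """
    if not 0 <= corrupted <= pool_size or team_size > pool_size:
        raise ValueError("inconsistent pool parameters")
    if corrupted < team_size:
        return Fraction(0)  # cannot fill the team with corrupt members
    return Fraction(comb(corrupted, team_size), comb(pool_size, team_size))


def p_fixed_team_corrupt(corrupted_in_team: int, team_size: int = 2) -> Fraction:
    """With a fixed team the attacker knows exactly whom to target:
    success is certain as soon as all team_size members are corrupt."""
    return Fraction(1) if corrupted_in_team >= team_size else Fraction(0)


def expected_attempts(pool_size: int, corrupted: int, team_size: int = 2):
    """Expected number of transactions an attacker must push through before
    one is, by chance, approved by an all-corrupt pair (mean of a geometric
    distribution, 1/p); None when it can never happen."""
    p = p_corrupt_pair(pool_size, corrupted, team_size)
    return None if p == 0 else 1 / p


def simulate(pool_size: int, corrupted: int, trials: int, seed: int = 1) -> float:
    """Monte Carlo cross-check of p_corrupt_pair using actual random draws."""
    rng = random.Random(seed)
    pool = list(range(pool_size))
    bad = set(range(corrupted))  # constructed: the first `corrupted` members are corrupt
    hits = sum(1 for _ in range(trials) if set(rng.sample(pool, 2)) <= bad)
    return hits / trials


if __name__ == "__main__":
    POOL = 24
    print(f"{'corrupted':>9} {'P(pair corrupt)':>16} {'expected attempts':>18}")
    for k in (0, 1, 2, 6, 12, 23, 24):
        p = p_corrupt_pair(POOL, k)
        e = expected_attempts(POOL, k)
        shown = "never" if e is None else f"{float(e):.1f}"
        print(f"{k:>9} {float(p):>16.4f} {shown:>18}")
    print("fixed team of 2, both corrupt:", float(p_fixed_team_corrupt(2)))
    print("simulated, 12 of 24 corrupt:", simulate(POOL, 12, 200_000))
```

Only when all 24 are corrupt does the probability reach 1; corrupting two people gives a 1-in-276 chance per transaction, whereas corrupting the two members of a fixed team defeats the control every time. The same calculation, with a larger team size, shows why raising the number of approvers drawn helps far less than widening the vetted pool.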
Basic training and awareness are more important than ever
The traditional approach to risk management is still valid for the cloud, but the threats and risks are different
Controls and mitigations are similar but are applied differently
There is a good opportunity; the risks are greater if the systems are not well engineered, but they can be!
Risk management must be done properly, by specialists and asset owners together