Dec. 15, 2015

Data security is as important as having a web presence.

Data security has been brought to the front pages over the last 18 months by high-profile failures in systems, protocols and usage alike. Despite advances in technology lowering the barrier to better security, the overall risk analysis of where security holes could be exploited is often understated.

One of the biggest hacks of the last 18 months was estimated to have cost TalkTalk over £35,000,000 in the combined costs of reacting and responding to the attack. Revenue is also expected to drop as confidence in TalkTalk falls following the announcement. What has not been widely publicised are the exact steps taken to rectify the insecurities, nor the means by which improvements have been made to prevent a repeat occurrence.

Security through obscurity

This phrase is well known in the infosec community and carries a largely negative connotation, because the thing being obscured is normally the key to the system. When obscurity is used as one layer of a system that already has controls in place, it quickly becomes a valid measure. Daniel Miessler published a good commentary on the right usage of obscurity, using an armoured tank as an example.

...given this highly effective armor, would the danger to the tank somehow increase if it were to be painted the same color as its surroundings?

The purpose of the armour is to protect the tank; the purpose of the camouflage is to ensure the armour is only called upon when it is absolutely needed.

For TalkTalk and other organisations holding large-scale customer data, the issue is compounded by the way in which much of this data is stored and accessed. Data models generally consider the known functional requirements of a system rather than the full implications of a system design. The equivalent would be to compare graphic designers with user-experience designers: what does the author intend the system to do, versus what can the system be made to do within the restrictions of the design?

Open data

Thinking about your data security challenges from this perspective is not necessarily solely a security concern, but can help ready your systems for the digital evolution in a more connected world. At an Open Data in Higher Education event (#OpenDataHE), run by the ODI, it became apparent that making data accessible in an open way also reduces the cost of integration with other systems.