She has correctly put her finger on a huge, unmitigated threat surface of transactions that are transported inside the business and between business units using message queuing technology. Message queuing is a cornerstone of B2B commerce and in a highly interconnected system, there are lots of entry points all using similar or same technology – MQ Series or the TIB.

While organizations are busy optimizing their firewalls and load balancers, attackers can tap in, steal the data on the message bus and use it as a springboard to launch new attacks.  It is conceivable that well placed attacks on  message queues in an intermediary player (for example a payment clearing house) could result in the inability of the processor to clear transactions but also serve as an entry point into upstream and downstream systems.  A highly connected stem of networked message queues is a convenient and vulnerable entry point from which to launch attacks; these attacks can and do cascade.

If these attacks cascade, the entire financial system could crash.

Although most customers are still fixated on perimeter security, I believe that Maryellen has a powerful value proposition for message queuing customers in the supply chains of key industries that rely on message interchange: banking, credit cards, health care and energy.

Keeping the organization robust in a highly dynamic threat environment

Our capacity to predict will be confined to . . . general characteristics of the events to be expected and not include the capacity for predicting particular individual events. . .Yet the danger of which I want to warn is precisely the belief that in order to be accepted as scientific it is necessary to achive more. This way lies charlatanism and more. I confess that I prefer true but imperfect knowledge. . .to a pretence of exact knowledge that is likely to be false.

FRIEDRICH A. HAYEK

“The Pretence of Knoweldge,” Nobel Lecture

Modern information security models usually assume a pre-defined defensive structure of  networks, systems, procedures, defenders and attackers – the properties of which usually specified by vendors (i.e. defining the problem by the solution).

The problem with such models is that, in reducing the organization to passive executives of defense rules in their firewalls, they ignore the extreme ways in which attack patterns change over time. Any security policy that is presumed optimal today is likely to be obsolete tomorrow. So – learning about changes is at the heart of day-to-day security management.

I recently started reading “Imperfect Knowledge Economics” – an extremely well written book by Roman Frydman and David Goldberg, (Princeton University Press 2007).   Our best practice with clients these days is to work with them to make their business more robust to high impact data loss events as opposed to installing silver bullets to prevent events that cannot be predicted. The notion of IKE is very appealing to me for the security space, since both attackers and defenders are working from positions of imperfect understanding (most companies don’t even have the faintest idea of what data is leaking out of their network). So – here goes a first crack at what I would call IKS – imperfect knowledge security (with my apologies and appreciation to Frydman and Goldberg).

The goal of IKS (Imperfect Knowledge Security) is to help develop a more insightful approach to security management. Our approach – IKS, does not seek to explain exactly how attack patterns evolve over time. We reject current security models that relate defensive measures to precise attack patterns that have been pre-specified in security technology developed by a vendor.

IKS constructs models of aggregate outcome (value at risk, security plans, cost of security) by relating them to   behavior of 4 basic threat entities (assets, threats, vulnerabilities and countermeasures). This behavior is represented mathematically using the PTA (practical threat analysis) model. IKS enables the organization to explore ways in which attackers can decide to damage the organization – and formalize the attack scenarios with “qualitative” conditions. By design, IKS models do not predict sharp changes, but they do generate qualitative implications – for example an uptick in Gmail traffic will be indicative of an organization that is vulnerable to data loss of company documents of Gmail.

Sadly, current information security models based on pre-defined attack behavior have failed miserably to predict and mitigate damage to the organization. The models and the systems they implement are flawed because they disregard a key feature of security attacks – namely that both attackers and defenders have imperfect knowledge in making their decisions.

Recognizing that our knowledge is imperfect is key to solving this problem.

This is a very bad idea.

Business process mapping is an expensive task to execute and extremely difficult to maintain that can require large quantity of billable hours. That’s why companies like PwC, IBM, EY and KPMG love business process modeling The added value of modeling data flows inside your organization between people doing their job is arguable. There are much better ways to make your organization robust to a major data loss event without writing out a 7 digit check for professional services and a BPM system from Business Objects, Cognos, Kalido, Oracle, Hyperion, Applix, Pilot, SAS or SAP.

There is a simple and effective way of figuring out data value at risk and mitigating data security threats:

1. Select the 5 most valuable data assets that your company owns. For example – proprietary designs of products,  due diligence reports of a public company being acquired, and details of competitive contracts with large accounts.
2. Ask 5 finance, operations, IT, sales and engineering staffers – what is their biggest threat to their most important asset and how badly the threat can damage the asset – on a scale of 1 to 5. Call that “Damage”.
3. Ask them how often the threat materializes – once a month, once/year or once a decade. Call that “Probability of occurence”.
4. Quantify the asset value. Schedule 1 hour with your CFO and ask her how much each asset is worth in dollars. The dollar value of a digital, reputational, physical or operational asset to a business can be established fairly quickly by the CFO – in terms of replacement cost, or impact on sales and operations. Call that “Asset value”
5. Calculate your value at risk = Sum (Asset Value * Damage * Probability of occurrence)

More about bad ideas in 10 steps for protecting customer data

Compliance is like being at all the rehearsals with a sharp pencil and playing your part perfectly – but not showing up to the gig. Being inside a strategic inflection point of change is like waking up during your own murder.

Inside a strategic inflection point of change, the people inside the system are not sure  what is happening and have trouble putting an analysis and a possible solution to their malaise into words. We are seeing a continued rise of data security breaches perpetrated by trusted insiders, competitors and malicious outsiders despite billions being pumpted into compliance and security technology products from companies like McAfee and Symantec. I doubt that during this current recession – we will see many companies look for carpet-bombing technology solutions to their data security issues.

Is the security industry is approaching an SIP – strategic inflection point?

The first sign is a lack of clarity.

When bad things happen, the first response is to find a rational explanation or political excuse. When a PCI-compliant institution loses PII in a data breach – this is the sort of thing we hear:

1. Compliance doesn’t require DLP technology, we need a product from (Verdasys, Fidelis Security Systems, McAfee or Symantec), then we can prevent data breaches in the future, or -
2. Some of the systems that interface with our business partners and payment processors  are vulnerable to exploits (we were compliant but the other guys weren’t) or,
3. Our business process outsourcing vendor violated his non-disclosure agreement or,
4. At the time of our last PCI audit, we WERE compliant – but in the meantime, our marketing team installed a Microsoft Sharepoint application that was vulnerable to hackers,
5. Someone put some nasty spyware in our cash registers that were on the store WiFi network,
6. We’re working on encrypting all our credit card data and then it won’t happen again,
7. We’re upgrading our head office servers to Windows 2007, some of the Service Packs were not applied
8. We’re using an old version of Linux – Red Hat 4 – since our application vendor requires that version – we didn’t realize that Linux was vulnerable to Oracle database exploits

It seems to me that we are at / or approaching a strategic inflection point in the security industry. The compliance model is broken, data security vendors are adopting ERP style implementation models and pricing (pay me $1M for the software and another $1M for professional services for the implementation) but most of all there is a sense of confusion from reading the vendor collateral.  Read what IBM says on their “Data Governance” (Whatever that means) page:

What if you could pinpoint and secure all your critical data, and still have the freedom to collaborate past the perimeter and gain business intelligence to guide strategic initiatives? IT security plays a central role in protecting your data, assets, and ultimately, your brand.

IBM Data Security Services can help you cost-effectively identify and protect your organization’s critical data from internal and external threats. We help you integrate existing data assets and data security capabilities with new security management technologies. IBM’s streamlined approach supports collaboration across the enterprise while protecting data in transit or at rest.

Potential benefits include:

• Insights into your business intelligence that help set strategic direction
• Simplified protection of your valuable, business-critical and/or confidential data
• Controlled data access for collaboration and sharing
• Protection against corruption and interception with advanced encryption
• Reduced risk of regulatory noncompliance

What does BI insights have to do with preventing employees from stealing IP?

Who says protecting valuable company digital assets simple?

Why is controlled data access more effective for a company and its customers than totally open access?

What do they mean: “Protection against corruption and interception with advanced encryption”?? How is encryption going to prevent trusted employees and outsourcing workers from stealing data, accepting bribes or skimming transactions at the point of sale.

Why is regulatory non-compliance a risk?

The marketing messages are unclear to say the least – have the IBM Data security marketing people have cut and pasted marketing collateral from Fidelis Security Systems and a few other vendors and thrown in the word “simplified” a few times to make a statement that IBM can reduce the pain for customers??

As the senior player in the IT industry, IBM is like a senior manager in an organization at a SIP – he’s using 40,000′ strategic industry-speak instead of rolling up his sleeves and understanding what’s really going on and leading the rest of the soldiers out of the trenches.

I cannot say when we will hit the SIP or what will happen afterwards – but for sure something is happening.