As IT security professionals, we think we have serious security challenges, but spare a thought for those tasked with safeguarding the world’s most powerful politician. Barack Obama was assigned a Secret Service detail 18 months before Election Day, earlier than any other presidential candidate in American history. Protecting Obama has presented the Secret Service with some of the greatest challenges in its history, and whilst we’re sobered by reading about data breaches, the Secret Service have the cautionary tales of Abraham Lincoln, James Garfield, William McKinley and JFK to keep them focused on their job.
Now, if the Secret Service approached their job as many organisations do their IT security (i.e. by locking down their information assets behind firewalls), they’d simply secure the White House. Doors locked, snipers trained on entrances, protecting everyone in the building to the same level, from the cleaners to the President. We call this the Fortress approach and it’s pretty obvious why this wouldn’t be an adequate security strategy. The problem is that, just like your data, you only get full value from your President when you allow him to move around and interact with allies and citizens alike.
The Secret Service has an almost unlimited budget so they can afford to be overzealous, with precautions ranging from a Doomsday Plane that can withstand nuclear attack to coconuts being removed from the trees in India before Obama’s visit. The unifying factor is that all these precautions travel with the President. As the vital asset, he, and those key personnel around him, are afforded the tightest (and most expensive) security and it goes where he goes – it doesn’t stop or lessen if he leaves the building. It also doesn’t apply at the same level to everyone who works in the White House – sure, the cleaners are vetted, but they’re not being flown to and from work in the Doomsday Plane because they don’t need to be and it would be prohibitively expensive.
What we learn from Obama’s security detail is that you only need to give VIP protection to your VIP data or information assets and that that protection should travel with your data throughout its journey in order to remain effective.
So as you don’t have an unlimited budget, you need to classify your data to ensure that you control the dissemination of and access to that data appropriately. Retreating from the world behind some sort of Iron Curtain type of firewall is not good for your economy.