http://blogs.technet.com/steriley/archive/2007/07/02/protect-your-data-everything-else-is-just-plumbing.aspxTake a few moments and indulge in a thought exercise with me. Consider your company’s complete collection of information processing assets—all the computers, the networks they’re connected to, the applications you use, and the data and information youen-USCommunityServer 2.1 SP1 (Build: 61025.2)http://blogs.technet.com/steriley/archive/2007/07/02/protect-your-data-everything-else-is-just-plumbing.aspx#1427245Tue, 03 Jul 2007 09:00:45 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:1427245JJ<p>Good posting. I have tried to demonstrate this since year 2000 by using a slide listing fw, routers, etc and asking what is most important entity to protect, and then animated cross over everything and telling that it is information/data and requirements from there sets requirement for others.</p> <p>Another issue is; will there be protection mechanisms on operating system level which put more into securing data rather than operating system? e.g Ten Immutable Laws is outdated. It solely focus on exploits, overwrite, incidents and e.g does not take into account that when attacker gets in, then the protection should still prevent attacker to access the data. </p> http://blogs.technet.com/steriley/archive/2007/07/02/protect-your-data-everything-else-is-just-plumbing.aspx#1430235Tue, 03 Jul 2007 19:25:12 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:1430235chris<p>Steve,</p> <p>Great post I couldn't agree with you more. Our company is currently moving through that transition of Focusing on the network to focusing on the data. But I have to disagree with the previous comment. The Ten Immutable Laws of security are not outdated and will not be outdated because they are based on the basic principles that are time tested and proven. How and where you apply them is changing.</p> http://blogs.technet.com/steriley/archive/2007/07/02/protect-your-data-everything-else-is-just-plumbing.aspx#1430553Tue, 03 Jul 2007 20:21:30 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:1430553Kevin Rowney<p>Very true, this change is now underway. &nbsp;Standard textbook training in security doesn't really address these concerns, but the primary threat models security teams *should* be worrying about are now in flux. &nbsp;It really is all about the data.</p> <p>I'm surprised you chose DRM and full-disk encryption as the two primary technologies to profile though. &nbsp;If it's about the data, shouldn't you also talk about content-aware security technologies that discover the flow of that data (i.e. Data Loss Prevention), govern access to that data (i.e. Data Governance Software), or help classify the data (i.e. Information Classification Systems.)</p> <p>These content aware approaches appear to be (at least to me) at the forefront of this data-centric security model.</p> http://blogs.technet.com/steriley/archive/2007/07/02/protect-your-data-everything-else-is-just-plumbing.aspx#1435263Wed, 04 Jul 2007 08:42:29 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:1435263Adam<p>Loved the article! &nbsp;You're spot-on in saying that the data is what we need to focus on protecting. &nbsp;Even the terminology we use puts too much focus on protecting the &quot;network&quot; and I think this distracts so many people working in the field of IT into focusing on the physical bits and pieces rather than the data.</p> http://blogs.technet.com/steriley/archive/2007/07/02/protect-your-data-everything-else-is-just-plumbing.aspx#1439923Wed, 04 Jul 2007 19:50:24 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:1439923Tales from the Crypto<p>Steve Riley posts on a topic he discussed at Tech-Ed - protecting the data, because everything else is</p> http://blogs.technet.com/steriley/archive/2007/07/02/protect-your-data-everything-else-is-just-plumbing.aspx#1496576Tue, 10 Jul 2007 23:09:48 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:1496576John<p>Yes, the data (read information) is probably your prime asset. But in addition to confidentiality and integrity (addressed in this article) it is important that the data are available where you need it when you need it. Hence, you need a secure network as well.</p> <p>Also, for defence in depth, i would move some of the defence mechanisms away from the client (which you can't really control) to a device physically separated from the user. For instance, traffic filtering performed by a network firewall.</p> http://blogs.technet.com/steriley/archive/2007/07/02/protect-your-data-everything-else-is-just-plumbing.aspx#1629589Fri, 27 Jul 2007 22:43:21 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:1629589Karl Levinson<p>Steve is right that too often backups and encryption are forgotten. &nbsp;And it's true that the FILES on the computer that aren't data are plumbing. &nbsp;</p> <p>But the other part of the plumbing, e.g. the free disk space and network bandwidth that can be used to sell DoS zombie attacks, spam relays and pubstro FTP servers, are I think still attacked as much as the user data is. &nbsp;</p> <p>Also, drive encryption and backups only protect the data at rest. &nbsp;I understand that recent attacks have monitored running processes and/or memory to glean useful user data being sent out through Internet Explorer. &nbsp;So I hope it's clear to all the readers that Steve isn't advocating that they can start spending less time on the other traditional countermeasures.</p>