One of the things about security that I have always found puzzling is that security is seen as “us vs. them”.
Look around you: in most cases where you have to enter a password, code, PIN, etc., the security is mainly there to filter out the undesired.
But once you are inside, security is in most cases laxer toward insiders than toward outsiders, even though only an insider can really connect the pieces of information needed to cause damage.
It was a questionable assumption while organizations and technologies allowed a clear differentiation between “us” and “them”, but now that it is common to shift as much data and technology as possible to a third party, and to continuously switch roles, does it still make sense?
Between 2003 and 2005, I published an e-zine online (originally in Italian and English), and one of the issues was about considering outsourcing as a structural choice, not just a cost-control opportunity.
Have you moved your corporate data online and stopped running your own data center, or onto the smartphones of your staff, or even onto devices that store data locally to avoid back-and-forth over the network?
Those choices do not imply that you should let others access that information, or understand how you use it within your business.
In 2010 I said that I was going to re-develop a security framework that I had first shared online in the early 2000s, but which was actually based on something I had designed in the 1980s, building on my experience with PROLOG to develop mini expert systems and then, from the late 1980s, to develop and document Decision Support Systems.
In the 1990s, this extended to online and offline applications used to test keeping data confidential while relying on low-cost online hosting.
The idea: the way you structure and classify your information sometimes tells much more about how your organization makes decisions or processes information than you would like others to know.
Moreover, in some applications (KPIs, decision-making, etc.) your data design must evolve with your understanding, so the data might also need to expand or shrink, and the models change accordingly, transparently for both customers and those providing you with infrastructure.
The solution that I used: store the data online, but embed the design of the structure into the information itself, using encryption and XML, and use other methods to retain the ability to access the data with SQL.
Beware: the concept is what matters; its implementation should obviously adapt to the tools available in your environment, as the one I describe in these pages is the version released in the early 2000s.
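As an added illustration of the concept (not the author's early-2000s implementation, which is not shown here): a hosted SQLite store whose table and column names are opaque, with the XML descriptor of the real structure encrypted and stored beside the data, and a client-side rewrite that still lets you query it with SQL against the logical names. The keystream cipher is a stdlib stand-in for whatever encryption is used; a vetted AEAD would replace it. The key, schema, names and rows are all constructed for the example.

```python
import hashlib, hmac, os, re, sqlite3
import xml.etree.ElementTree as ET

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with an HMAC-SHA256 keystream: a stdlib stand-in for a vetted AEAD."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()

def open_sealed(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("schema descriptor altered or wrong key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

# Constructed logical schema: the real names (what the host must not learn) and their opaque stored names.
SCHEMA_XML = b"""<schema>
  <table name="kpi" store="t1"><col name="region" store="c1"/><col name="margin" store="c2"/></table>
</schema>"""

def build_store(key: bytes) -> sqlite3.Connection:
    """The hosted database: opaque table/column names plus the sealed descriptor stored beside them."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE meta (k TEXT PRIMARY KEY, blob BLOB)")
    conn.execute("INSERT INTO meta VALUES ('schema', ?)", (seal(key, SCHEMA_XML),))
    conn.execute("CREATE TABLE t1 (c1 TEXT, c2 REAL)")
    conn.executemany("INSERT INTO t1 VALUES (?, ?)",  # constructed sample rows
                     [("north", 0.5), ("south", 0.125), ("north", 0.25)])
    return conn

def load_mapping(key: bytes, conn: sqlite3.Connection) -> dict:
    """Decrypt the XML descriptor client-side and build the logical-name -> stored-name map."""
    blob = conn.execute("SELECT blob FROM meta WHERE k = 'schema'").fetchone()[0]
    root = ET.fromstring(open_sealed(key, blob))
    return {e.get("name"): e.get("store") for e in root.iter() if e.get("name")}

def rewrite(sql: str, mapping: dict) -> str:
    """Translate a query written against the logical schema into one over the opaque names."""
    pattern = r"\b(" + "|".join(map(re.escape, mapping)) + r")\b"
    return re.sub(pattern, lambda m: mapping[m.group(1)], sql)

def query(key: bytes, conn: sqlite3.Connection, logical_sql: str, params=()) -> list:
    return conn.execute(rewrite(logical_sql, load_mapping(key, conn)), params).fetchall()
```

Pass values as bound parameters rather than inline literals: the rewrite is a plain word substitution and would also rename a matching word inside a string literal.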
You can contact me on Linkedin.com