Many of us in the cybersecurity world have followed this general mantra: protect the data, protect the data, protect the data. It’s a good mantra to follow, and ultimately that is what we are all trying to do.

But there are different ways to protect data. The obvious method is to make sure it doesn’t get ripped off, but as we have noted in previous pieces, the lexicon we use can be troublesome at times. This is particularly true when there is room for cultural interpretation (that’s one of the reasons why curbing international cybercrime is real hard).


That lexicon problem extends into many different areas, including what “protecting” the data means. “Protecting” data goes well beyond making sure it doesn’t get stolen. It means the data isn’t tampered with and is still usable, as it was originally intended to be used. That data can be financial statements, design schematics, or RFP bids.

Here’s the key that makes the world go around and around: confidence. If counterfeit data starts to circulate widely, our confidence in the data begins to diminish. Therefore, it’s just a matter of time before I start asking: do I really trust this financial statement, design schematic – whatever really – to be legitimate? If I don’t, I got a problem. And if I no longer want to accept the data you’re giving me as legitimate, you got a problem, too.

If you're well-versed in the information security world, you've heard of the CIA triad (sometimes known as the AIC triad to avoid confusion), consisting of Confidentiality, Integrity and Availability. Of those three elements, we are relatively confident that a lot of time is being spent on confidentiality and availability. It is integrity that we feel will be the silent killer, especially over time.

Some bad people ...