Uncovering the Data Security Triad

Uncovering the Data Security Triad by Ellison Anne Williams:

Data Must be Protected as it Exists at All Points in the Processing Lifecycle
Data is often an organization’s largest and most valuable asset, making it a prime target for all types of adversaries, both criminal and nation-state.
Data isn’t merely “often” the most valuable asset. There was a time when physical, analog, off-line assets were the most valuable. That time is, in technology terms, long past.
Nearly every week a new data breach is announced, serving as a consistent reminder that data security matters. In the first half of 2018 alone, 944 breaches led to 3.3 billion data records being compromised. But what does true data security look like? Numerous solutions herald the necessity of and their ability to provide ‘end-to-end protection’ but when we break through the buzzwords, do we have a clear picture of what it means to secure data?
With attack vectors emerging from every possible angle and attackers becoming increasingly sophisticated, it has become clear that every part of data security matters — from secure data storage, transit, and processing to access control and effective key management. If one aspect is vulnerable, it undermines the effectiveness of the other security measures that have been put in place.
Sadly, “break through the buzzwords” does not apply to the next paragraph.
This multi-dimensional risk requires a holistic, data-centric approach to security, one focused on protecting the data itself at all points in its lifecycle rather than concentrating efforts only on its perimeter of surrounding networks, applications, or servers.
Breaking one link in a chain is not “multi-dimensional risk”. I agree with the idea (if not the language) of the rest of the paragraph.
Organizations must ensure data is secured at all times by:
1. Securing Data at Rest on the file system, database, or storage technology
2. Securing Data in Transit as it moves through the network
3. Securing Data in Use, while the data is being used or processed
There’s #4 – Data in Limbo, where it resides in system memory moving between the above states. Meltdown and Spectre demonstrated the vulnerability.
Together, these elements form the Data Security Triad, representing the trifecta of protection required to ensure data is secure throughout its entire lifecycle.
I argue data security is not a triad. It was a useful model once but is overly simplistic at best. How do cloud-based and as-a-Service fit in this triad? How do CDNs? What about all the pieces that have been outsourced to third parties?
At the core of this protection strategy is encryption. Encryption renders data useless to an attacker, making it unreadable and therefore removing its value. Thus, encryption is able to undermine the attackers’ purpose – stealing assets of value – and makes the target infinitely less appealing.
Encryption is important, but the integrity of the data (preventing the injection of false data or casting doubt on its validity) and assurance of delivery (preventing the rerouting, delay, or inability to reach the intended destination) are just as important.
Also, just because something is encrypted doesn’t mean it is encrypted well or will be in the future.
Experience tells us that if there is data of value at stake, attackers will find a way to find and reach it – we can’t just lock the front door; every point of entry needs to be protected. Consequently, limiting encryption to only a portion of the Data Security Triad is a dangerous oversight.
Only discussing data in terms of encryption is also a dangerous oversight. In addition to integrity and assurance, access is important (admins, users, processes, applications, &c.), privacy is important, and availability is important.

We know attackers are evolving and our security practices must evolve as well. Protection schemes must recognize and secure data as it exists at all points in the processing lifecycle, whether at rest, in transit, or in use.
I appreciate the intent of this piece. Encryption, if implemented well, is a valuable tool. However, encryption isn’t a magic bullet for security. And encryption can give a false sense of security if done in isolation or done poorly.
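The point made above, that encryption alone says nothing about the integrity of the data, can be shown in a few lines. This is an added example, not code from this post or from the article it quotes. It assumes a stand-in stream cipher built from HMAC-SHA256 (standard library only) and a constructed sample record; all function names are hypothetical.

```python
import hashlib
import hmac
import os

def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Stand-in stream cipher (assumption): HMAC-SHA256 as a PRF over a counter.
    blocks = (hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_only(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Confidentiality only; XOR is its own inverse, so this also decrypts.
    return xor_bytes(data, keystream(key, nonce, len(data)))

def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC: the tag covers both the nonce and the ciphertext.
    nonce = os.urandom(16)
    ct = encrypt_only(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_sealed(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    if len(blob) < 48:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("integrity check failed")
    return encrypt_only(enc_key, nonce, ct)

def alter_in_transit(blob: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    # Models a change to stored or transmitted bytes made without any key.
    delta = xor_bytes(old, new)
    end = offset + len(delta)
    return blob[:offset] + xor_bytes(blob[offset:end], delta) + blob[end:]

if __name__ == "__main__":
    ek, mk, nonce = os.urandom(32), os.urandom(32), os.urandom(16)
    record = b"amount=0100;to=alice"  # constructed sample record
    ct = alter_in_transit(encrypt_only(ek, nonce, record), 7, b"0100", b"9100")
    print("encrypt-only accepts:", encrypt_only(ek, nonce, ct))
    try:
        open_sealed(ek, mk, alter_in_transit(seal(ek, mk, record), 23, b"0100", b"9100"))
    except ValueError as err:
        print("encrypt-then-MAC rejects:", err)
```

In practice a vetted AEAD mode such as AES-GCM or ChaCha20-Poly1305 provides the same check; the hand-built construction here only keeps the example dependency-free.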