July 13, 2016
Rethinking Cyber-Security: A New Paradigm for Democratizing Data Exchange
Liberated data connects people, informs decision-making, stimulates innovation, streamlines production, creates wealth and advances humanity. The upward trajectory of human accomplishment arises from ever-more sophisticated data exchange supporting ever-more complex win-win partnerships.
With the inevitability of water flowing downhill, data yearns to be free and available. Protecting data without stifling its productive potential has been a universal challenge throughout history. Societies that protect and liberate data prosper. Societies that protect and restrict data falter.
Perimeter-based network systems have proven inadequate. They’re cumbersome and vulnerable to attack. The list of hacked healthcare companies reads like a “who’s who” of payors and providers.
Healthcare cyber-security systems constrain information sharing and don’t deliver the protection and privacy demanded by patients and regulators. This represents a failure of imagination.
Health companies seek to secure information by locking it up when liberating data is essential to advancing medical care. The key is to “think different” and employ strategies that both protect and democratize data exchange.
Making Copies: What Data Is and Does
Software creates and manages digital information. Data geeks use the term digital objects to describe bundles of zeroes and ones that comprise digital information.
Digital objects are as real as letters on paper; however, they are microscopic and move at the speed of light. Like printed letters, digital objects carry data that conveys meaning (information) and/or instructions (software).
Printed words and streams of zeroes are different ways of encoding information.
Digital objects distribute and multiply through virtual copying. When people send e-mails, for example, recipients receive identical copies of those e-mails. Copies proliferate as e-mails distribute through cyber-space and “live” simultaneously on multiple computers.
Paraphrasing Rob Schneider’s “Making Copies” skit on Saturday Night Live, the increasing ease and speed of “making (and moving) copies” of digital information is the essence of the current information revolution. These copies flow to billions of inter-connected computers, mobile devices and cell phones.
Digital connectivity enhances productivity, but also makes data vulnerable to widespread cyber-attacks that compromise data control. The speed, density and ubiquity of digitized copies moving through cyberspace give cyber-criminals access to sensitive data in multiple locations.
Here’s a thought-provoking question: how many computers have copies of any given individual’s emails and shared files? The answer, of course, is far more than any of us could imagine.
Protecting a Leaky Perimeter: Inspectors; Firewalls; Pipes and Safes
Most cyber-security technologies have the look and feel of medieval castles where defenders employed high walls, moats, flame-throwers and boiling oil to ward off attackers. For the last twenty years, cyber-security has employed similar types of perimeter defenses to protect data. Here’s what they are:
- Inspectors: search digital objects for malicious instructions that copy and move data surreptitiously or deny owner access to data. They also inspect outbound data to prevent hackers from sending information they shouldn’t.
- Firewalls: create a perimeter around a universe of digital objects. Unfortunately, firewalls contain thousands of potentially-vulnerable openings (ports) to transmit and receive data.
- Pipes: encrypted barriers that surround digital objects in transit, but only while they are moving. The vast majority of your digital objects are not on the move at any point in time.
- Safes: use cryptographic containers to store data. Whole disk encryption and encrypted folders protect some digital objects when the computer is off, or the folder is closed. Like physical safes, they only protect things you are not using.
Unfortunately, inspectors, firewalls, pipes, and safes are “leaky.” They don’t control all data-copying. These traditional cyber-defenses do not deal effectively with malicious “insiders” and, more importantly, do not prevent copies flowing to non-controlled computers.
Resilient Cyber-Defenses: Absorbing Attacks Without Compromising Data Integrity
Paradigms shift. Simple, elegant concepts supplant calcified strategies that no longer work. The U.S. military reversed its fortunes during the second Iraq war by replacing large, centralized deployments with more numerous, much smaller and nimbler deployments that worked in concert with local residents. Together they defeated al Qaeda militants.
During the same war, the military dramatically cut battlefield deaths in half by standardizing triage procedures between field clinics, regional hospitals and major medical centers.
As Einstein observed, “the definition of insanity is repeatedly doing the same task in the same way and expecting different results.” The increasing levels, sophistication and effectiveness of cyber-attacks mean that perimeter-based defenses are not equipped to meet the dual goals of liberating and protecting data.
Inspectors, firewalls, pipes, and safes all provide perimeter security, but can’t completely control exposed digital objects. Computers create digital objects the same way they did thirty years ago – unprotected and vulnerable at conception.
To be fully effective, software engineers must embed protection and control mechanisms into the data itself – into the digital objects. Self-protecting data facilitates data mobility without relinquishing data control.
Software creates controlled digital objects in two steps:
- It encrypts each digital object with a distinct key that permits “reading” only by approved users.
- It adds “use controls” to the digital objects that constrain what legitimate users can do with the object (can/cannot forward, copy/paste, print, expires in x days, etc.).
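The two steps above, worked through in code. This is an added illustration, not code from the article or from any product it describes: each object gets its own fresh key, the use-control policy is authenticated together with the ciphertext so that a copy whose controls have been edited (say, an extended expiry) no longer opens, and the object key is handed only to the readers named in the policy. The `USER_KEYS` table, the function names and the sample patient record are all constructed for the example. The cipher is an encrypt-then-MAC construction built from HMAC-SHA256 so the block runs on the standard library alone; a production system would use a standard AEAD such as AES-GCM for the same role.

```python
import hashlib
import hmac
import json
import secrets

# Hypothetical long-term keys for three users (constructed for this example;
# in practice these would come from each user's credential or hardware token).
USER_KEYS = {
    "dr_alice": secrets.token_bytes(32),
    "nurse_bob": secrets.token_bytes(32),
    "mallory": secrets.token_bytes(32),   # not an approved reader of anything below
}


def _prf(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 as a PRF; each part is length-prefixed so parts cannot run together."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(4, "big"))
        h.update(p)
    return h.digest()


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode keystream from the PRF, XORed onto data (illustrative, not AES-GCM)."""
    stream = b"".join(_prf(key, b"enc", nonce, i.to_bytes(4, "big"))
                      for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))


def protect_object(plaintext: bytes, policy: dict) -> dict:
    """Step 1: a distinct key per object. Step 2: bind the use controls to the ciphertext."""
    object_key = secrets.token_bytes(32)
    enc_key = _prf(object_key, b"enc-subkey")
    mac_key = _prf(object_key, b"mac-subkey")
    nonce = secrets.token_bytes(16)
    policy_bytes = json.dumps(policy, sort_keys=True).encode()
    ciphertext = _keystream_xor(enc_key, nonce, plaintext)
    # The tag covers the policy, so altering any use control invalidates the object.
    tag = _prf(mac_key, b"tag", nonce, policy_bytes, ciphertext)
    # The object key is wrapped once per approved reader; nobody else receives it.
    wrapped = {
        user: bytes(a ^ b for a, b in zip(object_key, _prf(USER_KEYS[user], b"wrap", nonce)))
        for user in policy["readers"]
    }
    return {"nonce": nonce, "policy": policy_bytes, "ciphertext": ciphertext,
            "tag": tag, "wrapped_keys": wrapped}


def open_object(obj: dict, user: str, now: int) -> tuple[bytes, dict]:
    """Return (plaintext, authenticated policy) or raise PermissionError."""
    if user not in obj["wrapped_keys"]:
        raise PermissionError(f"{user} is not an approved reader")
    object_key = bytes(a ^ b for a, b in zip(
        obj["wrapped_keys"][user], _prf(USER_KEYS[user], b"wrap", obj["nonce"])))
    mac_key = _prf(object_key, b"mac-subkey")
    expected = _prf(mac_key, b"tag", obj["nonce"], obj["policy"], obj["ciphertext"])
    if not hmac.compare_digest(expected, obj["tag"]):
        raise PermissionError("object or its use controls were altered")
    policy = json.loads(obj["policy"])        # trusted only after the tag check
    if now > policy["expires_at"]:
        raise PermissionError("object has expired")
    enc_key = _prf(object_key, b"enc-subkey")
    return _keystream_xor(enc_key, obj["nonce"], obj["ciphertext"]), policy


def demo() -> dict:
    """Exercise the approved, unapproved, tampered and expired cases on a sample record."""
    record = b"Patient 4711: HbA1c 7.2%"     # constructed sample data
    policy = {"readers": ["dr_alice", "nurse_bob"], "forward": False,
              "print": True, "expires_at": 1_700_000_000}
    obj = protect_object(record, policy)
    now = 1_699_999_000

    def denied(fn):
        try:
            fn()
        except PermissionError:
            return True
        return False

    plaintext, pol = open_object(obj, "dr_alice", now)
    tampered = dict(obj)                      # a stolen copy with the expiry edited
    p = json.loads(obj["policy"])
    p["expires_at"] = 9_999_999_999
    tampered["policy"] = json.dumps(p, sort_keys=True).encode()
    return {
        "approved_reads": plaintext == record,
        "forward_allowed": pol["forward"],    # the UI enforces this from the authenticated policy
        "distinct_keys": protect_object(record, policy)["ciphertext"] != obj["ciphertext"],
        "unapproved_denied": denied(lambda: open_object(obj, "mallory", now)),
        "tamper_detected": denied(lambda: open_object(tampered, "dr_alice", now)),
        "expiry_enforced": denied(lambda: open_object(obj, "dr_alice", 1_700_000_001)),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

Note what the stolen-copy case shows: `mallory` holds a byte-for-byte copy of the object but no wrapped key, so the copy is useless to her, and `dr_alice` holding a copy whose controls were edited cannot open it either, because the tag no longer matches. Use controls like "cannot forward" are still enforced by the viewing software; what the object itself guarantees is that those controls cannot be silently changed.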
This flips the cyber-security equation around. Instead of defending all data, each data object defends itself. It’s efficient. It’s lower cost. It’s more effective.
Consider the new paradigm. Would stealing copies of the digital objects matter? No. Breaking encryption is difficult and individually encrypting each object exponentially increases the difficulty and cost of stealing information.
Would controlled digital objects be more difficult to share? Not at all. Sharing becomes easier when users avoid navigating through the multiple security barriers embedded within existing perimeter defenses.
Would controlled digital objects make software harder to use? No. The encryption complexities are invisible to end-users.
This is not a theoretical exercise. The Army funded the creation of digital object-level control to enhance battlefield communications systems. Control and simplicity are really, really important when the enemy is shooting at U.S. soldiers.
No More Excuses
In the same way that developing countries are applying cellular technology to avoid investment in land-based telecommunications infrastructure, health systems can bypass expensive and inconsistent perimeter cyber-defenses by encrypting individual data objects. This new approach is simple, elegant and effective.
Even more important than securing data, confident healthcare providers will share information without fear to advance medical diagnostics, treatment and research. The “friction” associated with lumpy perimeter defenses will evaporate. Liberated data will flow to its highest and best uses. Enlightened health companies will lead the way.