Atomisation: the crown jewels of the ideal cyber security model

Our approach to security has served us well for hundreds, if not thousands, of years... but can it survive the Age of Big Data?

Simon Hall, Senior Manager, KPMG in the UK

Keeping your diamond and sapphire tiara in a bank vault may be a great way to reduce the security risk but it does create a bit of an availability issue.

The same is true of Information Security. There is an inevitable tension between security and accessibility; measures aimed at protecting data from unauthorised access invariably make life harder for legitimate users.

Conquering the availability issue

Therefore, instead of focusing solely on making information difficult to steal, information security also employs measures that make it difficult to use, by turning it into something that has little or no value to the thief. It achieves this by using techniques such as encryption, tokenisation, anonymisation or pseudonymisation.

To return to the jewellery metaphor, it creates a paste copy of the necklace, thereby giving the owner the benefit of access to a beautiful piece of jewellery with 100 percent availability, while creating a situation in which a theft will result in little loss to the owner and little benefit to the thief: an ideal solution that has worked effectively for hundreds, if not thousands, of years.

The principle of atomisation

My view, however, is that this approach to information security has a limited lifespan. Rapidly increasing processing capabilities and the exploding volumes of publicly available ‘Big Data’ make the ‘re-identification’ of so-called “anonymised” and “pseudonymised” data increasingly probable. Meanwhile, the rapid increase in processing speed and capacity, and the ever-present risk of theft or prediction of passwords, which are increasingly ‘recycled’ by their harassed owners, will eventually overwhelm encryption-based security measures.
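The risk this paragraph describes, that records stripped of names can still be singled out through the attributes left behind, can be measured before a dataset is released. The Python sketch below is an added example, not part of the original article; the records, the field names and the choice of k-anonymity as the metric are assumptions made for illustration.

```python
from collections import Counter

# Constructed sample: a "pseudonymised" extract. Names are replaced by tokens,
# but postcode, birth year and sex remain, and the same attributes appear in
# publicly available datasets that can be linked back to named people.
RECORDS = [
    {"token": "t01", "postcode": "LS1 4AP", "birth_year": 1961, "sex": "F", "diagnosis": "asthma"},
    {"token": "t02", "postcode": "LS1 4BX", "birth_year": 1964, "sex": "F", "diagnosis": "diabetes"},
    {"token": "t03", "postcode": "LS1 2TW", "birth_year": 1968, "sex": "F", "diagnosis": "asthma"},
    {"token": "t04", "postcode": "M4 1HQ", "birth_year": 1982, "sex": "M", "diagnosis": "hypertension"},
    {"token": "t05", "postcode": "M4 5JD", "birth_year": 1985, "sex": "M", "diagnosis": "asthma"},
    {"token": "t06", "postcode": "M4 1HQ", "birth_year": 1989, "sex": "M", "diagnosis": "diabetes"},
]
QUASI_IDS = ("postcode", "birth_year", "sex")  # assumed quasi-identifiers


def _key(record, quasi_ids):
    return tuple(record[q] for q in quasi_ids)


def k_anonymity(records, quasi_ids=QUASI_IDS):
    """Size of the smallest group sharing one quasi-identifier combination."""
    classes = Counter(_key(r, quasi_ids) for r in records)
    return min(classes.values(), default=0)


def at_risk(records, k, quasi_ids=QUASI_IDS):
    """Tokens of records whose combination is shared by fewer than k records."""
    classes = Counter(_key(r, quasi_ids) for r in records)
    return [r["token"] for r in records if classes[_key(r, quasi_ids)] < k]


def generalise(record):
    """Coarsen quasi-identifiers: outward postcode only, birth year to decade."""
    out = dict(record)
    out["postcode"] = record["postcode"].split()[0]
    out["birth_year"] = record["birth_year"] // 10 * 10
    return out


if __name__ == "__main__":
    coarse = [generalise(r) for r in RECORDS]
    print("raw k =", k_anonymity(RECORDS), "at risk:", at_risk(RECORDS, 2))
    print("generalised k =", k_anonymity(coarse), "at risk:", at_risk(coarse, 2))
```

In the raw extract every record is unique on its quasi-identifiers despite the tokenised names; coarsening postcode and birth year places each record in a group of three, at the cost of less precise data.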

I would therefore suggest that the most important component of a cyber security model for the future is to find a new approach, and I propose that we start with the principle of ‘atomisation’ – both of the data itself and of the security solution.

Unlocking the DNA behind your data

But what if we remove ‘access’ from the equation? What if the data itself could ‘do’ things without the need for it to be accessed? What if, before being put into a data pool, each item of data could be programmed to perform only certain specific functions, to behave in pre-determined ways, to fall asleep and wake up only when duty called, and even to die when its useful lifespan had passed?

What if each item of data, like an organic cell, had DNA – a string of instructions or genes that gave it specific abilities but also placed a limit on those abilities – that enabled it to live in a certain atmosphere but perish in another?

The complexity of the DNA (which could range from that of a single-cell organism to that of a human being) in a given piece or set of data could be determined by an algorithm-based assessment of its value and vulnerability. Each would have its own, internally programmed security solution reflecting its profile in terms of the purpose and value to the legitimate stakeholders and its vulnerability, measured by its value to potential attackers. This is ‘atomisation’.

Data ain’t what it used to be

I am not suggesting that I have the skills to develop this next-generation cyber security model, but I would very much like to set down the challenge for those who do.

We have to start by waking up to the fact that data “ain’t what it used to be”. It’s not just that there is a lot more of it – it is said that 90 percent of the data in the world was created in the past two years – it’s also more varied.

The principal reason for this proposed paradigm shift is undoubtedly the relatively recent acceleration in the rate of change in every aspect of data – volume, variety and velocity (the so-called ‘3 Vs’) – coupled with the increasing rate of data collection, storage, processing and analytical capabilities. There is nothing to indicate a deceleration, let alone a decline, in any of these growth factors in the foreseeable future.

A new approach in tune with life’s mod cons

We are already living in a seemingly futuristic environment, in which the technology exists for us to be woken by an alarm at a time calculated by referring to our first diary appointment, the distance to the appointment, mode of travel, transport updates and whether the car (which does not require a driver) needs to be refuelled en route. The central heating can switch to stand-by when the last person leaves the house and on again when the first returning member of the family gets to within half an hour of home, using mobile location tracking. Our fridges will soon place online orders based on what’s running out, the weather forecast and school holidays.

In short, everything is different now. Everything.  So the ultimate goal for security, in my opinion, must be to take a totally different approach that is not hampered by the natural tension between prevention and enablement and the permanent risk posed by access – that if the good guys can get to the data, so can the bad guys. This is why I believe efforts should be focused on a new approach, and that the solution may lie in “atomisation”.
