The Case for “Reverse Information Classification”
Transcript of The Case for “Reverse Information Classification”
© 2012 Chevron Corporation All rights reserved.
The Case for “Reverse Information Classification”
Michael J. Lewis, Senior Staff Security Strategist, Chevron Information Technology Company
2012 API Cybersecurity Conference, Houston, Texas, November 2012
This document is intended only for use by Chevron for presentation at the November 2012 API Cybersecurity Conference and posting on the November 2012 API Cybersecurity Conference website. No portion of this document may be copied, displayed, distributed, reproduced, published, sold, licensed, downloaded, or used to create a derivative work, unless the use has been specifically authorized by Chevron in writing.
[Image: TOP SECRET stamp]
Today’s Premise
Everyone agrees that (formal) information classification is the start of information security
Information classification drives access and the selection of controls to protect data
Today’s Premise
But (formal) information classification
– Is inherently flawed
– And even then, we don’t execute it particularly well anyway
Today’s Premise
We can try to improve an inherently flawed process or we can think out of the box
Our agenda for today
Introductions
Traditional classification
Pitfalls with traditional classification
Reverse classification
Conclusions, recommendations, questions, and answers
Disclaimer
The concepts covered within this presentation:
Have not been adopted for use by Chevron
Represent the presenters’ opinion
Obligatory Company Profile Slide
Chevron is the second-largest integrated energy company in the United States and among the largest corporations in the world, based on market capitalization as of December 31, 2011
Involved in virtually every facet of the energy industry:
– Explore for, produce and transport crude oil and natural gas
– Refine, market and distribute transportation fuels and lubricants
– Manufacture and sell petrochemical products
– Generate power and produce geothermal energy
– Provide energy efficiency solutions
– Develop the energy resources of the future, including research for advanced biofuels.
Business activities around the world
Diverse and highly skilled global workforce consists of approximately 61,000 employees including more than 3,000 service station employees
Who am I to give this talk?
Over thirty years at Chevron, the last thirteen in security
Experience with a multitude of computing environments
– Mainframe
– UNIX
– Windows PC
– Directories
– Virtual machines
Led efforts to document Chevron security architecture in 2005 and revise it this year
Traditional classification – Federal Government / Military
Classify data
Classify people
People at a certain level can access information at that level or below
[Image: classification stamps: TOP SECRET, None]
Traditional classification – Corporate
Generally 3 – 4 classification levels
– Public – stuff intended for the outside
– Internal/Business – non-sensitive corporate data
– Confidential – Sensitive business data
– [Really confidential – really sensitive business data]
Process
– Classify data
– Controls are set based on classification
Pitfalls of the federal classification scheme
Pitfalls of traditional classification (slide 1 of 3)
What is the classification of this data element?
999-99-9999
Public? Business? Sensitive? Super Sensitive?
Pitfalls of traditional classification (slide 2 of 3)
Classification is hard because classification definitions leave much to be desired
– Terms are subjective
• “most sensitive business data” versus “particularly sensitive information”
• “severe negative impact” versus “very large negative impact”
• Based on these, where would you put a social security number?
– Data types listed are incomplete
• What do you do if your data type isn’t listed?
• What to do with new data constructs (like Big Data)?
Classification of some data changes during the information lifecycle
– For example, merger data. The classification of the data before the merger versus 15 years after the merger.
Recording classification level is difficult
Pitfalls of traditional classification (slide 3 of 3)
Classification focuses only on confidentiality
– If public data doesn’t require controls, then why is the general public prevented from writing on one’s corporate web site?
Legal requirements
– Special controls/tests are needed for information within legal regimes (SOX, PCI)
– Data may span multiple classification levels.
Access Controls are not based on classifications
– Access controls are set based on need to access
– Anyone with cleared need (from the CEO to a janitor) may be able to access data at the highest classification
• Note that this may include a partner if there is business reason to share the information.
Controls (like encryption) based on classification are often not implementable
Returning to a previous example
999-99-9999
Does this information need protection?
If so, how should it be protected?
Reverse classification
Assess the risk of confidentiality, integrity, and availability loss/breach to the information
Apply controls to manage the risk
Map control set back to a classification level
What reverse information classification does for me
Addresses all aspects of security (confidentiality, availability, integrity) rather than solely confidentiality
Addresses legal requirements (SOX)
Access controls are incorporated
Lifecycle changes are managed by changing the controls (which is likely part of the process already)
No need to squabble over nebulous classification definitions or implement massive projects to classify all data.
Simplification of standards
Risk management approach
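The three reverse-classification steps (assess C/I/A risk, apply controls, map the control set back to a label) and the lifecycle point above, modelled as an added Python example; this is not code from the presentation or from Chevron, and the control catalogue, risk ratings, legal-regime controls and sample assessments are constructed assumptions.

```python
from dataclasses import dataclass

RISK = {"low": 1, "moderate": 2, "high": 3}
LEVELS = ["Public", "Internal", "Confidential"]

# Hypothetical control catalogue: (control, CIA facet addressed, minimum risk at
# which it applies, classification level it implies). Integrity/availability
# controls imply no confidentiality label, so Public data still gets controls.
CONTROLS = [
    ("encrypt_at_rest", "confidentiality", "high", "Confidential"),
    ("need_to_know_acl", "confidentiality", "moderate", "Internal"),
    ("change_approval", "integrity", "moderate", "Public"),
    ("tamper_evident_logging", "integrity", "high", "Public"),
    ("backup_and_restore_test", "availability", "moderate", "Public"),
]
# Legal regimes (SOX, PCI) add controls regardless of the CIA ratings (assumed).
LEGAL_CONTROLS = {"PCI": {"pan_masking"}, "SOX": {"segregation_of_duties"}}

@dataclass(frozen=True)
class Assessment:
    """Step 1: the information owner's risk assessment of one data element."""
    name: str
    confidentiality: str
    integrity: str
    availability: str
    regimes: tuple = ()

def select_controls(a: Assessment) -> frozenset:
    """Step 2: choose the controls that manage the assessed risk."""
    chosen = {c for c, facet, min_risk, _ in CONTROLS
              if RISK[getattr(a, facet)] >= RISK[min_risk]}
    for regime in a.regimes:
        chosen |= LEGAL_CONTROLS.get(regime, set())
    return frozenset(chosen)

def derive_classification(controls: frozenset) -> str:
    """Step 3: map the control set back to the highest label it implies."""
    implied = {lvl for c, _, _, lvl in CONTROLS if c in controls}
    return max(implied, key=LEVELS.index, default="Public")

if __name__ == "__main__":
    # Constructed assessments: the SSN from the slides, a public web site, and
    # merger data 15 years after the merger (a lifecycle change: re-assess,
    # controls drop away, and the derived label changes with them).
    for a in (Assessment("SSN 999-99-9999", "high", "moderate", "low"),
              Assessment("corporate web site", "low", "high", "high"),
              Assessment("merger data, 15 years on", "low", "low", "low")):
        ctrls = select_controls(a)
        print(f"{a.name}: {derive_classification(ctrls)} {sorted(ctrls)}")
```

Note that the web site ends up Public yet still carries integrity and availability controls, which is the point made earlier about public data not being control-free.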
Additional responsibility on information owner to execute risk assessments
– Information owners may not be risk assessment proficient
– Caveat: sensitivity of some data (mergers and acquisitions, privacy) is patently obvious
Controls need to be linked to classification
– Effects of combinations may be challenging.
Bucking the tide
Utopia?
Conclusion
Traditional information classification has been around for decades but does not necessarily provide proper information protection
Reverse information classification focuses on implementing controls to address risk and managing any “classification” needs afterward
– Minimum: Data are protected
– Best case: simplification of standards and elimination of built-in exceptions
What have you got to lose?