Full Report
Over the last few years there has been a popular meme talking about information centric security as a new paradigm over vulnerability centric security. I’ve long struggled with the idea of information-centricity being successful, and in replying to a post by Rob Bainbridge, quickly jotted some of those problems down. In pre-summary, I’m still sceptical of information-classification approaches (or information-led control implementations) as I feel they target a theoretically sensible idea, but not a practically sensible one.
## Analysis Summary
As a cybersecurity best practices consultant, I have analyzed the provided context, which critiques the purely "information-centric" security paradigm in favor of approaches that consider system interaction, attack paths, and business functionality.
The following recommendations are derived by synthesizing the identified weaknesses of information classification (shared containers, missing pivot points, ignoring functionality) into actionable, more practical security guidance, aligned with a **system and threat-centric risk management framework.**
---
# Best Practices: System and Threat-Driven Security Prioritization
## Overview
These best practices focus on augmenting or shifting security control implementation from relying solely on data classification labels to incorporating system architecture, inter-system trust relationships, attack path analysis (pivoting), and the criticality of business functionality. This approach aims for more practical prioritization by addressing how real-world threat actors actually move through an environment, rather than only how sensitive the data is where it rests.
## Key Recommendations
### Immediate Actions
1. **Identify Business-Critical Functionality:** Immediately inventory and map all systems whose **functionality** (not just the data they hold) is vital for core business operations (e.g., trade execution, proprietary algorithm processing).
2. **Map System Trust Boundaries:** Inventory all authentication mechanisms, service accounts, and trust relationships (Active Directory forests, inter-service communication) between key systems, regardless of the data classification within those systems.
3. **Isolate "Pivotal" Assets:** Identify any low-classification systems (e.g., monitoring boxes, low-use servers) that possess privileged credentials or direct network access to high-value targets. Apply immediate, elevated security controls to these specific systems.
### Short-term Improvements (1-3 months)
1. **Implement System-Level Segmentation:** Begin network restructuring efforts to impose physical and network segregation *between systems* first, before fully dictating controls based only on data classification within those systems.
2. **Integrate Functionality into Risk Scoring:** When assessing assets, ensure the risk score reflects not just the sensitivity of stored data, but also the impact of unauthorized function execution (e.g., manipulating proprietary logic versus leaking low-sensitivity logs).
3. **Evaluate Shared Container Uplift:** For shared information containers (e.g., SQL clusters, end-user machines used for multiple purposes), immediately upgrade security baselines to the **highest required classification level** mandated by any data component stored, acknowledging the practical limitation of mixed-use containers.
### Long-term Strategy (3+ months)
1. **Develop a Threat Model-Driven Test Plan:** Systematically model how an attacker could pivot between systems (leveraging weak links like monitoring boxes or configuration management endpoints) to reach critical systems or services, and use these models to define penetration testing and vulnerability scanning priorities.
2. **Strategic De-integration for High-Risk Services:** Evaluate the feasibility of radically re-engineering high-risk business processes (like PCI scope reduction suggests) to segregate data and control planes further, provided the associated business integration costs are acceptable.
3. **Mature Control Implementation:** Move toward adopting Digital Rights Management (DRM) or data loss prevention (DLP) solutions only once robust system-level boundaries and functional criticality mapping are established, since the source notes that DRM solutions are still less mature and less widely deployed.
## Implementation Guidance
### For Small Organizations
- **Focus on Access & Function:** Prioritize strict access controls and strong authentication (e.g., MFA) on systems performing critical functions, even if they don't store large volumes of data.
- **Simplified Segregation:** Implement hard segmentation (VLANs/Firewalls) between servers hosting core business logic and general user workstations.
### For Medium Organizations
- **System Audits:** Conduct comprehensive configuration audits on all shared infrastructure (e.g., domain controllers, shared SQL instances) to document all associated trust relationships.
- **Pilot Threat Modeling:** Select one critical application flow and conduct a basic threat model exercise to identify the weakest link (pivot point) in its chain of trust.
### For Large Enterprises
- **Automated Trust Mapping:** Invest in tools capable of mapping authentication flows and service account usage across complex, multi-purpose environments to identify undocumented trust paths.
- **Standardized Functional Rating:** Develop an internal standard for rating system *functionality criticality* that must be used alongside data classification during asset onboarding and configuration management review.
## Configuration Examples
*The context does not provide granular technical configuration examples (e.g., specific firewall rules or registry settings). The guidance focuses on architectural/policy decisions.*
**Architectural Guidance Example (Handling Shared Containers):**
If a single SQL cluster supports both Customer PII (High) and internal operational metrics (Low), the default configuration stance must adhere to the **Confidentiality/Integrity/Availability requirements of the PII data**, even if the operational metrics dominate transaction volume.
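The shared-container rule above, together with the pivot-point and functionality-criticality recommendations under Key Recommendations, can be expressed as a small scoring routine over a system inventory. The following Python is an added illustration, not code from the original post or this report; the hosts, labels, trust edges and the 0-3 criticality scale are constructed sample data, and the scoring rule (take the maximum of data label, function criticality and the highest label reachable by pivoting) is an assumption chosen to match the text.

```python
from collections import deque
from dataclasses import dataclass, field

# Classification scale, lowest to highest (constructed for this example).
LEVELS = {"Public": 0, "Internal": 1, "Confidential": 2, "PII": 3}

@dataclass
class System:
    name: str
    data: list                 # labels of hosted data; several labels = shared container
    function_criticality: int  # 0-3: impact if the system's function is abused
    trusts: list = field(default_factory=list)  # hosts reachable with this host's credentials

def container_level(s):
    """Shared-container uplift: a host inherits the highest label it stores."""
    return max((LEVELS[d] for d in s.data), default=0)

def reachable(inventory, start):
    """Hosts that could be reached from `start` by following trust edges (BFS)."""
    seen, queue = set(), deque(inventory[start].trusts)
    while queue:
        n = queue.popleft()
        if n not in seen:
            seen.add(n)
            queue.extend(inventory[n].trusts)
    return seen

def reach_level(inventory, name):
    """Highest container level among hosts reachable from `name`."""
    return max((container_level(inventory[r]) for r in reachable(inventory, name)), default=0)

def priority(inventory, name):
    """(data-label-only score, score uplifted by function criticality and pivot reach)."""
    s = inventory[name]
    data_only = container_level(s)
    return data_only, max(data_only, s.function_criticality, reach_level(inventory, name))

def pivot_points(inventory):
    """Hosts whose own label is lower than the label of something they can reach."""
    return sorted(n for n in inventory if container_level(inventory[n]) < reach_level(inventory, n))

# Constructed inventory: a low-label monitoring box holds credentials to high-value hosts.
INVENTORY = {s.name: s for s in [
    System("wiki", ["Public"], 0),
    System("monitoring", ["Internal"], 1, trusts=["sql-cluster", "trading-engine"]),
    System("trading-engine", ["Internal"], 3, trusts=["sql-cluster"]),
    System("sql-cluster", ["PII", "Internal"], 1),
]}

if __name__ == "__main__":
    print({n: priority(INVENTORY, n) for n in INVENTORY}, pivot_points(INVENTORY))
```

On this inventory the data-label-only score rates the monitoring box and the trading engine as "Internal", while the uplifted score puts both at the same level as the PII-bearing SQL cluster they can reach or whose function they control.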
## Compliance Alignment
The focus shifts from simple data tagging (often required by classification frameworks) to an approach more aligned with **NIST SP 800-30 (Risk Management)** and **ISO 27001 (System Context and Risk Assessment)** by prioritizing based on exploitability and impact derived from system architecture.
- **NIST CSF (Identify & Protect):** Mapping business impact (functionality) and systemic weaknesses (pivoting) maps directly to defining assets and implementing protective measures based on the attack path likelihood.
- **ISO 27005:** The recommended approach forces a risk assessment that evaluates organizational risk derived from *process disruption* (functionality) and *system exploitation* (pivoting), rather than just data loss magnitude.
## Common Pitfalls to Avoid
- **Over-reliance on Data Labels:** Do not assume that a system hosting only "Public" data is low-risk if an attacker can use it as a jump box to compromise an adjacent system containing "Confidential" data.
- **Ignoring Function Over Content:** Failing to secure systems that *perform* sensitive actions (e.g., transaction signing, service control) simply because they do not store the underlying sensitive material.
- **"Cost-Saving" Container Consolidation:** Resist the temptation to keep diverse, high-risk systems consolidated merely to save on licensing or infrastructure costs if this fundamentally prevents adequate security isolation.
## Resources
- **CERT/Carnegie Mellon's OCTAVE Methodology:** Useful for understanding asset grouping and control mapping within complex information containers.
- **Threat Modeling Frameworks (e.g., PASTA, STRIDE):** Used to model the attack paths and pivot points described, helping move beyond simple inventory checks.
- **VERIS Metrics (Preliminary Work):** While not fully defined in the text, referencing industry models that integrate breach data helps prioritize testing based on observed attack patterns.