Identifying and understanding high-value digital assets in the context of the business is critical in assessing what work-loads to move to the cloud. But doing so is difficult without an effective model to help define and classify these assets. This session presents a down-to-earth methodology for identifying assets and understanding their value that you can apply in critical business decisions. Objective 1: Understand what to look for when identifying valuable information assets. After this session you will be able to: Objective 2: Identify critical steps in the process of identifying and understanding digital assets. Objective 3: Apply asset value when deciding what digital assets to entrust to the cloud.

1. Identifying the Value of
Informational Assets
Before You Move Them
to the Cloud
Jason Rader
Chief Security Strategist
RSA, the Security Division of EMC
© Copyright 2013 EMC Corporation. All rights reserved.
1

2. Roadmap Information Disclaimer
 EMC makes no representation and undertakes no obligations with
regard to product planning information, anticipated product
characteristics, performance specifications, or anticipated release
dates (collectively, “Roadmap Information”).
 Roadmap Information is provided by EMC as an accommodation to the
recipient solely for purposes of discussion and without intending to be
bound thereby.
 Roadmap information is EMC Restricted Confidential and is provided
under the terms, conditions and restrictions defined in the EMC NonDisclosure Agreement in place with your organization.
© Copyright 2013 EMC Corporation. All rights reserved.
2

3. How do we value information?
© Copyright 2013 EMC Corporation. All rights reserved.
3

4. Bits vs Bits
 On one hand, we have bits of data
 On the other, we have MANY “bits” of money
© Copyright 2013 EMC Corporation. All rights reserved.
4

5. What’s the Conversion Rate?
 10 Bits = €10?
 1 Gigabit = £1,000?
 1 Byte = 2 bits?
 Where is this rate? How do I use it?
– Doesn’t exist!
– Too many factors affect it to map globally.
© Copyright 2013 EMC Corporation. All rights reserved.
5

6. A Scholar’s Definition
 “Information value arises as the difference between
a decision maker’s payoff in the absence of
information relative to what can be obtained in its
presence.”
 This works for theft, but what about copy?
– China/Mr. Pibb Problem
– Once copied, is it a race to the bottom?
Banker, R. D., & Kauffman, R. J. (2004). The evolution of research on information systems: A fiftieth-year survey of
the literature in management science (Vol. 50, pp. 281-298): INFORMS: Institute for Operations Research.
© Copyright 2013 EMC Corporation. All rights reserved.
6

7. How do we classify info today?
© Copyright 2013 EMC Corporation. All rights reserved.
7

8. Why is information classification broken?
 Typical classification systems
are problematic
– Lack definition (what
constitutes info of
this kind?)
– And automation
(teach systems to
handle)
– Don’t address individual
data value (is a vault
required?)
© Copyright 2013 EMC Corporation. All rights reserved.
8

9. Four Dumb* Classification Schemes
 Structuralist (Focusing on regulatory compliance)
 Realist (Stuff we care about, stuff we don’t)
 Broker (risk-based, three tiers, soft chewy middle)
 Striver (Everyone hates this guy, 3+ tiers, highly
structured, opportunities for automation)
Information Classification: An Essential Security Thing You're (Still) Not Doing, Trent Henry, Gartner
© Copyright 2013 EMC Corporation. All rights reserved.
9

10. Opportunities for Attack
 Attackers and companies never value data the same.
There are reasons for this:
– The data itself isn’t valuable without the
knowledge/hardware to monetize it
– Secondary/unused business data is ignored
– Differing interpretation of value lifecycle
© Copyright 2013 EMC Corporation. All rights reserved.
11

11. How do we identify these opportunities?
 The value of information to us (Vc) varies widely
 As does the payoff for an adversary (Pa)
 Where those differ, we have opportunity (O)
– This could also be described as inefficiency
 This opportunity can be expressed as:
O = Vc - Pa
© Copyright 2013 EMC Corporation. All rights reserved.
12

12. How do we identify these opportunities?
O = Vc - Pa
 Positive values of O suggest we know and understand the
value, and attackers cannot monetize
 Negative values of O suggest we have high risk data that
attackers want, but we devalue
 Small values of O indicate matched intent
 Large values of O indicate inefficiency
© Copyright 2013 EMC Corporation. All rights reserved.
13

13. Examples of how this works:
O = Vc - Pa
 Credit Card Information, 30m HQ Numbers
– Low value to company, transactions settled
– HIGH payoff to adversary ($1/card = $30m)
– Hugely negative Opportunity value
 Manufacturing process for IP, control SC
– Payoff is low to adversary due to supply chain
– If high spend on security, could be reallocated to other areas.
© Copyright 2013 EMC Corporation. All rights reserved.
14

14. The Value of Information Over Time
Max Value
Value
Area under this curve
= money for
information owner
Time
© Copyright 2013 EMC Corporation. All rights reserved.
Information
eventually becomes a
liability
15

15. Events Occur, changes the curve
Max Value
Value
Information is now
copied, breach occurs
Time
© Copyright 2013 EMC Corporation. All rights reserved.
The loot
becomes divided
among holders.
16

16. What’s interesting about these curves?
 This one is a sample, but somewhat representative
 Curve notes:
–
–
–
–
Each ACTOR has their own curve
Curves can be steeper or flatter
Curves can converge/diverge with actor action
Curves only represent value for the ACTOR (i.e., unrealized
value may not be represented)
– Eventually, information becomes a liability
– Impending threat mirrors value curve
– Think about a zero day exploit on its own curve
© Copyright 2013 EMC Corporation. All rights reserved.
17

17. Beginning to translate these curves
 Information’s value varies over time
– We need to consider malicious actors when planning
information security defenses
– Blanket controls cause inefficiency
 When curves converge/diverge…
– Values can dramatically consolidate/divide
 Curves represent potential value to the actor
– Pent up value may exist without realization
© Copyright 2013 EMC Corporation. All rights reserved.
18

18. We need a new model
 Minimum model requirements:
– Information grouped by value
▪ To ME
▪ To Competitor/Military
▪ Only if LOST
– Address information value over time
▪ Information changes in value over time
▪ Usually depreciating, some more rapidly than others
– Reflect # of actors and motivation
– Reflect change in motivation based on payoff
▪ Market forces can dramatically alter this
▪ Large data stores are more attractive than small ones
© Copyright 2013 EMC Corporation. All rights reserved.
19

19. Moreover: The model needs to be simple
 No industry jargon
 No dictionary required
 Not dozens of pages
© Copyright 2013 EMC Corporation. All rights reserved.
20

20. Simple, Yet flexible
 Must be able to adjust with value changes
 Must rely on accurate inputs
–
–
–
–
–
–
Numbers of actors
Projected payoffs with data theft
Strength of perimeter defenses
Number of business processes using the data
Amount of data sprawl
Account for amount of data as a change in payoff
 Must be able to affect security posture
21
© Copyright 2013 EMC Corporation. All rights reserved.
21

21. How SHOULD we view the world?
Secret Sauce
Intellectual Property
Software Vuln DB
Corp Strategy
Crown Jewels
Easily Transferrable IP
Actionable IP
Encryption Keys
COMPINT
Defense Information
© Copyright 2013 EMC Corporation. All rights reserved.
Customer Analytics
IT Configs
Biz Processes
Valuable to me
Derivative Data
Analytics for Sale
Medical Records
Valuable to
Competitors
or Military
Valuable if
Lost
CC Data
PII/PHI Data
Unused Biz Data
Disinformation
Old Source Code
Old IP
Old/Retired Encryption Keys
22

22. The Model
Value to
You
Value to
Comp.
Value
if Lost
1
50
2.3B*
Y
N
N
Customer Analytics
IT Configs
Business Processes
N
Intellectual Property
Secret Sauce
Software Vuln DB
Corp Strategy
Y?
Old Source Code
Old IP (where new IP is
derived)
Old encryption keys
Y
N
Y
Y
© Copyright 2013 EMC Corporation. All rights reserved.
Examples
Breach
Prob.
Biz Impact
Low
A/I
Med
C–Delayed
Risk
A/I Immediate
ACTION
Number of Potential Actors
Med
C/I
Secured, but
not vaulted
Protect (Vault)
C: Destroy
I: Secure
Archive
23

23. The Model (part 2)
Value to
You
1
N
Value to
Comp.
Value
if Lost
50
2.3B*
N
Examples
Biz Impact
ACTION
Number of Potential Actors
Y
Credit Card Numbers
PII/PHI
Unused Biz Data
Low (High
Impact)
C
High
C
Y
N
Y
Sec. Data Analytics
(revenue)
Medical Records
High roller customers
Proprietary Algorithms
Financial Results
Y
Y
Y
Crown Jewels
Easily transferrable IP
© Copyright 2013 EMC Corporation. All rights reserved.
Breach
Prob.
High
(# Actors)
C
Outsource
Destroy
Obfuscate
Protect IP
(Vault)
Secure Data
Protect (Vault)
24

24. Payoff
The Relevance of Data Mass
Amount of data
© Copyright 2013 EMC Corporation. All rights reserved.
25

25. Combating Risk from Data Growth
 Reduce data stores
– Truncation
– De-value options (tokens)
– DESTROY
 Reduce the effective size
– 1M records / 10 keys =
100K recs!
– Multiple algorithms
© Copyright 2013 EMC Corporation. All rights reserved.
26

26. How to apply the model
 Look at the kinds of data your business controls
–
–
–
–
Try to define what it is, then relate it to the model
Be sure to find information NOT IN USE
Understand flow and sprawl of data
Look for large values of O
 Add values where you can
– Valuing information is personal
– Use your own data
– Don’t rely on external sources to define data value
 Remember CONFIDENCE factor!
 Take Action Per the Model!
© Copyright 2013 EMC Corporation. All rights reserved.
27