I once heard Bruce Schneier say, “data is a toxic asset.” The idea resonated with me. In a large fraction of breaches, the damage comes from the exposure of confidential information rather than from impacts to integrity or availability. From my days building anonymity systems in the early 1990s, my prime directive has always been to minimize or eliminate potentially damaging data from operational systems.
The principle is very simple: if the data is not there, it can’t be stolen or leaked. For anonymity solutions, this means that the system should never have information about who is doing what, even in real time.
Storage is so inexpensive that many businesses are tempted to over-store information; after all, it might be valuable at some time in the future. That same information can also cause a huge amount of pain at some time in the future. There are two ways of minimizing the potential damage. The first is to work hard to minimize the amount of information being stored. What do you really need to keep, and how long do you need to keep it?
Automatically purging unnecessary information immediately reduces the amount of potentially toxic data in your network.
A second approach is to distance the data from your attack surfaces. If your systems don’t need real-time access to certain information, it should not live in the database your front-end and web servers talk to. You can substantially reduce the damage from many attacks by moving that data to off-line or near-line storage that is only accessible from well-segmented back-end servers.
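The two approaches above can be made concrete in a small data layout. The following is an added example, not code from the original post: it uses SQLite to model a front-end store that holds only the fields the web tier needs right now and purges them on a fixed retention clock, beside a separate archive store that only back-end jobs open. The table layout, the field choices, the 30-day retention window, the list of "toxic" column names and the sample orders are all assumptions made for the illustration. The schema check at the end is the kind of test a practitioner would run in CI so that sensitive columns never quietly creep back into the exposed database.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Assumed retention window for the exposed tier; the archive keeps full history here.
RETENTION_DAYS = 30

# Columns that must never appear in the database the web tier can reach.
# Assumed list for the example; extend it from your own data classification.
TOXIC_COLUMNS = {"customer_name", "shipping_address", "card_number", "email"}


def open_frontend():
    """Store the front-end and web servers talk to: minimal fields only."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE orders ("
        " order_id TEXT PRIMARY KEY,"
        " status TEXT NOT NULL,"
        " created_at TEXT NOT NULL)"
    )
    return db


def open_archive():
    """Near-line store reachable only from segmented back-end jobs."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE orders ("
        " order_id TEXT PRIMARY KEY,"
        " customer_name TEXT NOT NULL,"
        " shipping_address TEXT NOT NULL,"
        " status TEXT NOT NULL,"
        " created_at TEXT NOT NULL)"
    )
    return db


def record_order(frontend, archive, order_id, customer_name, shipping_address, created_at):
    """Write the full record to the archive and only the live fields to the front end."""
    ts = created_at.astimezone(timezone.utc).isoformat()
    archive.execute(
        "INSERT INTO orders VALUES (?, ?, ?, ?, ?)",
        (order_id, customer_name, shipping_address, "new", ts),
    )
    archive.commit()
    # The front end gets an opaque id plus the fields needed to serve the session;
    # names and addresses never cross into the exposed tier.
    frontend.execute("INSERT INTO orders VALUES (?, ?, ?)", (order_id, "new", ts))
    frontend.commit()


def purge_expired(frontend, now, retention_days=RETENTION_DAYS):
    """Delete front-end rows older than the retention window; returns rows removed."""
    cutoff = (now.astimezone(timezone.utc) - timedelta(days=retention_days)).isoformat()
    # ISO-8601 UTC timestamps written in one fixed format compare correctly as strings.
    cur = frontend.execute("DELETE FROM orders WHERE created_at < ?", (cutoff,))
    frontend.commit()
    return cur.rowcount


def toxic_columns_present(db):
    """Schema check for CI: which forbidden columns does this store carry?"""
    # PRAGMA cannot take bound parameters; the table name is a fixed constant here.
    cols = {row[1] for row in db.execute("PRAGMA table_info(orders)")}
    return sorted(cols & TOXIC_COLUMNS)


def row_count(db):
    return db.execute("SELECT COUNT(*) FROM orders").fetchone()[0]


def demo():
    """Constructed sample data: two orders, one old enough to be purged."""
    fe, ar = open_frontend(), open_archive()
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    record_order(fe, ar, "ord-1", "Alice Example", "1 Example St", t0)
    record_order(fe, ar, "ord-2", "Bob Example", "2 Example Ave", t0 + timedelta(days=20))
    removed = purge_expired(fe, now=t0 + timedelta(days=40))
    return {
        "removed": removed,
        "frontend_rows": row_count(fe),
        "archive_rows": row_count(ar),
        "frontend_toxic": toxic_columns_present(fe),
        "archive_toxic": toxic_columns_present(ar),
    }


if __name__ == "__main__":
    print(demo())
```

In the sample run the 40-day-old order is purged from the front end while the archive keeps both records, and the schema check reports no toxic columns in the exposed store and two in the archive. In a real deployment the archive would sit on a separate host that the web tier cannot route to, and the purge would run as a scheduled job rather than on demand.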
The same approach can be applied to your own desktop, where the attack surface is mostly your browser and email. If an attacker can successfully attack you through either, they have direct access to the data on your computer. Fortunately, you can put distance between those vulnerable surfaces and your computer using virtualization. By running those applications in a virtual machine (VM), either local or remote, you substantially increase the difficulty of getting to your data.
With the potentially toxic data isolated from your vulnerable environment, the damage from a breach is very limited.
Data really is a toxic asset, and when it gets leaked, the toxic waste cleanup can be very damaging. If you limit your exposure to these risks by eliminating the data completely, minimizing how long you keep it, and walling it off from your exposed attack surfaces, the probability of a leak and its subsequent size are vastly reduced.