Skip to main content

Protect Information Not Data

In an ideal world, should we not be protecting information instead of data?  This is an interesting concept.  We backup data.  We secure data.  We create and manage access control lists that allow the subject, access to an object.  The object is generally classified as data.  We talk about 'big data'.  Moving data to the cloud and so on.  But is the data component actually that important?  Obviously certain individual pieces of data are very important.  Certain documents, files and so on, have significant importance and exposure levels.  But on the whole, is an organisation run on data or information?

I guess we need to define both of the key terms here.  What is 'data' and what is 'information' and more importantly what are the differences?

What is 'data'?

A basic technical definition would be that data is the low level bits and bytes of an object.  This object on its own, comprises of basic, raw and unorganised facts.  The actual word would have a Latin equivalent of 'datum' to mean 'that which is given'.  As humans - or managers, analysts and so on - we need to interpret the data for it to become useful.  For example, backing up an email file such as .pst, is pretty useless in providing email reading and writing capabilities, without being able to interpret that file via an email client.  The same can be said of data.  Without the interdependence with other data sources and analytical tools and frameworks, data has limited use.  If you were given an exam score of 65, that 65 on it's own is pretty useless, without knowing the pass mark, maximum score, comparative scores, averages and so on.

So what is 'information' then?

I'd describe information as being data that has been interpreted, organised and given some context.  Once the context has been identified and applied to a singular piece of data, that can then be communicated and reported to others, making it useful information.  That information in turn can be used to develop intelligence over time.  An organisation as a whole, whether that's a manufacturing or service based company, will really function on information.  Information creation will start through interpreting the raw data, where information management takes over via analysis and collaboration and ultimately ending up with information dissemination either internally or to clients with products messages delivered.

The point of an information management system

The information management system (IMS) is ultimately the mechanics between the raw data and something useful at the end.  IMS's will take an input, perform some processing and deliver an output.  In addition you'll probably have some control and feedback components too.  An IMS will also contain an important couple of ingredients: people and processes.  Whilst many organisations would love automate as many people related tasks as possible, raw humans still have a pretty important role to part in any information chain.  They can add adaptability and rationality to decision making - as well as the opposite in some cases too.  But human knowledge is still an huge part of an organisations successful output.

Protecting the entire information chain

This brings me back to the main point.  Don't just protect the individual data component of the information chain.  Without the other ingredients, including people and processes, the data itself can have limited use.  Backup and recovery techniques should really look to contain the people and process related aspects, even if those components are not initially easily committed to tape the same as a database.  From a security perspective, an organisation should be protected from multiple levels, which would also include the processing and output components.  Processing could include collaboration tools  and techniques, analysis and reporting too.  Output is often an area which is often protected from the outside in - ie lets stop people seeing stuff we don't want to them see.  It should also be focused on internally, to make sure information going outbound is sufficiently restricted, managed and recoverable.





Popular posts from this blog

2020: Machine Learning, Post Quantum Crypto & Zero Trust

Welcome to a digital identity project in 2020! You'll be expected to have a plan for post-quantum cryptography.  Your network will be littered with "zero trust" buzz words, that will make you suspect everyone, everything and every transaction.  Add to that, “machines” will be learning everything, from how you like your coffee, through to every network, authentication and authorisation decision. OK, are you ready?

Machine Learning I'm not going to do an entire blog on machine learning (ML) and artificial intelligence (AI).  Firstly I'm not qualified enough on the topic and secondly I want to focus on the security implications.  Needless to say, within 3 years, most organisations will have relatively experienced teams who are handling big data capture from an and identity, access management and network perspective.

That data will be being fed into ML platforms, either on-premise, or via cloud services.  Leveraging either structured or unstructured learning, data fr…

Customer Data: Convenience versus Security

Organisations in both the public and private sector are initiating programmes of work to convert previously physical or offline services, into more digital, on line and automated offerings.  This could include things like automated car tax purchase, through to insurance policy management and electricity meter reading submission and reporting.

Digitization versus Security

This move towards a more on line user experience, brings together several differing forces.  Firstly the driver for end user convenience and service improvement, against the requirements of data security and privacy.  Which should win?  There clearly needs to be a balance of security against service improvement.  Excessive and prohibitive security controls would result in a complex and often poor user experience, ultimately resulting in fewer users.  On the other hand, poorly defined security architectures, lead to data loss, with the impact for personal exposure and brand damage.

Top 5 Security Predictions for 2016

It's that time of year again, when the retrospective and predictive blogs come out of the closet, just before the Christmas festivities begin.  This time last year, the 2015 predictions were an interesting selection of both consumer and enterprise challenges, with a focus on:


Customer Identity ManagementThe start of IoT security awarenessReduced Passwords on MobileConsumer PrivacyCloud Single Sign On
In retrospect, a pretty accurate and ongoing list.  Consumer related identity (cIAM) is hot on most organisation's lips, and whilst the password hasn't died (and probably never will) there are more people using things like swipe login and finger print authentication than ever before.

But what will 2016 bring?


Mobile Payments to be Default for Consumers

2015 has seen the rise in things like Apple Pay and Samsung Pay hitting the consumer high street with venom.  Many retail outlets now provide the ability to "tap and pay" using a mobile device, with many banks also offer…