
Bsides Oslo 2022 – Anthony Brown – Information Protection

BSides Oslo · 2022 · 18:52 · 22 views · Published 2023-01
Style: Talk
About this talk
Information Protection: do's, don'ts and "WTF, we don't want a Datatilsynet fine!" Originally from South Africa, Anthony relocated to Norway via Scotland 16+ years ago and has been working in "IT-something" since 1999. He has done a bit of everything over the years (hardware, testing, developer work, sysadmin, security, etc.) in everything from clients to servers to, now, the cloud, focusing on Microsoft cloud for the last 10 years and aiming to bring balance to where security and user interactions meet. This talk focuses on getting started with Information Protection in general terms. Aiming to be technology agnostic: what do businesses and organisations need to be aware of? What are the pitfalls and "easy wins"? The talk finishes with a brief guide on "getting started".
Transcript [en]

Hi, good afternoon. Can I presume everyone has had a good lunch and you're ready for the next quick session? Okay. Since time is as limited as it is, I'm going to ask, as you've all been asked before, keep questions to the end; let me see what we can do there. So today's talk is information protection, or more specifically, getting to information protection via information management. And legal disclaimer first and foremost: these opinions here are my own and not those of my employer. There's a reason for that, as you'll see when I talk about who I am.

So my name is Anthony Brown. I am a South African now living here in Norway. I have worked over the last 20 plus years in some very interesting organizations and very interesting industries. I've been both in the private sector, working for manufacturing, working with IoT stuff, and working for some of the larger companies like Johnson Controls, DNV, always involved with something relating to IT: being the administrator, being the infrastructure engineer, working in security, working in cloud, a bit of everything. Which also means that because I've been doing a bit of everything, I've been involved in a lot of very interesting projects, everything from our friendly railway service to the people that check our postage and stuff when we order something from the UK, to recently seek his partner. At the moment I am working for PwC, hence the comments: these are my own opinions and not those of my employer.

Now for me myself, I like taking breaks, biking the mountains. You might find me over a pot of good food, or just sometimes shooting arrows at a stick in the garden, because why not, it sounds like a good idea at the time.

So first and foremost, I need to limit some expectations. Some people have already come up to me about what they expect this talk is about. I need to break all these expectations at once. What I'm going to be talking about is not how to do information protection, not what to click, not what to switch on, not how to configure. I'm going to actually be highlighting some of the pitfalls leading up to information protection. As any one of you who has implemented something technical or IT-related in a company knows, if you just do it but the company is not ready for it, it's probably not going to go very well. So I'm going to go through things to be aware of: what you need to build up to, what do you need to get started. Unfortunately I do not have the time to go into identity and access management, which is also really important for information protection and information management, but if you've got questions I'm available after; we can talk about it.

So first of all, what is information management? Now Digdir has got a really nice comment, which I will just read; the translation is: all organizations have a responsibility to manage the information that they own in a good manner. But what does that mean? What does it actually mean? It means that all the information that we generate in our organizations, we need to manage it, we need to take care of it, we need to follow it as it goes from creation, through use, through publishing, to archival and eventually to deletion. Well, why is that? Information management versus information protection: well, protection is exactly what this image shows. We want to protect it from things going wrong, we want to protect it from accidental disclosure ("oh hey Ryan, here's a list of credit cards" and click Send to everyone in BSides, oops) or full-on disclosure: so you've been hacked, someone's got into an account and now has taken all your data, published it to GitHub, "guys, I'm selling this now, here's a sample". That's information protection: protecting information from people who do not or should not have a look at it, and keeping it safe is important.

Well, to start off with, what is data, what is information? And quite simply, it is anything and everything; anything can be data or information. We can have it as analog: I could be in a shop, all my inventory, that's data. It could be something taken in pictures. This very stream is data somewhere; it's going to be on YouTube, it's going to be on BSides. Or it could be something in my paperwork. We were talking about journalism early on with Bruno: all their records, all the data that they have there, that's data that needs to be managed. And it could be stored, well, in today's day and age we've got our cloud, we've got massive data centers, we've got things spread around the globe, we've got it in our closets, under the escalator. It can be digital, it can be printed, it could be on a memory stick, okay. And last but not least, it's important to protect it and manage it because it can be easily moved. As we said before, we could print it, we could run it in today's journal, tomorrow's newspaper, sorry, we could share it on social media, we can publish it, or more likely than not we're just going to want to work with it. What's the use of a full-on information protection and locking down of all my data if I cannot get my job done? Data wants to be moved, it wants to be shared, we want to go forward with it. If that's the case, we need to manage it.

Now as I said before, I'm not talking about information protection directly, but I am going to talk about it, because as you can see from these two blocks here, management and protection, they actually link directly to each other, and then from protection up to all my devices, up to all my infrastructure, up to all the identities. Now in the information world we follow an information life cycle, as I said earlier, from creation through to your storage, through to use, through to archival, deletion, AKA we are retiring it. No, I'm not sending it to the farm, I'm just going to retire it. And then if you go to the information protection side of things, well, now we want to discover: where is my data? Is it on my mobile phone, is it on someone's USB, is it on their computer, is it on their drive somewhere in Dropbox, or the closets? I want to say, okay, is this worth protecting? No, no one really wants to know about my shoe sizes, but you know what, I might want to protect my information that's got to do with my HR records, I might want to protect my personal information, or my accesses. So I'm a system administrator, great, fantastic, got all the rights; you know, I can't remember 500 passwords, I'm going to make a list. That list should be protected. But protect it how? Well, we could encrypt things, we can make it that it doesn't get sent onwards, we could do all sorts of wonderful things to it to keep it safe. But at the same time, with protection we also want to monitor. Things change: what today we classify, or today we want to protect, tomorrow might be a publication. We are working in a company now; the company says, you know what, we are doing a massive presentation, it's going to be this big budget product we're releasing, right now secret secret secret, fully protected, but tomorrow we're going to tell everyone about it because we're going to sell it. We want to monitor it; we change things over time. And as I said, things can be anywhere on my infrastructure: I'm talking about my servers, I'm talking about my data centers, I'm talking about anywhere that I have something connected to my organization. And with your identity, it's not just you and me as users; also think about your identities as your services, your applications, your wonderful APIs that are fetching things. Do they need that access on an API? As you saw in our second presentation, with an API you can get anything about your identities.

So let's go have some fun: what can go wrong? And oh boy, so much. First and foremost, I've split up what can go wrong into different categories. Now, first category: no support. Initially you can take that to mean no support from leadership. So you think it's a great idea, right, we are going to do information management, information protection for the organization, we want to do all this, and your leader just goes on his phone: "oh, that's a great idea", and it goes that way; they're not interested. And if my leader, the boss, isn't interested in me doing this, why should all the other employees, my colleagues, be interested? Why should they do what the leader thinks is not worth the time? So when you think in support, think that if I'm going to go for an information management and protection system and implement a change that affects the entire organization and everything we do, you're going to need leadership buy-in. By the same token, you could have the wrong support. As I said in the introduction, and just by show of hands, how many of you have implemented a technical solution where you've had IT support and only IT support, and the company did not like it? No? Okay, very shy. At least one honest person, two honest people. If you've got the wrong backing, and now again, I mean when we do management and protection systems at this scale, you need the backing of the entire organization, you need the backing of the leaders across the board. If just IT says we are going to do this, if security says you will do this, and if compliance says we need to follow this, but only they are interested, then we've got the wrong sponsors, because HR might think, ah, it's not for me; finance will think, yeah, whatever; users. Having the right support, the right sponsors: very important.

Now another thing that can often happen and go wrong is you rush your planning; you go full bore in without an idea. And rushed planning can often come around, especially now: we had a wonderful experience 2017, 2018. How many of you remember GDPR coming in? And it was chaotic. At that time GDPR got activated, I was still working in the schools, the school systems, and thankfully for schools, all schools were prepared, because schools have always... we didn't have in Norway that law that said you should protect private information; for schools it was "you will protect private information". So GDPR comes around, it was like okay, some tweak here, some tweak there, we're good to go. Businesses panicked, as you all saw, so they rushed to do something; not all of what they did went well. Same token, unknown goals: what are you aiming to do, where do you want to go with this? It's kind of silly if HR says they want to protect information like this, but finance says they want to do it this way. They've got different goals, and if any one of you have ever tried to steer a horse carriage and one horse decides to go left and the other decides to go right, you go nowhere. Other things that can go wrong is with communication: what do you tell the users? At the end of the day, when you implement information systems it affects users, and if you tell them the wrong thing, or even worse, nothing at all, then the imagination starts ticking: "oh, you are going to be scanning all documents and files, well, is that on my private PC or my private phone, what are you going to be checking, what are you going to be doing? You know what, Datatilsynet, I'm worried about this", or "I go to my union, there's something wrong here and you've got to stop". Having a good communication plan, explaining what's going to happen, including people in your organization, treating users as people, having nice, simple, clear information that they can understand, goes a long way to supporting you.

And last but not least, now we get to something that's a bit more technical: be very careful with what you configure. If we go towards... I do apologize for those of you at the back who cannot see. Three images: over-configured, no maintenance and over-eager. Now over-eager and over-configured might seem to be the same thing, but are not. You see, over-configured is we go full bore in, decide to switch everything on, do all these wonderful bells and whistles, configurations and settings, great, but it is so cumbersome it doesn't work; no one wants to do it. If any of you have ever seen the government system, and I mean the Norwegian government system, in action: when they say, right, you go to the park, the path will go north and then go west, but it's to go around the park, what do people do? They'll cross the park. There's no path; there is after one month, there will be a path. People will find what works for them despite what you over-configure, and sometimes what you over-configure can actually stop you from doing the job, and then we go back to the situation where security is bad because it's stopping me from doing my job. Be careful with how much you configure and how much you think you should configure. Same token, no maintenance: you switch everything on perfectly as you need, great, it's running, it's up and running, it's doing its job, and then you walk away. But going back to my last example, rather: stuff changes, information categories change, importance changes. Maintain your systems, maintain your categories so that they stay up to date. Who here believes that security is done the moment we've got everything up and running? You'd be a liar. We're always busy; maintain what you have. Now over-eager: things are up and running, they're nicely configured, you're maintaining, you know what, let's switch on encryption by default, let's switch on blocking for sending off things to external domains by default. You get eager: now it's going, it's going great, next step, next step, but you take it out of your planned phases, you take it away from what you have thought "I'm going to do", and suddenly you're in a situation where those people who are not ready for configuration, those people who aren't ready for encryption, for blocking of domains, for blocking of emails, etc., they hit a brick wall. And then you spend the next week, two weeks, month reversing everything, and the next three months to a year trying to re-inform everybody and build back up that trust, back up to the level where things are working well.

So what do we do? Where should we start? Now, very simply: have the right sponsors, have the right communication. Start up with finding someone or something to anchor this to. Is there something happening in the organization that you can hook into with an information protection system? Is there someone who can lead the torchlight? Now, normally when we want to implement systems we want to be agnostic of a person; you don't really actually want that person to be a figurehead, because that person might leave. But in this case you need someone to start, and if you can anchor it in to the right leader and build up the support from the leadership team, then it pulls the whole thing forward. It leads it on, and then you've got all the support behind it; it leads it on, it actually keeps going. It could go fast, sometimes it can go slow, but it keeps going.

Have a defined goal, have a defined mission: what do we want to do with this, how do we want to proceed with it, where do we want to go? We can decide to say, right, we can have super ambitious goals and we're going to have realistic goals, I think all that we are happy with. What do we need to do? That's the bare minimum, that's the legal side. What should we do? That's what we desire, that's where we want to be. We want to make a high bar. Expectations we'll implement: when you think about protecting your data, it's not just the legal expectations, what we have to do, GDPR, Norwegian law, financial law, etc., but it's also the expectations of your customers, your users. They expect we are going to treat our information, or I should say, yeah, our information at that organization, we are going to treat it well. Well, let's live up to that trust. So we set our goals that we can achieve, we set our goals the way we want to go and what we want to do, we define clear principles, define clear standards: we're going this way.

Now I have these slides; we will publish them somehow, we'll get them out to you. I have created an appendix inside the presentation with some clearer things, more "do this, do this, I advise this". It's a good getting started; it is both in Norwegian and in English. By all means download it, let it help to get you started. Now that is me. If you want to get in touch with me, feel free to send me an email, I am on LinkedIn, I don't mind DMs, and if you've got any questions on both this for the business change or the technical side, I'm available. Thank you.

[Applause]

Thanks, Anthony.