Abstract
Information architecture techniques can be used to abstract information content and model its flow for the purposes of security classification. Applied within an enterprise architecture framework based on the TOGAF model, they help identify possible attack vectors.
Background
One of the most difficult aspects of managing an enterprise is identifying information vulnerabilities in a mass of data and systems. The CIO or CISO is responsible for protecting the privacy of customer data, records and internally sensitive documents, yet is not in constant contact with the staff who use and steward that information. That is before the added complications of remotely hosted, cloud-based, outsourced or third-party information exchanges.
Enterprise information systems are dynamic, built on process workarounds, varying hardware and software versions, and embedded business decision logic. The data structures that make up an information object can be difficult to interpret and often lie under layers of application code.
This layering is why information architecture is more useful than data architecture for vulnerability identification. The sharing, exchange, use and meaning of data is what makes it of benefit to the business, but also makes it a target for eavesdroppers.
Information Discovery
Discovery and classification of information is normally carried out in the first instance by the personnel tasked with the everyday running and maintenance of the information-handling systems. As a result, many efforts to document information flows start from the bottom up, with administrators, front-line staff and IT.
Although this is a useful way to start a conversation about vulnerabilities, it must be complemented by a top-down approach. A large share of preventable information compromises can be traced back to decisions made on the business side of the information equation, where collaborative systems, people and business processes expose information objects (e.g. forms, records, spreadsheets) to disclosure.
Information is at risk at rest (in a database or document store), in transit (passed between systems and/or people) and in use (during processing or in client-facing use cases). Information architecture models all three states (see sample diagram), in both online and offline scenarios.
Classifying Information Objects
A first step in identifying potential areas of vulnerability is to analyse and classify the content of the information objects in use, both internal ones and those shared externally with partners and customers. Start with the most sensitive information items.
Many business information objects are hybrids of different information records. An order, for instance, may contain public information such as product SKUs and descriptions, but if an itemised web order also carries credit card details, the classification of the business object rises from Public to Sensitive Financial: an object is classified at the level of its most sensitive field, not at the level of the bulk of its content.
Classification is driven by content. A typical framework pigeonholes documents and information at a business level into the following:
- Secret
- Sensitive Financial
- Sensitive Medical
- Sensitive Personal
- Restricted (Internal) use
- Public
Secret (not usually employed in most public organisations) and Sensitive data structures should always receive the most rigorous system and business-unit security, to protect them from disclosure to internal or external eavesdroppers. The 'chain of custody' for sensitive information must be discovered, and ownership and stewardship of each object assigned for its whole lifetime. This includes analysing the CRUD (Create/Read/Update/Delete) operations performed against each object type, which shows where, and by whom, each object is written, read, copied or destroyed.
Information object vulnerability is assessed within a space defined by:
- Business Process steps.
- Document Sensitivity.
- Internal /external sharing.
- Interface Mechanism and protocols.
- Data Store protections and ownership.
The vulnerability of each object is a function of all of these factors; combining and weighting them scores the potential for an information breach. Information architecture lets enterprise designers 'follow the information' as it flows around the organisation. Each business object has many factors affecting its vulnerability at each point in that flow, and assessing them yields a vulnerability score for the object at each location.
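The following is an added worked example, not code from the original article and not TOGAF or SABSA material. It ties the two ideas above together: a hybrid object (the itemised web order from the classification section) is classified at the rank of its most sensitive field, and each hop in its flow is then scored from the five factors listed above (process step and CRUD operations, sensitivity, internal/external sharing, interface mechanism, data store protection). The weights, the interface risk values, and the sample order and its flow are all constructed assumptions for illustration; a real assessment would calibrate them against the organisation's own controls.

```python
from dataclasses import dataclass

# Classification levels from the article, ranked. A hybrid object takes the
# highest rank of any field it carries; the three Sensitive categories share a
# rank, but the labels are kept so the right control regime can be chosen.
RANK = {
    "Public": 0,
    "Restricted": 1,
    "Sensitive Personal": 2,
    "Sensitive Financial": 2,
    "Sensitive Medical": 2,
    "Secret": 3,
}

# Constructed weights and interface risk values for this illustration only.
WEIGHTS = {"sensitivity": 3, "external": 2, "interface": 2, "store": 2, "mutation": 1}
INTERFACE_RISK = {"https": 0, "sftp": 0, "db-internal": 0, "csv-export": 1, "http": 2, "email": 2}


@dataclass
class InfoObject:
    """A business information object: a name and its fields with content labels."""
    name: str
    fields: dict  # field name -> classification label

    def rank(self) -> int:
        """Rank of the most sensitive field; this is the object's classification level."""
        return max(RANK[label] for label in self.fields.values())

    def classification(self) -> str:
        """Label(s) at the top rank, joined with '/' when several share it."""
        top = self.rank()
        return "/".join(sorted({l for l in self.fields.values() if RANK[l] == top}))

    def derive(self, name: str, drop: set) -> "InfoObject":
        """A derived object (an export, a report) that omits some fields, reclassified from content."""
        return InfoObject(name, {k: v for k, v in self.fields.items() if k not in drop})


@dataclass
class Hop:
    """One step in the object's flow, described by the factors listed in the article."""
    step: str
    ops: str               # CRUD letters applied at this step
    external: bool         # shared outside the organisation?
    interface: str         # mechanism/protocol, keyed into INTERFACE_RISK
    store_protected: bool  # is the data store access-controlled and owned?


def hop_score(obj: InfoObject, hop: Hop) -> int:
    """Weighted exposure score for one object at one hop; higher means more exposed."""
    score = WEIGHTS["sensitivity"] * obj.rank()
    score += WEIGHTS["external"] if hop.external else 0
    score += WEIGHTS["interface"] * INTERFACE_RISK[hop.interface]
    score += 0 if hop.store_protected else WEIGHTS["store"]
    # Create/Update/Delete steps are places where the object is written and can be copied.
    score += WEIGHTS["mutation"] if set(hop.ops) & set("CUD") else 0
    return score


def follow_the_information(obj: InfoObject, hops: list) -> list:
    """Score every hop and return (step, score) pairs, most exposed first."""
    return sorted(((h.step, hop_score(obj, h)) for h in hops), key=lambda p: -p[1])


# Constructed sample: an itemised web order and the path it takes through the business.
ORDER = InfoObject("web order", {
    "sku": "Public",
    "description": "Public",
    "card_number": "Sensitive Financial",
    "customer_email": "Sensitive Personal",
})
ORDER_FLOW = [
    Hop("Checkout form", "C", external=True, interface="https", store_protected=True),
    Hop("Order database at rest", "RU", external=False, interface="db-internal", store_protected=True),
    Hop("Finance export to partner", "R", external=True, interface="email", store_protected=False),
    Hop("Customer service screen", "R", external=False, interface="https", store_protected=True),
]

if __name__ == "__main__":
    print(ORDER.name, "->", ORDER.classification())
    for step, score in follow_the_information(ORDER, ORDER_FLOW):
        print(f"{score:3d}  {step}")
    # Dropping the card number from the export reclassifies the derived object and lowers its score.
    export = ORDER.derive("partner export", drop={"card_number"})
    print(export.name, "->", export.classification(), hop_score(export, ORDER_FLOW[2]))
```

With these constructed values the partner export by e-mail from an unprotected store scores highest, which is the hop an architect would address first; the same code shows that the export's score drops only when the derived object actually sheds its sensitive fields, not merely because it is a copy.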
Summary
Once the vulnerability score is calculated, the classification makes it easier to put protections in place for the data. An architect can use a framework such as SABSA to turn the scores into recommendations to the business. Data stewardship groups can assign business ownership to information objects independently of their system locations, by using dependency checkers or by tagging the objects in their systems of origin.