The theory is relatively simple: Information can be created and repeatedly shared at negligible cost, but cannot be easily deleted with any assurance regardless of the cost, and its value depends upon assurance of its provenance and confidentiality.
In other words, information is cheap; the challenge is proving it is correct and has not been shared.
This is a business management challenge, although technology is undoubtedly relevant, so we need to focus on what this means in the business context.
The obvious conclusion is that your business records should be stored using the most reliable technology affordable, using the most resilient technology to prove that they are correct, and the most secure technology to ensure they are only shared with authorised users, but ultimately success or failure will depend on your business processes and the behaviour and actions of your authorised users.
The principal officer of a business may quite naturally demand access to all business records, but this creates a single point of failure that will affect all business records in the event of their authorised user credentials being compromised, so we need to consider why they need such access and how they would use it in practice, in order to identify access controls that satisfy their requirements, without compromising the security of the entire organisation and all interested parties.
If we could solve this challenge, then it would be reasonable to assume that the principal officer of the business could delegate responsibility for specific business records to relevant authorised users, and would quite naturally require them to accept similar access controls to protect the business and all interested parties in the event of their authorised user credentials being compromised.
It would also seem reasonable to assume that any cyber-attacks against such a business would be disproportionately difficult, time-consuming and expensive, relative to the security of the underlying technology, as a direct consequence of controlling data access on a need-to-know basis, and that this would significantly reduce the probability of attackers being sufficiently motivated to succeed.
Technology is critically important for any realistic implementation, but this should highlight the dependencies on the decisions and active participation of the management team.
It also highlights the dependencies on third parties within the information supply chain, and on their implementation of Secure by Default principles and practices, including all organisations involved in the creation, validation and operation of technology and equipment used to manage the business.
Finally, it places constraints on the design, development, validation, distribution and operation of the technology, because the officers of each business will need compelling evidence that they can trust the technology to act as expected, and that every opportunity has been taken to mitigate potential errors or omissions that might compromise security of the records the business relies upon.