I predict this will be a watershed moment in terms of focus on security of DATA, and (thankfully) take the primacy away from perimeter, network and host security (which in my opinion has consumed an inordinate share of attention, leaving the ONLY UNIQUE [information security] AND IRREPLACEABLE ASSET EACH ORGANIZATION HAS – their data – to languish in insecure obscurity. Let’s hope this helps get those infosec security audit & remediation efforts refocused on the ASSETS, not on the IMPACT, part of the threat analysis equation.
Not to underestimate the efforts this will kick off, I believe those truly interested in securing the privacy and confidentiality of their customers’ data (credit cards, PII and other privacy-occluded data) will have to spend considerable effort on:
- re-examining their business process data flows, and the processes for assuring the security of the data at all stages (and throughout the process) in its storage, processing and transmission
- cryptography and key management – not just in implementing “encryption”, but in ensuring that the implemented encryption isn’t just an obfuscation step – that the encryption provides real security benefit against the expected (and likely) threats
- backup and recovery processes, to ensure data is handled in “archived” form just as securely as in “live” form
- ensuring they have good reasons to collect any and all data from or about their customers, and having solid justification for storing any of that data (whether short- or long-term).