News: 1732086909

  ARM Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life (Terry Pratchett, Jingo)

Data is the new uranium – incredibly powerful and amazingly dangerous

(2024/11/20)


Column I recently got to play a 'fly on the wall' at a roundtable of chief information security officers. Beyond the expected griping and moaning about funding shortfalls and always-too-gullible users, I began to hear a new note: data has become a problem.

A generation ago we had hardly any data at all. In 2003 I took a tour of a new all-digital 'library' – the [1]Australian Centre for the Moving Image (ACMI) – and marveled at its single petabyte of online storage. I'd never seen so much, and it pointed toward a future where we would all have all the storage capacity we ever needed.

That day arrived not many years later when Amazon's S3 quickly made scale a non-issue. Today, plenty of enterprises manage multiple petabytes of storage and we think nothing about moving a terabyte across the network or generating a few gigabytes of new media during a working day. Data is so common it has become nearly invisible.

[2]

Unless you're a CISO. For them, more data means more problems, because it's stored in so many systems. Most security execs know they have pools of data all over the place, and that marketing departments have built massive data-gathering and analytics engines into all customer-facing systems, and acquire more data every day.

[3]

[4]

But they're mostly unable to identify all the data they hold, and are unsure if those who collect it understand the reputational and financial risks of a data breach – blame for which lands on a CISO's desk no matter who messed up.

CISOs therefore increasingly feel that the cost of managing data sometimes exceeds its value. Those I observed have found themselves wishing for a world with less data that needs securing.

[5]

While few CISOs would make that suggestion publicly – and fewer have any idea how to manage that feat – they do see the business proposition of "big data" shifting from a net positive to net negative.

[6]Copilot's crudeness has left Microsoft chasing Google, again

[7]AI has colonized our world – so it's time to learn the language of our new overlords

[8]AI stole my job and my work, and the boss didn't know – or care

[9]Big Tech's eventual response to my LLM-crasher bug report was dire

Welcome to the latest movement in IT's endless swings and roundabouts. Just as we've seen the center/edge debate in computing shift back and forth repeatedly over the last 50 years, we're now seeing emergence of another debate: data value versus data cost.

The mantra at the start of this debate – "data is the new oil" – looks to be replaced by another, [10]more accurate assessment : "data is the new yellowcake." For the unfamiliar, yellowcake is a radioactive, toxic, uranium oxide that can be further refined into a range of both very helpful and apocalyptically terrifying products.

Yellowcake and its derivatives also create a critical storage problem which, if mismanaged, draws intense attention from governmental and anti-governmental interests.

The best place for uranium is [11]in the ground – undisturbed, slowly decaying into lead. If we don't concentrate it, we don't have to manage the consequences.

[12]

Will we make the same decision about data? We concentrate data to increase its value – simultaneously amplifying the danger to our organizations. Beyond a certain point, organizations could well outrun their ability to manage their concentrated data securely – which could then lead to the whole situation going supercritical.

We don't know what a "data Chernobyl" might look like. With luck, we'll never see it. But playing with fire while relying on luck to keep us safe seems a guarantee for disaster. In order to keep data at arm's length, we've got to find our equivalent of the ' [13]glove box ' – managed carefully, and with a full awareness of the risks and costs of an accidental spill. ®

Get our [14]Tech Resources



[1] https://www.acmi.net.au/

[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cso&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2Zz3BVVPLBgOPLAjC-o4zWwAAAE8&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0

[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cso&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Zz3BVVPLBgOPLAjC-o4zWwAAAE8&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cso&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Zz3BVVPLBgOPLAjC-o4zWwAAAE8&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cso&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Zz3BVVPLBgOPLAjC-o4zWwAAAE8&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[6] https://www.theregister.com/2024/10/09/copilot_vs_notebooklm/

[7] https://www.theregister.com/2024/09/11/delvish_llm_language/

[8] https://www.theregister.com/2024/08/15/robot_took_my_job/

[9] https://www.theregister.com/2024/07/10/vendors_response_to_my_llmcrasher/

[10] https://www.theregister.com/2024/05/23/cisco_survey_2024/

[11] https://www.theregister.com/2017/06/02/uranium_producing_bacteria_underground/

[12] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cso&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Zz3BVVPLBgOPLAjC-o4zWwAAAE8&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[13] https://www.nuclear-shields.com/nuclear-shielded-glovebox.html

[14] https://whitepapers.theregister.com/



Headley_Grange

It's a poor analogy. Uranium is intrinsically dangerous. Data is harmless until people do bad things with it.

hh121

Refined data might be (relatively) harmless when held by the white hat that refined it ("don't be evil" anyone?), but if it gets into the wrong hands...this is what CISOs are bricking themselves about. Seems like pretty apt analogy to me.

Nothing's going to stop most of these data gathering and refining exercises though, unless they are made illegal or highly regulated.

Anonymous Coward

I hope this catches on. Less data gathering could be very positive move for cost control and everyone's happiness.

Data is worthless

Harry Kiri

Data has no value. Information extracted from data has value. Just storing data and hoping for the best is bottom-up nonsense. You should understand what problem you're trying to solve, from this derive an approach and the data (and its quality) you need to support that. Data supports something you specifically want to do, its not an end in itself.

"We don't know what a 'data Chernobyl' might look like"

Pascal Monett

I imagine that the tens of millions of people who've already had their identity stolen and their bank accounts abused (not to mention their credit rating) might have a slight notion of what that might look like . . .

Good trend

veti

Someone - and I'm thinking CISOs as a group are better placed to do this than most anyone else - needs to quantify the true cost of collecting and keeping data. Then send that bill to the people (mostly marketing, I imagine) who do it.

Then maybe anyone who wants to add a new tracking cookie will need to submit a cost-benefit analysis. Maybe that will slow them down a bit.

The best place for uranium is in the ground

Neil Barnes

Unless you need it for something useful, like keeping the lights on.

So perhaps not the best analogy; I remain unconvinced about the benefits of critical masses of information. Mostly, _that's_ best left in the ground.

Glad to hear it's being discussed

Guy de Loimbard

Just because we can store data and keep doing so until either the cost of the cloud storage goes through the roof, or our NAS/SAN is full, doesn't mean we should.

The problem is as much about scalability without any real thought, as it is about whether we should be collecting so much data in the first place.

Just look at your classic office user, look at how large their email storage is, if it has a quota limit at all. Reams of inboxes have mega/terabytes of crap stored just because "I may need it" and there's no consequences if you don't manage it, until it's full of course.

My analogy to most users is: "If that was physical mail coming through your post box, you would have got rid of most of it within a matter of a day or two, why are you storing emails from 10 years ago?"

"Unlimited storage" is baked into the cost of your licensing most of the time, but it's well hidden to the point it doesn't appear to have an empirical value that can be scrutinised.

So, until we re-educate data users, we've got a long way to go before we can secure it all.

Oh My God! They Killed init! You Bastards!

-- From a Slashdot.org post