Definition of an expert -- someone who's read the next chapter in the textbook, and knows what's coming.
Hopefully I can share with you my thoughts about what's coming next in security.
First, I am no security expert. I can't even fake it well. But I like to consider myself a thoughtful watcher of information trends, and try to bring a different perspective.
The idea is information security -- and I'd like to attempt an explanation as to what it is, why I think it will be the dominant security model in the coming years, and what technology capabilities will be needed to implement it.
Hopefully, we'll dig into details later; for now, I'll try to keep to what I think are the core concepts.
Security Today
The first concept is a description of where most security focus seems to be today -- protecting the perimeter around information. The dominant model appears to be protecting the containers and paths the information passes through: the network, the server, the application.
At the risk of oversimplifying, the goal is to keep the bad guys and the bad stuff out.
That's fine, but in many regards, I'd offer that this model is reaching its limits. More often than not, once I'm authenticated for access to a resource, I'm free to do pretty much whatever I choose with the information I can access.
I can save sensitive information on my laptop or a file share. I'm free to print it out. It's OK to email it to someone else. Maybe I'll put it on a flash drive and take it home. Once I get permission to access it, it's all mine.
Feel free to send me your stern memos about policies and procedures. If I choose to ignore them, there's not too much you can do.
I felt sorry for the poor guy at the VA last summer. Downloaded a bunch of sensitive data to his laptop, took it home to work on a few queries and reports, and the laptop got stolen. Turned into a congressional investigation.
How many of us didn't have a sobering moment when we heard the story?
The Context Is Changing -- Fast!
The second concept is that the societal context is changing -- perhaps faster than anyone expected.
If personally identifiable information (names, phone numbers, addresses, health records, etc.) gets out into the wild, you have to disclose it to the people who are affected.
1996 Direct Mail Campaign: "You May Have Won $1 Million!".
2006 Direct Mail Campaign: "You May Have Lost $1 Million!".
I will not be surprised if -- in a few years -- lawmakers pass a rule that basically says: if you store personally identifiable information in any form, you must keep it encrypted at all times, and provide an audit trail of who accessed it, when, and for what purpose.
This is a very different problem, with a very different context, than most security thinking. But I and others think it will be the dominant model in just a few years.
Think HIPAA with a whole lotta more teeth in it.
So, what's the answer?
The third concept is that the basic viewpoint has to change -- I (and others at EMC) believe that the primary focus going forward will need to be on protecting the information elements themselves.
Protecting the containers and the transports can only get you so far.
It's a fundamental shift in perspective, but it's the only one I can see that has a hope of adequately addressing the challenge. Unless we focus on directly protecting the information -- who can use it, under what circumstances, independent of infrastructure -- we'll all be doomed to a duct-tape-and-rubber-band sort of approach.
Key technologies required
One key technology will be DRM -- digital rights management. Encrypt the information item in an envelope that can't be opened unless the user is authenticated and policy allows that particular use.
Think iTunes for corporate data.
BTW, this implies that sensitive information has metadata (at minimum, a sensitivity label and the policy that goes with it), which also implies a repository of some sort. It also implies some tool set that can scan information sources and identify candidates for information that ought to be better secured.
Another key technology will be identity management -- proving who you are, no matter what kind of device or application you're using. Ideally, an ability to force on-the-spot authentication using a variety of means depending on context.
You'll need a good centralized coordination infrastructure to bridge the link between information and identities: tools to create policies and profiles, authenticate (or deny) in real time, plus logging and auditing and all that it entails.
And finally, you'll need application integration -- the ability for secured information objects to appear in context dynamically, but with use restricted.
Example: you can see the document, but you can't save the sensitive bits -- those have to come from the repository. You can try to save the bits to a flash drive, but you'll only end up with Swiss cheese: there will be holes where the sensitive bits aren't there, because you're not authenticated. Same with printing, or emailing.
Sensitive information will have different rules, which applications will learn to comply with.
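To make the four pieces above concrete, here is an added example (mine, not code from the post or from any EMC product) of the minimal shape they take together: a repository that holds a per-document key, seals each sensitive field with AES-GCM, decides per (role, purpose, label) whether an application may unseal a field, renders the "Swiss cheese" view when it may not, and logs every decision. The field labels ("public", "pii", "health"), the "role|purpose" rule format and the record fields are all assumptions made for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"strings"
	"time"
)

// Field is one information element. Before Seal, Plain holds the value. After
// Seal, public fields keep Plain; every other field carries only nonce||AES-GCM
// ciphertext, which is all a copy, backup or email of it would contain.
// The labels "public", "pii" and "health" are an assumed taxonomy.
type Field struct {
	Name, Label, Plain string
	Sealed             []byte
}

// AuditRecord answers "who accessed what, when, for what purpose, and was it allowed".
type AuditRecord struct{ When time.Time; Who, DocID, Field, Purpose, Decision string }

// Repository is the only place document keys live, so every unseal is both a
// policy decision and an audit entry. rules maps "role|purpose" to labels.
type Repository struct {
	keys  map[string]cipher.AEAD
	rules map[string][]string
	Audit []AuditRecord
}

func NewRepository(rules map[string][]string) *Repository {
	return &Repository{keys: map[string]cipher.AEAD{}, rules: rules}
}

func (r *Repository) allows(role, purpose, label string) bool {
	for _, l := range r.rules[role+"|"+purpose] {
		if l == label {
			return true
		}
	}
	return false
}

// aad ties each ciphertext to its document, field and label, so a sealed field
// cannot be relabelled or moved to another document without Open failing.
func aad(docID, name, label string) []byte { return []byte(docID + "|" + name + "|" + label) }

// Seal encrypts every non-public field under a fresh per-document AES-256 key.
func (r *Repository) Seal(docID string, fields []Field) ([]Field, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(key) // cannot fail for a 32-byte key
	aead, _ := cipher.NewGCM(block)
	var sealed []Field
	for _, f := range fields {
		if f.Label != "public" {
			nonce := make([]byte, aead.NonceSize())
			if _, err := rand.Read(nonce); err != nil {
				return nil, err
			}
			f.Sealed = aead.Seal(nonce, nonce, []byte(f.Plain), aad(docID, f.Name, f.Label))
			f.Plain = ""
		}
		sealed = append(sealed, f)
	}
	r.keys[docID] = aead
	return sealed, nil
}

// Render is what an integrated application calls. A sensitive field is unsealed
// only if policy permits this (role, purpose, label); otherwise the output has a
// hole where the field would be. Either way the decision is logged.
func (r *Repository) Render(docID string, fields []Field, who, role, purpose string) (string, error) {
	aead, ok := r.keys[docID]
	if !ok {
		return "", fmt.Errorf("no key for document %s", docID)
	}
	var lines []string
	for _, f := range fields {
		value, decision := f.Plain, "public"
		if f.Label != "public" {
			value, decision = "["+f.Label+" withheld]", "denied"
			if r.allows(role, purpose, f.Label) {
				if len(f.Sealed) < aead.NonceSize() {
					return "", fmt.Errorf("field %s: truncated", f.Name)
				}
				ns := aead.NonceSize()
				pt, err := aead.Open(nil, f.Sealed[:ns], f.Sealed[ns:], aad(docID, f.Name, f.Label))
				if err != nil {
					return "", fmt.Errorf("field %s: %w", f.Name, err)
				}
				value, decision = string(pt), "granted"
			}
			r.Audit = append(r.Audit, AuditRecord{time.Now(), who, docID, f.Name, purpose, decision})
		}
		lines = append(lines, f.Name+": "+value)
	}
	return strings.Join(lines, "\n"), nil
}
```

Two design points worth noticing. The sealed fields are what a laptop, file share or backup tape would actually hold, so the "encrypt the backups" problem really is solved by construction; and because the key never leaves the repository, a stolen copy of the document is useless without a live, logged policy decision. The additional data bound into each ciphertext is what stops a user from simply relabelling a "health" field as "public" in a copied file.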
A Mental Exercise
So, imagine a world where all sensitive personal information is protected by DRM, and lives in a repository. Protected information can be accessed as needed, but won't be usable unless you're authenticated to use it in a particular context, and nothing more. Of course, the fact that you used it in some fashion is fully logged for later analysis if needed.
Think, just for a moment, all the thorny problems that go away:
- The "need to encrypt backups" problem goes away, by definition: the stored form is already ciphertext, and the keys stay in the repository
- The "need to lock down desktops, USB ports, mobile devices, etc." largely goes away
- The "who accessed what information, when" problem goes away
- And, as rules and roles change, it's easy to change a few policies, and everything works
Now, maybe I'm being a bit optimistic here, but does anyone want to propose an alternative approach to the problem?
How about welding all USB ports shut? Disabling all printer ports? How about prohibiting email? Encrypting every backup, and managing every key? The alternatives are not appetizing.
Look, sensitive information should live in a repository, anyway. All I'm proposing is to add some DRM, tie in identity management, extend existing policy and assurance mechanisms a bit, and you're pretty much done.
Can people find holes in this? You bet.
No one has figured out (yet!) how to protect against someone with a digital camera taking pictures of a computer screen.
And yes, just about any DRM can be cracked: the application that displays the information has to hold the key at the moment of use, so someone who controls that machine can eventually extract it (or get lucky).
And of course, the old saw is true, the tools are only as good as the people who use them.
But -- just for a moment -- think about all the sensitive information lying around that's sitting in clear text. Think about our total lack of ability to figure out who's seen what, and what they've done with it.
And ask yourself -- do you feel secure that your personal information is being adequately protected?
I know I don't ...
Use Cases -- Where First?
I'm going to go out on a limb here a bit.
EMC has assembled many of the technologies required (Documentum, RSA, Authentica -- to name a few), and we're starting to deploy them in use cases that approximate what I'm describing here.
Where are we going to see this technology deployed first?
Sensitive government information is a quintessential use case. It's obvious why -- "protecting the information" makes sense in this context -- sensitive information has been labelled ("Top Secret") and policy controlled ("Eyes Only") for many decades -- so there's a model that simply has to be translated to the digital world. It doesn't take a huge leap of faith to see the information security model I've described working for this world.
The real question is -- what's next?
I think financial information (credit cards, related addresses, etc.) might be next. The penalty of screwing up is that your customers get their identity stolen, which not only costs money, but can be actionable in a court of law, besides making great headlines. Where the stakes are high, companies are likely to invest. Trust me, in the end, it's all about money.
Health care information might seem obvious to some, but I'd argue that the penalties for screwing up aren't severe enough to force behavior change, IMHO. Ever heard of a major court judgment against a health care company for leaking out medical records? Sad, but not expensive.
Insurance companies might be a surprise candidate. In an effort to manage risks better, they collect an enormous amount of information on their customers. Fine, up to a point. And if it leaks out, people are gonna be real upset.
So, are you ready for a paradigm shift?
The world of security is all about identifying and remediating threats. But sometimes new classes of threats force a model change.
I'm arguing that when one considers protecting the information (vs. protecting the infrastructure), it's enough to force a model change.
And -- I encourage you to do two things.
First, watch carefully when and where this sort of information-centric approach is adopted. I've found that watching where new technology is first deployed gives you a better sense of what the actual value might be, so it's illustrative.
But, more importantly, decide whether this trend applies to you, and -- ultimately -- when it's going to be an issue for you, your company and your situation.
No saying whether this is the next chapter in the security textbook -- but, if it is -- hopefully you can get ahead of the curve and be an "expert".