I delivered the Information Centric Security Lifecycle presentation at Tech Target ISD. In it I went over all of the phases of the lifecycle, from creation to destruction, and discussed all of the tools and methods one might employ, along with a couple of different models for Information Centric Security. At the end I was asked a question from the audience about "Where Do I Start? If I wanted to begin this at my company today, where would I start?"
It is a surprisingly simple question, but one that I am not accustomed to answering, and I think that I did a poor job of addressing it. I basically pointed the guy back to the lifecycle and said "If it's new data, go through this process. If it is existing data, go through this process". Technically sound, but not very helpful. If you are working at a large firm with hundreds of legacy systems and data strewn all over the place, the challenges are far greater than that. It's not just a question of picking a model and adopting it, but what data, what tools, what policies, what security model, and how do all of these choices affect every single thing I do in IT, adversely or otherwise.
I have talked about different ICS models in previous ICS Posts. One of the Information Centric Security Models that I am a big fan of, the virtualized application space, limits the scope of use for data to that application space, and implements its security and privacy policies based upon the assumptions of a small domain of users and functions. The downside of the model is that this does not take into account other applications, and does not readily adapt to generic data at the end points. It's more focused than that, and while it can provide a very granular data security model, as well as mediate end user and corporate data security policies, it is lacking in flexibility. The digital rights management systems that I have seen that mimic this model do not account for the data sprawl problem and do not assist the IT professional in getting a handle on existing data.
I realize that in the adoption of Information Centric Security, the Data Loss Prevention (DLP) vendors that are moving into this space have done something very pragmatic, and very right, in that they are somewhat agnostic in their securing of information. The idea is to analyze and protect everything that they can view, from the network to the end point. They proceed from the premise both that they are not aware of all of the information that is on the network, and that users will try to bypass the controls. To address this, they set up the application at logical choke points (user's machine, network), and constantly scan, analyze and enforce. This is why I tend to call DLP a data centric security model as opposed to ICS, and I tend to criticize its general efficiency. Still, there is a tremendous practicality in the approach, for it automates much of the discovery, analysis, protection and policy enforcement on an existing body of data as it moves around an enterprise. It provides the means to move from a network or host based security philosophy to an information centric one. I assume that the vendors will migrate into being application context aware in the future, but for now, what they offer may be enough for most enterprises.
I did not get up on stage and pitch DLP, but I must say that the tools and approach of DLP do offer an advantage when considering how to move to a data centric security model. If you are wondering where to start, the content discovery, analysis and generic policy enforcement tools within many of the DLP suites offer some advantages.
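To make the "discover, analyze, enforce" loop above concrete, here is an added example (my own illustration, not code from the post or from any DLP product) of the three stages a DLP content-discovery engine runs at a choke point: scan a body of files for sensitive content, classify each file from what was found, and map the classification plus the destination channel to an enforcement action. The sample files, the detector set (a Luhn-checked card number, a US SSN pattern, a "CONFIDENTIAL" marking) and the policy table are all constructed for the example; a real deployment would use a far larger detector library and a policy tied to the organization's data classification scheme.

```python
import re
from typing import Callable, Dict

# Constructed sample corpus: an in-memory stand-in for files discovered on
# endpoints and file shares. All contents are made up for this example.
SAMPLE_FILES: Dict[str, str] = {
    "hr/payroll_2024.csv": "name,ssn,card\nAlice,123-45-6789,4111 1111 1111 1111\n",
    "eng/readme.txt": "Build with make. Order number 1234-5678 is not a card.\n",
    "legal/contract.txt": "CONFIDENTIAL - Do not distribute outside the company.\n",
    "public/press_release.txt": "We are pleased to announce a new product line.\n",
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so that arbitrary digit runs are not reported as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def count_cards(text: str) -> int:
    """Count 13-19 digit sequences (spaces/dashes allowed) that pass Luhn."""
    hits = 0
    for m in re.finditer(r"\b(?:\d[ -]?){12,18}\d\b", text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits += 1
    return hits


# Detector library: name -> function returning the number of matches.
DETECTORS: Dict[str, Callable[[str], int]] = {
    "credit_card": count_cards,
    "ssn": lambda t: len(re.findall(r"\b\d{3}-\d{2}-\d{4}\b", t)),
    "confidential_marking": lambda t: len(re.findall(r"\bCONFIDENTIAL\b", t)),
}


def analyze(text: str) -> Dict[str, int]:
    """Stage 2: run every detector and keep only those that fired."""
    findings = {}
    for name, detector in DETECTORS.items():
        n = detector(text)
        if n:
            findings[name] = n
    return findings


def classify(findings: Dict[str, int]) -> str:
    """Derive a classification label from the findings (highest sensitivity wins)."""
    if "credit_card" in findings or "ssn" in findings:
        return "restricted"
    if "confidential_marking" in findings:
        return "internal"
    return "public"


# Stage 3: (classification, destination channel) -> action at the choke point.
# Anything not listed is allowed; constructed policy, not a vendor default.
POLICY = {
    ("restricted", "external"): "block",
    ("restricted", "removable_media"): "block",
    ("restricted", "internal_share"): "log",
    ("internal", "external"): "quarantine",
    ("internal", "removable_media"): "log",
}


def enforce(classification: str, destination: str) -> str:
    return POLICY.get((classification, destination), "allow")


def discover(files: Dict[str, str]) -> Dict[str, str]:
    """Stage 1: walk the corpus and classify each file from its content."""
    return {path: classify(analyze(text)) for path, text in files.items()}


if __name__ == "__main__":
    inventory = discover(SAMPLE_FILES)
    for path, label in inventory.items():
        print(f"{path:28} {label:10} external-> {enforce(label, 'external')}")
```

Running the block prints one line per file with its label and the action that would be taken if the file were sent outside the company; the payroll file is blocked, the contract is quarantined, and the readme and press release pass. The Luhn check is the piece worth noting: without it the order number style digit runs that litter ordinary documents inflate the false-positive rate, which is exactly the "general efficiency" problem the post raises about scanning everything in sight.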