Complexity and Implementation
I selected the email example on Information Centricity for a couple of different reasons. One was based upon several blog posts out there talking about what changes would need to be made to the infrastructure, or basically ‘how do we get there from here’. And now that I have seen Mike Rothman’s comment that “I'm not going to be so bold as to say it isn't happening, but it's nothing I've seen before”, I am glad I did. When you start thinking about how to implement Information Centricity, let’s say in an SAP environment, it’s enough to make your head explode. I wanted to start small to demonstrate a couple of ways Information Centricity addresses security issues in a changing IT landscape.
As email is ubiquitous, and email tools are prevalent, I felt that this was a good illustration. All I really need from the technical side is for a tool kit/extension onto my favorite email tool that can handle keys, digital signatures and encryption. From a people/process side, I simply need agreement on what we will use and the exchange of keys. This is not a big change in technology. But it is a fairly significant change in perspective.
The typical IT security model is to start with systems & processes to perform business functions, and then patch security on top through various preventative and detective controls as new threats emerge. With Information Centricity, we start with secure data. Then we embed rules on how and when it gets used. It doesn’t mean we are throwing existing systems out, rather we are changing the nature of the information that flows through them. Systemic rather than additive. Assume insecure and uncontrolled, then enable as trust is established.