Sure enough, we are starting to see some more posts on the subject. Rich Mogull took up the charge and put the stake in the ground with some guidelines for defining what constitutes an information centric security model. I am glad he did this, both because I think he did a great job and because I realize I cannot. While I am a big proponent, I have far too many pre-conceived notions about this type of security to provide a neutral definition that does not pre-suppose some deployment strategies. I am thankful he took the first step, and some of the heat, for proposing this model.
What I want to do to take this one step further is provide a tangible example of this model. I want to provide the simplest example of what I consider to be information centric security. I have never spoken with Rich directly on this subject and he may completely disagree, but this is one of the simplest examples I can come up with. It embodies the basic tenets, but it also exemplifies the model’s single greatest challenge. Of course there is a lot more possible than what I am going to propose here, but this is a starting point.
Consider a digitally signed email encrypted with PGP as a tangible example.
Following Rich Mogull’s defining tenets/principles post:
- The data is self describing as it carries MIME type and attachment, or you can encrypt the payload and leave the business context (SMTP email header) exposed.
- The data is self defending in both confidentiality (encrypted with the recipient’s public key) and integrity (digitally signed by the sender).
- While the business context in this example is somewhat vague, it can be supplied in the email message itself, or added as a separate packet and interpreted by the application(s) that decrypt, verify the hash or read the contents. Basically, it’s variable.
- The data is protected in motion, does not need network support for security, and really does not care about the underlying medium of conveyance for security, privacy or integrity. The verification can be performed independently once it reaches its destination. And the payload, the message itself, could be wrapped up and conveyed into different applications as well. Trouble ticket and customer relationship management applications are but two examples of changing business contexts.
- The policies can work consistently provided there is an agreed-upon application process. I think Rich’s intention was business processing, but it holds for security policies as well. Encryption provides a nice black & white example, as anyone without the appropriate private key is not going to gain access to the email message. Embedded business rules and processes should have some verification that they have not been altered or tampered with, but cryptographic hashes can provide that. We can even add a signed audit trail, verifiable by the receiving parties, within the payload.
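As an added example, not code from the original post, here is the envelope described above in Go: the business context (the header) stays exposed, the body is signed by the sender and encrypted to the recipient, and the recipient verifies both at the destination with no help from the transport. It stands in for PGP with Ed25519 and RSA-OAEP from the Go standard library, and the addresses and ticket text are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is the self-describing unit: headers stay readable, the body is sealed.
type Envelope struct {
	Headers string // business context left exposed (From/To/Subject)
	Body    []byte // RSA-OAEP(signature || message) with Headers as the OAEP label
}

// Seal signs msg with the sender's Ed25519 key, then encrypts signature and message to
// the recipient's RSA key; the OAEP label ties the exposed headers to the sealed body.
func Seal(sender ed25519.PrivateKey, to *rsa.PublicKey, headers string, msg []byte) (*Envelope, error) {
	signed := append(ed25519.Sign(sender, msg), msg...)
	body, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, to, signed, []byte(headers))
	if err != nil {
		return nil, err
	}
	return &Envelope{Headers: headers, Body: body}, nil
}

// Open decrypts with the recipient's private key and verifies the sender's signature;
// it needs nothing from whatever network carried the envelope.
func Open(recipient *rsa.PrivateKey, from ed25519.PublicKey, e *Envelope) ([]byte, error) {
	plain, err := rsa.DecryptOAEP(sha256.New(), nil, recipient, e.Body, []byte(e.Headers))
	if err != nil || len(plain) < ed25519.SignatureSize {
		return nil, errors.New("decrypt failed: wrong recipient key, or body/headers altered")
	}
	sig, msg := plain[:ed25519.SignatureSize], plain[ed25519.SignatureSize:]
	if !ed25519.Verify(from, msg, sig) {
		return nil, errors.New("signature does not verify against the claimed sender")
	}
	return msg, nil
}

func main() {
	alicePub, alicePriv, _ := ed25519.GenerateKey(rand.Reader) // constructed sender keys
	bobKey, _ := rsa.GenerateKey(rand.Reader, 2048)            // constructed recipient key
	hdr := "From: alice@example.com\r\nTo: bob@example.com\r\nSubject: ticket 4471\r\n"
	env, _ := Seal(alicePriv, &bobKey.PublicKey, hdr, []byte("Please close ticket 4471."))
	msg, err := Open(bobKey, alicePub, env) // verified at the destination, offline
	fmt.Printf("%q %v\n", msg, err)
}
```

Direct RSA-OAEP caps the message near 126 bytes with a 2048-bit key; PGP instead encrypts a random session key to the recipient and uses that key for the body.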
I might add that there should be independent ‘Brokerage’ facilities for dispute resolution or verification of some types of rules, process or object state in workflow systems. If recipients can add or even alter some subset of the information, whose copy is the latest and greatest? But anyway, that is too much detail for this example.
The fundamental problem with this model? People. If you do not trust the recipient or user of the data to whom you have provided credentials, the model does not provide privacy. Untrustworthy recipients can leak sensitive information. In our example, hopefully we did not send the email message to them, but obviously we do not always know who we can trust, or under what circumstances we trust a person. This is serious, but no less of a problem than in just about every other information usage and sharing system ever created.
A note on DLP and Information Centric Security: Security that acts directly upon information, and information that embeds its security, are different concepts. IMO. Under a loose definition, I understand how one could view Data Loss Prevention, in-context monitoring/IDS and even assessment as a data centric examination of security. But this is really not what I am attempting to describe. Maybe we should change the name to Embedded Information Security, but that is semantics we can work out later.
One of the commenters on Mogull’s web site references both the Bell-LaPadula and Clark-Wilson models. These papers are relevant and I will discuss them in a future post, as well as the topic of evolutionary change and novelty. For now, I just want to propose a tangible example.
### Update ###
Hoff was kind enough to pick up this post on his blog. Chris is right that the first bullet is very confusing. What I meant to say is that the business application, email, is self evident. The email header remains as it would normally be. The information is self describing as it is tagged as encrypted content in the message body, or could be an attachment to the email. I mentioned MIME purely for non-text based attachments. Sorry about the word jumble.