I was having lunch the other day, discussing Information Centric Security, with someone I had never met before. It was an amazing conversation, and it struck me as ironic that two people who have each spent the last dozen years at different companies, working with different technologies, have come to so many similar conclusions, both about the deficiencies in how we use the security tools we have today, or, more correctly, the misapplication of those technologies. We both had nearly identical concepts about how to move security forward, and about how it will take a fundamental shift in the mentality and approach of security practitioners to achieve these goals. Our consensus was that it is not so much a technology issue; it will require a fundamental shift in perspective to advance IT security from where we are today. There is more than enough technology available. Our technology tool kit is full of cool stuff. Technology is not the limiting factor. How we approach solving problems is. I called it an ‘Approach’, he called it a ‘Mind Hack’. Whatever. It is these types of meetings that keep me in this profession and get me excited about my work.
It is also interesting to see how biases and beliefs manifest themselves in different implementation strategies. Forgive the crude analogy, but while we both fervently believe in Information Centric Security as a model, we worship at slightly different altars of implementation. Some of us view the solution as a virtualized application space, which I believe is an expression of a business-process security perspective. Others view the solution as a packetized encapsulation of data objects, which I believe originates from a perspective of personal data protection. The former has a distinct advantage in the area of misuse detection and data policy management; the latter has a decided advantage in privacy and application dependencies. There will be other proposals, which will all have a common thread: data will have a playground in which it is used, accessed and stored. The differences are where you draw your ‘line in the sand’, or the protective boundary around the data. Personally, the more the better, as it shows the flexibility of the concept, but it can make it more difficult to get your head around.
To take this one step further, much of the security we have today is designed to protect the infrastructure. It is external to business processing and in many cases is deployed as an add-on at the network level. Information Centric Security (ICS), by contrast, is systemic. ICS places security directly on the asset of value, not the infrastructure. ICS and firewalls or IDS are not mutually exclusive, but they take the opposite approach.
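As an added illustration of the ‘packetized data object’ flavour of ICS described above (this is example code written for this page, not code from the original post or from any product the author had in mind): a data object that carries its own policy and its own protective boundary, so the access decision and the audit record are produced at the asset wherever it travels, instead of at a network choke point that cannot see inside it. The policy format, the key handling and the names (`seal`, `open_object`, `AUDIT_LOG`) are assumptions made here; the cipher is a standard-library stand-in, labelled as such in the code.

```python
"""Illustrative self-protecting data object (example code, not the post's).

The object carries its own policy. The policy is authenticated together with
the ciphertext, so it cannot be stripped or edited without detection, and the
access decision is made when the object is opened, wherever it travels.
"""
import hashlib
import hmac
import json
import secrets

# Encryption below is a PRF (HMAC-SHA256) run in counter mode plus an
# encrypt-then-MAC tag. It is used only because it needs no third-party
# library; a real system would use a standard AEAD such as AES-GCM.

AUDIT_LOG = []  # every open attempt, allowed or denied, lands here


def _derive(master_key: bytes, label: bytes, nonce: bytes) -> bytes:
    """Per-object subkey, so one master key never keys two objects alike."""
    return hmac.new(master_key, label + nonce, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: HMAC(key, nonce || counter) blocks, truncated."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _tag(mac_key: bytes, header: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    """Tag over policy header, nonce and ciphertext; the length prefix keeps
    the header/ciphertext boundary unambiguous."""
    msg = len(header).to_bytes(4, "big") + header + nonce + ciphertext
    return hmac.new(mac_key, msg, hashlib.sha256).digest()


def seal(master_key: bytes, data: bytes, policy: dict) -> dict:
    """Wrap data and its policy into one portable, self-describing object."""
    nonce = secrets.token_bytes(16)
    header = json.dumps(policy, sort_keys=True).encode()
    enc_key = _derive(master_key, b"enc", nonce)
    mac_key = _derive(master_key, b"mac", nonce)
    ciphertext = bytes(a ^ b for a, b in zip(data, _keystream(enc_key, nonce, len(data))))
    return {
        "policy": policy,
        "nonce": nonce.hex(),
        "ciphertext": ciphertext.hex(),
        "tag": _tag(mac_key, header, nonce, ciphertext).hex(),
    }


def open_object(master_key: bytes, obj: dict, principal: str, purpose: str) -> bytes:
    """Verify integrity first, then evaluate the object's own policy, then decrypt."""
    nonce = bytes.fromhex(obj["nonce"])
    ciphertext = bytes.fromhex(obj["ciphertext"])
    header = json.dumps(obj["policy"], sort_keys=True).encode()
    mac_key = _derive(master_key, b"mac", nonce)
    expected = _tag(mac_key, header, nonce, ciphertext)
    if not hmac.compare_digest(expected, bytes.fromhex(obj["tag"])):
        AUDIT_LOG.append({"principal": principal, "purpose": purpose, "result": "tampered"})
        raise ValueError("object or its policy was modified")
    policy = obj["policy"]
    allowed = principal in policy["readers"] and purpose in policy["purposes"]
    AUDIT_LOG.append({"principal": principal, "purpose": purpose,
                      "result": "allowed" if allowed else "denied"})
    if not allowed:
        raise PermissionError(f"{principal} may not read this object for {purpose}")
    enc_key = _derive(master_key, b"enc", nonce)
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def denied_attempts() -> list:
    """Misuse detection at the asset: every non-allowed attempt, wherever it happened."""
    return [e for e in AUDIT_LOG if e["result"] != "allowed"]


if __name__ == "__main__":
    master = secrets.token_bytes(32)                       # constructed demo key
    record = b"patient 4711: lab result pending"           # constructed sample data
    obj = seal(master, record,
               {"owner": "clinic", "readers": ["dr.smith"], "purposes": ["treatment"]})
    print(open_object(master, obj, "dr.smith", "treatment"))
    try:
        open_object(master, obj, "billing", "treatment")   # not a reader: denied
    except PermissionError as e:
        print("denied:", e)
    obj["policy"]["readers"].append("billing")             # try to edit the policy
    try:
        open_object(master, obj, "billing", "treatment")   # tag no longer matches
    except ValueError as e:
        print("tampered:", e)
    print(denied_attempts())
```

The point of the sketch is the ordering inside `open_object`: the tag binds the policy to the ciphertext, so the policy is checked for integrity before it is trusted, the access decision is then taken against the policy the data itself carries, and the attempt is logged whether or not it succeeds. A firewall or IDS on the path would see only an opaque blob moving; the misuse record and the enforcement both live with the asset.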
Anyway, it is great to get a chance to sit down with someone who has been thinking about this for many years and hammer out some ideas and where to go with them. We are going to reach critical mass on this in short order.