I delivered the Information Centric Security Lifecycle presentation at Tech Target ISD. In it I went over all of the phases of the lifecycle, from creation to destruction, and discussed all of the tools and methods one might employ, along with a couple of different models for Information Centric Security. At the end I was asked a question from the audience about "Where Do I Start? If I wanted to begin this at my company today, where would I start?"
It is a surprisingly simple question, but one that I am not accustomed to answering, and one I think I did a poor job of addressing. I basically pointed the guy back to the lifecycle and said "If it's new data, go through this process. If it is existing data, go through this process". Technically sound, but not very helpful. If you are working at a large firm with hundreds of legacy systems and data strewn all over the place, the challenges are far greater than that. It's not just a question of picking a model and adopting it, but of what data, what tools, what policies, what security model, and how all of these choices affect every single thing I do in IT, adversely or otherwise.
I have talked about different ICS models in previous ICS posts. One of the Information Centric Security models that I am a big fan of, the virtualized application space, limits the scope of use for data to that application space, and implements its security and privacy policies based upon the assumptions of a small domain of users and functions. The downside of the model is that it does not take into account other applications, and does not readily adapt to generic data at the end points. It's more focused than that, and while it can provide a very granular data security model, as well as mediate end user and corporate data security policies, it is lacking in flexibility. The digital rights management systems that I have seen that mimic this model do not account for the data sprawl problem and do not assist the IT professional in getting a handle on existing data.
I realize that in the adoption of Information Centric Security, the Data Loss Prevention (DLP) vendors that are moving into this space have done something very pragmatic, and very right, in that they are somewhat agnostic in their securing of information. The idea is to analyze and protect everything that they can view, from the network to the end point. They proceed from the premise both that they are not aware of all of the information that is on the network, and that users will try to bypass the controls. To address this, they set up the application at logical choke points (the user's machine, the network) and constantly scan, analyze and enforce. This is why I tend to call DLP a data centric security model as opposed to ICS, and I tend to criticize its general efficiency. Still, there is a tremendous practicality in the approach, for it automates much of the discovery, analysis, protection and policy enforcement on an existing body of data as it moves around an enterprise. It provides the means to move from a network or host based security philosophy to an information centric one. I assume that the vendors will migrate into being application context aware in the future, but for now, what they offer may be enough for most enterprises.
I did not get up on stage and pitch DLP, but I must say that the tools and approach of DLP do offer an advantage when considering how to move to a data centric security model. If you are wondering where to start, the content discovery, analysis and generic policy enforcement tools within many of the DLP suites offer some advantages.
-Adrian
I suppose there is room for optimism for a broader definition of ICS beyond what DLP products currently provide, but I think the fact is that these pragmatic solutions on offer are, AFAIK, the only realistic route towards Information Centric Risk Management.
Symantec has multiple large-scale DLP customers who have achieved large-scale measurable reduction in risk of confidential data exposure using Information Centric principles. Not only are these techniques effective, but they directly challenge a lot of the orthodox security thinking currently on offer.
A central example of the kind of myths in security that DLP clearly shows as wrong: textbook classification procedure. Instead of attempting to tag and classify every last shred of data (a virtually impossible task), Symantec DLP customers use Information-Centric principles to identify the highest risk exposure of the most sensitive data, a task easily done with DLP. Instead of futile attempts to tag everything, you cut right to the chase and eliminate your top-ranked exposure risks.
So, yes, these DLP approaches are pragmatic in that they produce serious meaningful consequences *today*; however, they are in no real sense a compromise on the overall vision of Information Centric Security. DLP is leading the way on this charge and in so doing it challenges much of the orthodox thinking that currently holds ICS back.
Kevin
Posted by: Kevin Rowney | November 19, 2008 at 01:16 PM
Kevin,
Thanks for the comments. I will say, if I was designing a consumer banking application from scratch, I would bake ICS in from the beginning, and DLP based applications would never be privy to the information I was moving to and fro. By design. But that just does not seem to be the reality of things, and the holistic way that applications evolve and leverage multiple internal systems and data repositories means that a more generic approach is needed to get adequate coverage.
When you say textbook classification procedure, do you mean DLP taking the passive approach as data gets moved/used, as opposed to active discovery of all assets and resources? Are you including the policy angle in these comments as well?
Glad to hear that you guys have been able to show measurable risk reduction ... any chance you want to share some of that data? And when is Symantec going to release a more detailed information centric strategy ... it has been six months since Thompson's keynote and I have not seen anything public.
-Adrian
Posted by: Adrian Lane | November 20, 2008 at 08:13 AM