Thursday, May 24

Information Centric Security

I received an email today asking for clarification on the concept of information centric security. I don't know if he'd want me to use his name, so I'll call him Dan. Dan watched Art Coviello and Bill Gates speak about information centric security but felt like he wasn't getting the whole picture. The main point of confusion seemed to be that Dan is technically-minded and wasn't able to see a clear path from nice story to technology solution. I'll see if I can help.

The move from perimeter security to information centric security is really a paradigm shift. It's a new way of thinking about securing enterprise information. It's not a specific technology or even a specific set of technologies. Five years ago, securing an enterprise meant standing up hardened firewalls and protecting against incoming email attacks. But, we've seen that this type of security is insufficient. 70% of electronic attacks originate inside the firewall. 90% of attacks are perpetrated by technical employees with privileged access. So, how do you protect against that? Well, you apply security to the information itself rather than only building walls around the network.

Now, to get to Dan's question. How is that security implemented? As I mentioned, there isn't any one particular technology set that provides a silver bullet for this problem. Solving the information centric security challenge requires a long hard look at what information needs to protected, where it lives, who should have access, what is the perceived and actual risk associated with loss of that information and what are the policies or regulations associated to that information. That's the first step and it's as important as any technology portion of the solution. One you know what your information security requirements are, there are a number of technologies that can be combined to provide a secure information infrastructure. These include authentication & authorization solutions, a secure hardware & storage platform, data encryption & key management and audit & reporting solutions. So, to give a few examples, information centric security solutions could include the following:

  • Required strong authentication to servers that store information (even for local access in the data center)
  • Encryption for sensitive information as it's written to a database or file system
  • Encryption of information as it's written to tape for off-site storage
  • Rotation and secure management of encryption keys
  • Protection of individual files via DRM so that sensitive information can not be shared via email or USB key
  • Real-time alerting when policy is averted
  • Easy to use reporting on the information life cycle

Part of Dan's question was specifically about RSA and EMC. Hopefully, it makes sense how RSA/EMC can provide customers with a secure information infrastructure. EMC has core strengths and industry leadership in each of the sample solutions. The actual technologies include RSA SecurID, RSA Key Manager, RSA enVision, EMC Documentum with IRM and EMC's SAN solutions. And there are a wealth of others. Some requirements are better met by partners - like whole disk encryption for laptops. And some may have yet to be developed or marketed or just widely adopted. Dan specifically mentioned a Mandatory Access Control -based file system. Interesting concept, but not one I'm too familiar with.

Hope this helps.

No comments: