The Walls Are Collapsing Around Information Centricity
Since Mogull and I collaborate quite a bit on projects and share many thoughts and beliefs, I wanted to make a couple of comments on his last post on Information Centricity and remind the audience at home of a couple of really important points.
Rich’s post was short and sweet regarding the need for Information-Centric solutions with some profound yet subtle guideposts:
For information-centric security to become a reality, in the long term it needs to follow the following principles:
- Information (data) must be self describing and defending.
- Policies and controls must account for business context.
- Information must be protected as it moves from structured to unstructured, in and out of applications, and changing business context.
- Policies must work consistently through the different defensive layers and technologies we implement.
I’m not convinced this is a complete list, but I’m trying to keep to my new philosophy of shorter and simpler. A key point that might not be obvious is that while we have self-defending data solutions, like DRM and label security, for success they must grow to account for business context. That’s when static data becomes usable information.
Mike Rothman gave an interesting review of Rich’s post:
The Mogull just laid out your work for the next 10 years. You just probably don’t know it yet. Yes, it’s all about ensuring that the fundamental elements of your data are protected, however and wherever they are used. Rich has broken it up into 4 thoughts. The first one made my head explode: "Information (data) must be self-describing and defending." Now I have to clean up the mess. Sure things like DRM are a bad start, and have tarnished how we think about information-centric security, but you do have to start somewhere. The reality is this is a really long term vision of a problem where I’m not sure how you get from Point A to Point B. We all talk about the lack of innovation in security. And how the market just isn’t exciting anymore. What Rich lays out here is exciting. It’s also a really really really big problem. If you want a view of what the next big security company does, it’s those 4 things. And believe me, if I knew how to do it, I’d be doing it – not talking about the need to do it.
The comments I want to make are three-fold:
- Rich is re-stating, and Mike’s head is exploding around, the exact concepts that Information Survivability represents and the Jericho Forum trumpets in their Ten Commandments. In fact, you can read all about that in prior posts I made on the subjects of the Jericho Forum, re-perimeterization, information survivability and information centricity. I like this post on a process I call ADAPT (Applied Data and Application Policy Tagging) a lot.
For reference, here are the Jericho Forum’s Ten Commandments. Please see #9:
- As Mike alluded, DRM/ERM has received a bad rap because of how it’s implemented — which has really left a sour taste in the mouths of the consumer consciousness. As a business tool, it is the precursor of information-centric policy and will become the linchpin in how we will ultimately gain a foothold on solving the information resiliency/assurance/survivability problem.
- As to the innovation and dialog that Mike suggests is lacking in this space, I’d suggest he’s suffering from a bit of Shitake-ism (a-la mushroom-itis.) The next generation of DLP solutions that are becoming CMP (Content Monitoring and Protection — a term I coined) are evolving to deal with just this very thing. It’s happening. Now.
Further to that, I have been briefed by some very, very interesting companies that are in stealth mode who are looking to shake this space up as we speak.
So, prepare for Information Survivability, increased Information Resilience and assurance. Coming to a solution near you…
/Hoff
Personally I think #3 is the most appropriate … assume context at your peril. The uses of data, where it will move to, how it will be processed and who may get a hold of it should be considered unknowns … or at least partial unknowns. Examination of security from the data perspective is a good first step to a context neutral security model.
#2 – classification is the key to this and that has been difficult to do. Automatic classification is problematic.