Andrew Jaquith

My colleague Alex Cullen recently released a report for Enterprise Architects called “The Top 15 Technology Trends EA Should Watch,” which describes some of the key technologies that will have the greatest impact over the next three years through 2012.

A key security trend, one which I was interviewed for, described how security will increasingly move from being perimeter- and container-centric towards being data-centric. In other words, while perimeter security, network access controls, and other security measures will continue to be important, the decreasing importance of physical locale and networks will inevitably mean that the data must increasingly protect itself.

Now, this prediction isn’t exactly new — some noted security professionals have been making the case for data- and information-centric security for a while. And in 2000, while at @stake, Dan Geer and I were retained by a Very Large Investment Bank to explore this very question. Some of the things we predicted — more use of client-side cryptography, network admission control, bandwidth throttling based on device “trust” and user authentication assurance, and enterprise digital rights management (eDRM) — have made their way into the mainstream. (Not all have, to be sure.) Many, many others in the field have made similar predictions.

Three things have changed since the early 2000s that have moved data-centric technologies to the forefront. First, as an industry we have lost our “better living through cryptography” religion. Enterprises don’t believe in cancer-curing, globe-spanning PKI schemes using enterprise certificates whose trustworthiness is absolute, and whose pedigrees come from God (or Stratton Sclavos, if you prefer). Instead, PKI has yielded to “pki” — smaller, point-purpose uses of crypto that are integral to solving specific problems, such as encrypting laptop hard drives or protecting offsite backup tapes. Cryptography continues to underpin some of the most important security technologies around, but it is now rightly seen as a means, not an end.

Second, enterprises have new tools to help them automate classification and filtering tasks. Data leak prevention (DLP) is a good example. Enterprises don’t have time to burn static security labels into their documents. But if a smartish system can make reasonably decent decisions about information flowing through and exiting company networks, devices, or operating environments, security controls can be applied when needed, rather than when the IT admin gets around to it. The ability to dynamically assign security classifications to information as it is created is better than the alternative of labeling it by hand, after the fact.
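To make the DLP idea above concrete, here is an added example (my own illustration, not code from Alex’s report or from any DLP product) of the core loop such a system runs: inspect content as it leaves, assign a classification from what it contains, and pick a control from policy. The patterns, classification names, policy actions and sample messages are all constructed for the example; a real product would use many more detectors and a richer policy.

```python
import re

# Constructed sample of outbound messages (not real data) to run the classifier over.
SAMPLE_MESSAGES = [
    "Q3 marketing draft attached, feedback welcome.",
    "Customer card on file: 4111 1111 1111 1111, exp 09/27.",
    "Payroll export: employee SSN 123-45-6789 needs correction.",
    "Invoice number 4111-1111-1111-1112 (not a card, Luhn fails).",
]

# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
CARD_PATTERN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN layout (illustrative PII detector, not exhaustive).
SSN_PATTERN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Classification levels in increasing sensitivity, and the (assumed) policy action for each.
LEVELS = ["INTERNAL", "CONFIDENTIAL", "RESTRICTED"]
POLICY = {"INTERNAL": "allow", "CONFIDENTIAL": "encrypt", "RESTRICTED": "block"}


def luhn_valid(digits):
    """Luhn check digit test, used to cut false positives on long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Return digit strings that look like payment card numbers and pass Luhn."""
    found = []
    for match in CARD_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def classify(text):
    """Assign labels from content, then derive the classification level from them."""
    labels = []
    level = "INTERNAL"
    if SSN_PATTERN.search(text):
        labels.append("PII")
        level = max(level, "CONFIDENTIAL", key=LEVELS.index)
    if find_card_numbers(text):
        labels.append("PCI")
        level = max(level, "RESTRICTED", key=LEVELS.index)
    return level, labels


def decide(text):
    """The control applied to one message is chosen from its dynamic classification."""
    level, labels = classify(text)
    return {"classification": level, "labels": labels, "action": POLICY[level]}


def scan(messages):
    """Run the decision over a batch, e.g. an outbound mail queue."""
    return [decide(m) for m in messages]


if __name__ == "__main__":
    for message, verdict in zip(SAMPLE_MESSAGES, scan(SAMPLE_MESSAGES)):
        print(f"{verdict['action']:8} {verdict['classification']:13} {verdict['labels']}  {message}")
```

The fourth sample shows why the Luhn check matters: a 16-digit invoice number would otherwise be blocked as a card number, and a DLP system that blocks too much gets switched off. The classification is computed from the content at the moment it flows, which is the point of the paragraph above: no one had to label these messages in advance.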

Third, and perhaps most important — data security is less and less a “security thing.” The objectives of data security have been winding their way up the stack from network zones and server access control lists to Layer 7 and beyond. Product categories that have historically been siloed, such as DLP, eDiscovery, and enterprise search, are starting to merge. For example, stakeholders other than IT Security increasingly have a say in how DLP policies are created. And the most successful eDRM projects are usually led by business divisions who have their own priorities to protect: inside counsel, the M&A due diligence team, or the research division. As Alex notes in his report, “with content security controls in place, businesses can share data more freely while keeping it secure.” Who sponsors and operates data-centric security tools is a key success factor.

Data-centric security: finally, we are beginning to put the “information” back into Information Security. I’d urge you to read Alex’s excellent report. Data-centric security is just one of the big technologies he touches on. If you found this post riveting, read his report for 15 times more rivets!
[posted by Andrew Jaquith]