I quite often have a déjà vu moment when looking at some new technology or security concern. It sure feels like IT and information security are a cycle – or perhaps a wave – and I think that by applying some creativity we could come up with an IT and information security zodiac. Linking things with astrology actually feels quite fitting for this time of year, given the plethora of Nostradamus-like risk management prophecies that inevitably pop up. It takes no crystal ball or star charts, however, to notice the loss of control associated with the ongoing information explosion and externalization of IT, and I’m left to wonder if 2010 - the year of the Tiger in the Chinese zodiac - will (finally) be "the year of the data" … and whether data-centric security, which we have been discussing for some years now, will have to become a real necessity.
We thought to have gotten a handle on information protection in the Internet age: encryption at the repository and media level alleviates a lot of the exposure associated with sensitive information on systems and mobile devices. Except for that pesky creation and use of information in the business, but for that there’s data loss prevention (DLP) protecting, with varying degrees of effort and success, the potential ingress and egress points of the information perimeter. It works – sometimes effectively, sometimes not so much – in the current enterprise IT model, and although not particularly cheap is much less of an effort than refactoring applications, data, and business processes.
But, if we believe the predictions, change in IT may well accelerate in 2010 through increased adoption of cloud computing – a change that would swiftly erode many a traditional information perimeter. In a CSO Online article, Cyberczar-to-be Howard Schmidt predicts cloud computing to be a security enabler, and states that “[t]he overall net effect will give us a better chance to develop more security in the cloud using […] robust encryption.” Using cryptography of course makes sense – crypto is at one point or another required in many technical controls - but is the application of this traditional control in the cloud really that simple?
The answer, unfortunately, is no. Using encrypted information – for all practical purposes – requires having the key, and having to have the key at the point of processing (i.e, the cloud) is not exactly secure. Complicating the matter is the current lack of hardware-assisted cryptography potential in the cloud and virtualization (unless you want to sacrifice mobility and elasticity), and the result is a chicken-and-egg situation for protecting cryptographic key material. Sure it’s possible to have a cloud provider encrypt storage and networking for you, but how much of the threat landscape does that really address? The situation will eventually improve, but for now we’re facing some crypto-hurdles.
But then what do we do if we can’t encrypt data, or prevent it from floating around in the now externalized business process automation? Well, if it is absolutely required to be there, then we’ll just have to consider whether externalization is a good choice – it sometimes is, and sometime isn’t. But upon further examination it may be surprising how often sensitive data is in fact not needed, and this is where we can make some headway with business process and data management, and maybe also with some newer technical controls. With security teams focusing on the latter, we should probably consider data masking (de-identification) techniques, including run-time data aliasing (format-preserving encryption and tokenization, which I’ll cover in upcoming research) technologies, to complement data discovery and DLP.
Are these controls a panacea? No. Are they a necessary alternative to ‘regular’ encryption? Probably. No matter how we slice it, with an eroded or non-existent information perimeter, protecting information in a real data-centric manner is no longer optional. With new IT complicating encryption and DLP controls, and with the near inevitable expansion of information protection regulation, I think 2010 should finally be the year when enterprises get real serious about managing their large amounts of data. Sure it may be quite the undertaking (and of course more than just a security effort) but it may prove easier than it used to be, and should surely be very rewarding in the long term.