
Principles of Information-Centric Security

In my last post on the DLP side of information-centric security, Adrian rightfully dropped a comment criticizing my narrow view. Since this is something he's been talking about himself, I feel I owe a little clarification. I only meant that post to reflect how a portion of information-centric security technology will evolve; the truth is it's much broader than that.

For information-centric security to become a reality, it needs, in the long term, to follow these principles:

  1. Information (data) must be self-describing and self-defending.
  2. Policies and controls must account for business context.
  3. Information must be protected as it moves from structured to unstructured form, in and out of applications, and through changing business context.
  4. Policies must work consistently across the different defensive layers and technologies we implement.

I'm not convinced this is a complete list, but I'm trying to keep to my new philosophy of shorter and simpler. A key point that might not be obvious: we already have self-defending data technologies, such as DRM and label security, but to succeed they must grow to account for business context. That's when static data becomes usable information.
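To make the first two principles concrete, here is an added illustration (example code written for this page, not anything from the original post or from any product it mentions). A record is wrapped in an envelope that carries its own classification label and access policy, sealed with an HMAC so the label and policy cannot be stripped or altered without detection (principle 1). The policy is then evaluated against business context, who is asking, for what purpose, over which channel, rather than against a bare role or label (principle 2), and the same envelope is re-sealed unchanged in meaning when the structured record is exported as unstructured text (principle 3). The key, the label names, and the policy vocabulary (`role`, `purpose`, `channel`) are assumptions of the example.

```python
"""Self-describing, self-defending data with context-aware policy (illustration)."""
import hashlib
import hmac
import json

# Assumption: a static key for the example only. In practice the sealing key
# would come from a KMS/HSM, and a signature rather than an HMAC would let
# untrusted consumers verify without being able to forge.
SEAL_KEY = b"example-only-sealing-key"

# Assumption: policy vocabulary. Each rule lists the context values it allows;
# a request is permitted if every attribute in some rule matches the context.
EXAMPLE_POLICY = {
    "allow": [
        {"role": ["finance"], "purpose": ["quarter-close"], "channel": ["intranet"]},
        {"role": ["auditor"], "purpose": ["audit"], "channel": ["intranet", "vpn"]},
    ]
}


def _canonical(body):
    # Canonical JSON so the tag covers label, policy and payload deterministically.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def seal(label, policy, payload):
    """Wrap data in an envelope whose label and policy are bound to it by an HMAC."""
    body = {"label": label, "policy": policy, "payload": payload}
    tag = hmac.new(SEAL_KEY, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def verify(envelope):
    """True only if label, policy and payload are exactly as sealed."""
    expected = hmac.new(SEAL_KEY, _canonical(envelope["body"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, envelope["tag"])


def decide(envelope, context):
    """Evaluate the data's own policy against business context.

    Returns (allowed, reason). A tampered envelope is denied outright because
    its label and policy can no longer be trusted to describe the data.
    """
    if not verify(envelope):
        return False, "envelope failed integrity check; label/policy untrusted"
    for rule in envelope["body"]["policy"]["allow"]:
        if all(context.get(attr) in allowed for attr, allowed in rule.items()):
            return True, f"matched rule {rule}"
    return False, f"no rule in policy for label {envelope['body']['label']!r} matches context"


def export_as_text(envelope):
    """Structured -> unstructured: flatten the record to text, keeping label and policy."""
    if not verify(envelope):
        raise ValueError("refusing to export a tampered envelope")
    body = envelope["body"]
    text = "\n".join(f"{k}: {v}" for k, v in body["payload"].items())
    return seal(body["label"], body["policy"], {"text": text})


def strip_label(envelope, new_label):
    """Simulate an attacker or careless tool relabelling data without re-sealing."""
    return {"body": dict(envelope["body"], label=new_label), "tag": envelope["tag"]}


if __name__ == "__main__":
    # Constructed sample record, not real data.
    record = seal("CONFIDENTIAL-FINANCE", EXAMPLE_POLICY,
                  {"account": "0001", "balance": 100})
    close_ctx = {"role": "finance", "purpose": "quarter-close", "channel": "intranet"}
    mktg_ctx = {"role": "finance", "purpose": "marketing", "channel": "intranet"}
    print(decide(record, close_ctx))            # same role, right purpose: allowed
    print(decide(record, mktg_ctx))             # same role, wrong purpose: denied
    print(decide(export_as_text(record), close_ctx))  # policy survives the export
    print(decide(strip_label(record, "PUBLIC"), close_ctx))  # relabel detected
```

The point the code makes that the list alone does not: the role is identical in the two contexts, and only the purpose differs, yet the decision changes; and when the label is altered without re-sealing, the data refuses to be read at all rather than silently becoming "public". Whether the enforcement point is a database, a DRM client, or a DLP gateway, the same envelope and the same `decide` logic can be applied, which is what the fourth principle asks for.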


—Rich


Comments:

By Manu  on  03/06  at  06:21 PM

Nice list. I would add persistence to the above (maybe you have it covered under self-describing): if one has to get to an ideal data-centric view, policies and protection should persist with the data. In the current world this could become difficult, e.g., how does one define such data as it moves from unstructured to structured formats? Is it based just on content? In that case DLP becomes more integral to a data-centric model. If we can address it contextually, then we can deal with data elements such as files and folders, and using persistent policies that remain with the data provides a good initial whack at the problem…

By Adrian Lane  on  03/10  at  01:22 AM

Simple.  Concise.  You can always add more, but you capture most of the essence in the first two points.  I like it.

By Yuval Eldar  on  03/10  at  01:05 PM

The list here is very exact and gives the key principles of what should be a genuine data-centric solution. I would just pinpoint the fourth statement to include not only the security frame of reference but also the broader IT environment. In addition to Manu’s comment, I would suggest not adding persistence (when it involves protection) to the list, because principles should not dictate an implementation method but serve only as high-level guidelines. And as you know, Rich, there are other implementation methods of data-centric security solutions that don’t necessarily support persistent protection as it is known today as sticky protection…

By ds  on  03/11  at  08:31 PM

PLEASE drop the -centric.  Honestly, this line of thinking is evolutionary, not revolutionary.  We as an industry have been trying to protect information for 40+ years… we are "Information Security" professionals after all.

Sure, there is a need to protect availability (DoS, theft of service, etc.) but that is just part of the equation. The very earliest research into security dealt with MLS, data labeling, etc. Anyone with formal education in the field has studied the early models (e.g., Bell-LaPadula, Clark-Wilson) and knows they are focused on preserving either confidentiality or integrity. Let’s not confuse things by creating novelty where there is none, and focus on the advancement of thought along existing and established lines. This will make it easier to spot a really new idea, instead of just a new approach.

One man’s thoughts…

By Quick Note From SOURCE: Information Governance | s  on  03/12  at  03:35 AM

[...] with my last short post, here are a few points on principles for information [...]

By rmogull  on  03/12  at  03:53 AM

@ds

Wish I could, but then everyone would think I’m talking about firewalls. The term information security has lost its meaning, and I expect that someday I won’t need to use the centric anymore. Those models also don’t reflect the new advances in how we’re looking at information, which is more dynamic in different contexts than role- and label-based models represent.

By Luke OConnor  on  03/12  at  06:11 PM

I co-wrote a paper (10 pages) on what we called the data-centric security paradigm while at IBM. It expands on some of the issues being discussed here. You can find the paper on my blog here:

http://lukenotricks.blogspot.com/2007/09/data-centric-security-model.html

regards Luke

By Data Classification Is Dead | securosis.com  on  04/22  at  11:38 PM

[...] wonk criticized the idea that data can be self-describing in any meaningful way, part of my principles of information centric security. While he caught the first point, he missed my meaning in the second point (policies and controls [...]
