|
 |
|
General Information
|
Add To My Personal Library |
June 27, 2008
• Vol.30 Issue 26
Page(s) 25 in print issue
|
A Data-Centric Security Model
Data Protection Is The Ideal Supplement To Traditional Infrastructure Security
|
IT security professionals must feel like they’re engaged in a perpetual game of cat and mouse with hackers, identity thieves, and even organized criminal syndicates—as fast as they deploy security countermeasures, these rogue elements discover loopholes or entirely new avenues of attack. Traditional security methods have relied upon closely guarding the perimeter of a company’s network and tightly controlling ingress and egress between private intranets and the “wild” Internet.
The continuously escalating and mutating threat environment has led many firms to layer security countermeasures one upon another; starting with firewalls, companies have added intrusion detection and prevention systems, malware filters, client-side firewalls, and encrypted network tunnels. This scenario is reminiscent of the stereotypical urban apartment dweller with three deadbolts and a chain on the front door, bars over the windows, an alarm system, and a German Shepherd growling in the foyer. Unfortunately, no matter how fortified the apartment, eventually our paranoid protagonist must leave the friendly confines of home to work or shop. Likewise, today’s networked business can create a virtual fortress around its infrastructure but still must share information with mobile employees, external business partners, and remote customers.
Instead of adding another lock to the door, our hypothetical urbanite might be better suited by hiring a bodyguard. Analogously, many businesses now realize that rather than continuing to add layers of infrastructure security, it’s more effective to protect critical data throughout its life cycle, regardless of where it resides or moves. This concept of protecting data rather than devices is known as data-centric security.
 A New Security Model
Changes in business practices are driving the security strategy. As Forrester analyst Paul Stamp notes, while companies have increased accountability for sensitive data, today's distributed, globalized, disaggregated business environment compels more open access to that very data. He says, "The challenge for the security and risk professional is to support these changes while ensuring that data is protected in the way the business demands," adding that "companies are responding to this by shifting their emphasis from traditional measures of bolted-on perimeter and infrastructure protection to deploying a more data-centric approach to security and new approaches to infrastructure architecture.”
Perhaps the first, and still the most thorough, explication of the DCSM (data-centric security model) came in a December 2006 whitepaper from a team led by Mike Bilger at IBM’s Security and Privacy Global Services unit (www.ibm.com), in which they trace an evolution in security thinking from network- to host-based defenses. They note, “If we extend this layered defense approach further, beyond host-based security to the data that is protected on those hosts, we arrive at the DCSM.” Their vision is of a holistic approach to protecting data assets by assessing the value of individual pieces of information and then defining specific controls and security measures for each.
A conceptual model developed by industry consortium The Open Group’s Jericho Forum describes the move away from exclusive reliance on infrastructure security as deperimeterization. They observe, “The huge explosion in business collaboration and commerce on the Web means that today’s traditional approaches to securing a network boundary are at best flawed and at worst ineffective.” Mark Bower, director of information protection solutions at Voltage Security (www.voltage.com), agrees, adding that the proliferation of mobile devices and portable storage have made perimeter security solutions infeasible.
While the Jericho Forum’s authors acknowledge that traditional security techniques will continue to be important, they note that data-centric approaches are critical in the new deperimeterized world. They conclude, “Ultimately, in a fully deperimeterized network, every component will be independently secure, requiring systems and data protection on multiple levels using a mixture of encryption, inherently secure communications, and data-level authentication.”
Data-Centric Security Fundamentals
End-to-end data protection begins with understanding the types, sources, and value of a company’s information assets. IBM’s experts advise that, “The first consideration of a DCSM is to determine a set of guidelines for enterprise-wide data handling based on business policies. The next consideration is to determine which security services are required to support these guidelines.” This entails classifying business data and then outlining how certain classes of information are handled and protected. According to Bower, the goal is to persistently protect data until it’s accessed, checking a user’s credentials at access time to determine their rights and privileges to the information.
Data classification and protection rely upon a robust set of traditional security services, such as authentication, authorization, access control, logging, and auditing. As Stamp points out, “Infrastructure-centric measures will always be an underpinning for data-centric security; even with a more data-centric approach to security, it’s unlikely that enterprise architects and security professionals will ever get to the stage where they can protect a piece of data once and let it remain protected in the same form throughout its life cycle.”
Implementing Data-Centric Security
While data-centric security can seem like a radical departure from traditional techniques, Stamp sees some best practices and new technologies that can smooth its integration into an overall security plan. He advises security professionals to work closely with counterparts in infrastructure and operations to formulate a strategic data protection plan that clearly articulates business benefits and minimizes complexity. He also notes the importance of tying data security into an overall risk management strategy: “When transitioning from an infrastructure-centric model to a data-centric model, you’re going to need to prioritize areas to invest in new technologies and architectural changes”—prioritization that draws upon a risk analysis to optimize ROI and justify investment expenses. He adds that technological solutions, including endpoint data encryption, identity management, secure data transport (VPNs and SSL), real-time content inspection, and network access control, also facilitate data-centric security.
Unlike the one-size-fits-all approach of a perimeter infrastructure security strategy, “The primary goal of data-centric security is to drive security controls from a business requirements perspective,” say IBM’s experts. This is achieved by separating data classification and security policy from data protection measures and then applying specific, tailored controls to different classes of data. Yet data-centric security shouldn’t be considered a replacement for traditional infrastructure-based solutions but rather an overlay providing greater control in today’s deperimeterized network. As Stamp concludes, “To enable data-centric security, organizations will redeploy existing measures like firewalls and virtual private networks, as well as implement new technologies, like virtual desktop infrastructures.” 
by Kurt Marko
Key Questions For Data Classification & Control
An organization needs to address several key questions when classifying information in preparation for a data-centric security strategy, such as:
• Where did the data originate?
• Who owns the data?
• Who controls the data?
• Who or what holds the data?
• What type of data is it?
Once information is classified, various controls can be applied to individual pieces of data; these include:
• Who or what can use the data and for what purpose?
• Can it be shared, and under what conditions?
• Where will the data be kept and for how long?
• Does it need to be safeguarded at rest, when backed up, and/or during use?
• How can the data be disclosed?
• What subset can be disclosed?
• What protection must be implemented?
• Does the data need to be distorted or watermarked?
SOURCE: “DATA-CENTRIC SECURITY: ENABLING BUSINESS OBJECTIVES TO DRIVE SECURITY,” BY MIKE BILGER, LUKE O’CONNOR, MATTHIAS SCHUNTER, MORTON SWIMMER, AND NEV ZUNIC; IBM GLOBAL SERVICES; DECEMBER 2006. |
|
|
