Since Mogull and I collaborate quite a bit on projects and share many thoughts and beliefs, I wanted to make a couple of comments on his last post on Information Centricity and remind the audience at home of a couple of really important points.
Rich's post was short and sweet regarding the need for Information-Centric solutions with some profound yet subtle guideposts:
For information-centric security to become a reality, in the long term it needs to follow the following principles:
- Information (data) must be self-describing and self-defending.
- Policies and controls must account for business context.
- Information must be protected as it moves from structured to unstructured, in and out of applications, and changing business context.
- Policies must work consistently through the different defensive layers and technologies we implement.
I’m not convinced this is a complete list, but I’m trying to keep to my new philosophy of shorter and simpler. A key point that might not be obvious is that while we have self-defending data solutions, like DRM and label security, for success they must grow to account for business context. That’s when static data becomes usable information.
Mike Rothman gave an interesting review of Rich's post:
The Mogull just laid out your work for the next 10 years. You just probably don't know it yet. Yes, it's all about ensuring that the fundamental elements of your data are protected, however and wherever they are used. Rich has broken it up into 4 thoughts. The first one made my head explode: "Information (data) must be self-describing and defending."
Now I have to clean up the mess. Sure, things like DRM are a bad start, and have tarnished how we think about information-centric security, but you do have to start somewhere. The reality is this is a really long-term vision of a problem where I'm not sure how you get from Point A to Point B. We all talk about the lack of innovation in security. And how the market just isn't exciting anymore. What Rich lays out here is exciting. It's also a really really really big problem. If you want a view of what the next big security company does, it's those 4 things. And believe me, if I knew how to do it, I'd be doing it - not talking about the need to do it.
The comments I want to make are threefold:
- Rich is restating, and Mike's head is exploding around, the exact concepts that Information Survivability represents and the Jericho Forum trumpets in their Ten Commandments. In fact, you can read all about that in prior posts I made on the subjects of the Jericho Forum, re-perimeterization, information survivability and information centricity. I like this post on a process I call ADAPT (Applied Data and Application Policy Tagging) a lot.
For reference, here are the Jericho Forum's Ten Commandments. Please see #9:
- As Mike alluded, DRM/ERM has received a bad rap because of how it's implemented -- which has really left a sour taste in the mouths of the consumer consciousness. As a business tool, it is the precursor of information-centric policy and will become the linchpin in how we will ultimately gain a foothold on solving the information resiliency/assurance/survivability problem.
- As to the innovation and dialog that Mike suggests is lacking in this space, I'd suggest he's suffering from a bit of Shiitake-ism (a la mushroom-itis). The next generation of DLP solutions that are becoming CMP (Content Monitoring and Protection -- a term I coined) are evolving to deal with just this very thing. It's happening. Now.
Further to that, I have been briefed by some very, very interesting companies that are in stealth mode who are looking to shake this space up as we speak.
So, prepare for Information Survivability, increased Information Resilience and assurance. Coming to a solution near you...