Tom Olzak

Data-centric security needs standardized controls

In Content Filtering, Deperimeterization on April 3, 2009 at 08:41

Deperimeterization requires a data-centric approach to security. Supporting it requires standardized data and document tagging, so that sensitive information is protected regardless of where it ends up. But standardization has always been an elusive goal in technology, one only rarely achieved.

I was introduced to deperimeterization as a concept a few years ago while conducting research for a paper on network access controls.  As defined by the Jericho Forum, it is based on the premise that the deployment of perimeter defenses alone is not a reasonable and appropriate approach to safeguarding information assets.  Today, there are many ways to slither through an organization’s externally facing controls.  Further, much of an organization’s information is shared with businesses and individuals who operate outside the home organization’s security perimeter.  So perimeter defenses should be only one layer in a data-centric approach to protecting information assets.

In an April 1, 2009 CNET article, Jon Oltsik wrote about security's role in deperimeterization. The Jericho Forum is now part of the Open Group, located in Reading, U.K., which, according to Oltsik, is currently working on the Key Management Interoperability Protocol (KMIP), Open Authentication (OATH), and the eXtensible Access Control Markup Language (XACML). These are all great ideas which would make the secure exchange of information between islands of organizational security less complex. But what caught my attention was a comment Oltsik wrote near the end of his article.

We also need standard tags for data classification and confidential data security policy enforcement. If an Excel spreadsheet contains Social Security numbers, the file should have a standard meta data tag that tells operating systems, e-mail, and gateway filters to take special actions like encrypting the file or preventing a user from making a copy to a USB drive. This type of standard would make enterprise rights management far more mainstream. If Microsoft and Adobe Systems teamed up, they could really accelerate a standard in this area.

Source: On the security road to ‘de-perimeterization’, Jon Oltsik, CNET, 1 April 2009

I think the idea of somehow tagging documents that contain sensitive information is a great idea. It takes protection right to the data. However, I don't believe we can rely on users to do this. So that leaves content filtering. Since there are already numerous content filtering solutions on the market, the real problem is not function. Rather, it is standardization.

If I tag a document using Product A because it contains sensitive information, all document security products operating within the networks of the businesses with which I share that document should recognize the tag and behave appropriately. And tag checking can't rely solely on applications or appliances dedicated to that purpose. Rather, all applications which handle that document, including Microsoft Office, OpenOffice, etc., must be able to identify the tag and handle the document according to, at a minimum, a set of security standards.

I know this is a lot to ask. And there is the question of how document rights management products, such as Microsoft's IRM in Office 2007, fit into the overall solution.

So the solution is simple.  Get everyone to agree on a tagging framework and how a document is to be handled based on its identity in the framework, and integrate this process into all document filtering and rights management products.  Let’s see, this should happen about the time I get my Pulitzer prize for blogging…
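To make the tagging framework concrete, here is an added example that is not code from the post or from any product it names. It wires together the three pieces described above: a content filter that tags a document automatically (since users can't be relied on to do it), a standard classification tag carried in the document's metadata, and a single handling policy that every application on every channel (mail gateway, USB copy, office suite) reads the same way. The tag key, the classification levels, the detector patterns, the channel names and the policy table are all assumptions chosen for illustration; the sample documents are constructed.

```python
"""Toy data-centric tagging framework (added example, not from the original post).

Pieces:
  1. classify(): content filter that infers a classification from document content.
  2. tag():      writes a standard tag into document metadata, never downgrading
                 a tag that is already present.
  3. enforce():  decides what any handling application must do on a channel,
                 purely from the tag, so every product behaves the same way.
Tag vocabulary, detector patterns, channel names and the policy table are assumed.
"""
import re
from dataclasses import dataclass, field

# Assumed standard tag key and an ordered vocabulary of classification levels.
TAG_KEY = "x-classification"
PUBLIC, INTERNAL, CONFIDENTIAL, RESTRICTED = "public", "internal", "confidential", "restricted"
RANK = {PUBLIC: 0, INTERNAL: 1, CONFIDENTIAL: 2, RESTRICTED: 3}

# Content filters: detector name -> (pattern, classification the hit implies).
# Constructed patterns; the SSN pattern rejects the 000/666/9xx area and zero
# group/serial values that are never issued, which cuts false positives.
DETECTORS = {
    "ssn": (re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"), RESTRICTED),
    "credit_card": (re.compile(r"\b(?:\d{4}[- ]?){3}\d{4}\b"), CONFIDENTIAL),
    "internal_marker": (re.compile(r"\bINTERNAL USE ONLY\b", re.IGNORECASE), INTERNAL),
}

# Handling policy shared by every application: (classification, channel) -> action.
# Anything not listed falls through to DEFAULT_ACTION.
POLICY = {
    (RESTRICTED, "email_external"): "block",
    (RESTRICTED, "email_internal"): "encrypt",
    (RESTRICTED, "usb_copy"): "block",
    (CONFIDENTIAL, "email_external"): "encrypt",
    (CONFIDENTIAL, "usb_copy"): "block",
    (INTERNAL, "email_external"): "block",
}
DEFAULT_ACTION = "allow"


@dataclass
class Document:
    name: str
    body: str
    metadata: dict = field(default_factory=dict)


def classify(doc):
    """Run every detector over the body; return the highest implied level and the hits."""
    hits = [name for name, (pattern, _) in DETECTORS.items() if pattern.search(doc.body)]
    level = max((DETECTORS[h][1] for h in hits), key=RANK.get, default=PUBLIC)
    return level, hits


def tag(doc):
    """Write the standard tag. An existing tag (from a user or another product)
    can only be raised by the filter, never lowered."""
    detected, hits = classify(doc)
    existing = doc.metadata.get(TAG_KEY, PUBLIC)
    if existing not in RANK:          # unknown vocabulary: treat as untagged
        existing = PUBLIC
    doc.metadata[TAG_KEY] = max(existing, detected, key=RANK.get)
    doc.metadata[TAG_KEY + "-detectors"] = ",".join(hits)
    return doc.metadata[TAG_KEY]


def enforce(doc, channel):
    """Action a handling application takes for this document on this channel.
    An untagged document is tagged first rather than assumed public (fail closed)."""
    level = doc.metadata.get(TAG_KEY)
    if level not in RANK:
        level = tag(doc)
    return POLICY.get((level, channel), DEFAULT_ACTION)


def demo():
    """Constructed sample documents run through the pipeline; returns the decisions."""
    docs = [
        Document("payroll.xlsx", "Employee Jane Doe, SSN 123-45-6789, salary band 4"),
        Document("expenses.csv", "Card used: 4111 1111 1111 1111, hotel, two nights"),
        Document("memo.docx", "This document is INTERNAL USE ONLY. Q3 planning notes."),
        Document("menu.txt", "Cafeteria lunch menu for Friday"),
    ]
    results = {}
    for doc in docs:
        tag(doc)
        results[doc.name] = {ch: enforce(doc, ch)
                             for ch in ("email_internal", "email_external", "usb_copy")}
    return results


if __name__ == "__main__":
    for name, decisions in demo().items():
        print(name, decisions)
```

The point of the split is that `classify()` and `tag()` run once, in the content filter, while `enforce()` is the small, policy-table-driven piece that every product (mail gateway, endpoint USB control, office application) has to implement identically for the framework to work; the products only need to agree on the tag vocabulary and the policy table, not on how detection is done.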

  1. Hi Tom,
    I think standardized data classification is required and as you rightly pointed out difficult to achieve. Defining the classification rules and policies turns out to be one of the biggest challenges in deployment of any DLP ( Vontu, McAfee, .. ) or IRM ( RMS, Adobe, Seclore, … ) systems.

    I believe that one of the key requirements for any of these to be truly standardized is to have

    1. A centralized, universal identity management and authentication system for individuals ( this cannot be the presently deployed LDAP systems in enterprises since individuals keep moving ) which can get attached to different “groups” ( e.g. a company ) based on which he/she has certain privileges. OpenID could be a good starting point for this.

    2. A common platform on which a rights management technology works with the identity store.

    3. A common tagging method for tagging information which can then be automatically linked to a set of rights defined for the data

    With the above done, I think data security can be truly de-perimeterized and moreover reflect actual business relationships.
