Saturday, 10 March 2007

Data Security - Part I

I am no expert on user security; I have installed a few SecurID rollouts, some very large indeed, but that does not make me a grandmaster.

I am reasonably skilled in network security. I have worked in distribution and resellers, and even administered a couple of reasonably large networks in my time, but that does not make me a ninja.

When it comes to data security though, I consider myself slightly more advanced, and I will tell you for why. I have spent many years now walking the streets, plying my wares, telling the world how they should be securing their data. I have done this for a number of data security companies and spent time with most of the big names in this area.

When I started selling nCipher cards many years ago, a company called Ingrian came along and asked if they could use our reseller as a launch pad into the UK. We jumped at the chance to have a piece of Silicon Valley in our little converted farmhouse office in suburban Hampshire.

Ingrian was all about encrypting data on its way into storage, so it encrypted on the fly, AND in storage. This was amazing to me. It all made sense, of course you should encrypt in storage, then no-one could break in and steal stuff.

Of course this only applied to people actually physically walking off with the disk though, because if you could break in logically, you could still get clear access. In fact, all Ingrian relied on was access to the application, and it would allow any data to be decrypted. This relies far too heavily on user and network security for my liking.

So, when I was approached to be an SE for Vormetric, I was delighted by their solution. It was so simple, and yet to me it seemed perfect. With Vormetric you needed to have the correct user access, and an untampered application. Plus the encryption was far quicker. The database solution was much simpler and didn't rely on encrypting inside the database, which inevitably slowed things down.

And the killer app for Vormetric? You could encrypt and control access from the administrator. This was the best move I'd ever seen. Now any administrator who previously had rights to everything could be blocked by a security administrator. Separation of duties for data, fantastic news. This stuff was going to sell like hot cakes.

Wasn't it?

No. Sadly not. You see, when you go to the CEO of a company and tell him you have an encryption device... whoa, stop there, go and talk to my Network guys... OK, when you go and talk to the Network guys and tell them you're cutting down access to the, erm, Network Admins... you get the picture.

This is the eternal problem with data security. The people you want to secure it from are the people who are in charge of it. Still, users got used to it when we asked them to have passwords, hell, the network guys even got used to it when we asked them to use SSL. What these network guys don't like is handing over control to the security guys.

A key issue for security is that the more you secure something the less available you make it. The CIA triad told us this years ago. So, the less available you make it, the more you hide its value, this we know, but what is less obvious is the more available you make it, the more you dilute its value.

Whoever controls the data can therefore play God in some small way. Data is not just knowledge, it is power inside a company, and hence worth above any financial reward.
