Sunday, 25 March 2007

Inaccurate data...

I haven't had any negative feedback so far on my data security postings from last week, but talking to people who've read my posts and tried to understand where I'm coming from, it's clear that I've oversimplified something which needs a lot more explanation.
I normally generalise to make points, but this time I need to go back and fill in some gaps.

Firstly, I talk about transaction security, from the user through the network to the data. This ignores a large part of physical and logical security: the security of the host itself. I stayed away from content and activity monitoring because, where I have traditionally worked with data, I tend to view these as perimeter controls.

I also perhaps don't mention DRM when I should. That's simply because I don't know anyone who's got a reliable solution yet, although I've been told that such things do exist.

Really, it's because there is enough of an overlap for me to consider these things part of the huge number of network devices that now exist. There are fabulous solutions like Vontu for controlling all of this.

Encryption is covered by a plethora of products: you can protect inside your database, outside your database, at the file level, on the wire, in transit and at rest. I've worked for Vormetric (which, by the way, is still the best file-level encryption I've ever seen), I've worked with Ingrian for a number of years, and I know the guys at Protegrity too. Then there's Decru, who I wish I'd worked with (certainly when they were bought by NetApp in 2005), and NeoScale, who I know only by reputation (and through their systems guy, who joined Vormetric just before I left). These are just the good solutions; there are tens of others which don't make my list of top guys.

And yet still no-one does data integrity properly. Encryption and access restriction don't provide it, WORM devices don't provide it except in storage, digital certificates provide a partial solution, etc. And this is why I focused here. Sorry for any misunderstanding. I'm not an analyst (yet); if you want that, read Rich Mogull on Securosis. I've followed his work my entire career and what he doesn't know in this space isn't worth knowing.
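As an added illustration of the point above (example code, not from the original post), here is why encryption on its own gives you confidentiality but not integrity: with an unauthenticated stream cipher, a one-byte change to the ciphertext becomes a predictable one-byte change to the decrypted record, and nothing notices, whereas the same change fails verification once an HMAC covers the ciphertext. The keys, nonce and record are constructed, and a SHA-256 counter keystream stands in for AES-CTR so the example runs with only the standard library.

```python
import hashlib
import hmac


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from SHA-256 (stand-in for AES-CTR, stdlib only)
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + block.to_bytes(8, "big")).digest()
        block += 1
    return bytes(out[:length])


def encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR with the keystream; decryption is the same operation."""
    return bytes(p ^ k for p, k in zip(data, keystream(key, nonce, len(data))))


def flip_byte(ciphertext: bytes, offset: int, old: int, new: int) -> bytes:
    # Stream ciphers are malleable: XORing the difference into the ciphertext
    # changes the decrypted byte from old to new, no key required.
    buf = bytearray(ciphertext)
    buf[offset] ^= old ^ new
    return bytes(buf)


def seal(key_enc: bytes, key_mac: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt-then-MAC: the tag covers nonce and ciphertext."""
    ct = encrypt(key_enc, nonce, data)
    tag = hmac.new(key_mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key_enc: bytes, key_mac: bytes, blob: bytes):
    """Verify the tag before decrypting; return None if the record was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key_mac, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return encrypt(key_enc, nonce, ct)


def demo():
    # Constructed keys, nonce and record; returns (unauthenticated result,
    # authenticated result) after the same one-byte change to each ciphertext.
    key_enc, key_mac, nonce = b"\x01" * 32, b"\x02" * 32, b"\x00" * 16
    record = b"amount=0100"
    pos = record.index(b"0100")
    ct = encrypt(key_enc, nonce, record)
    plain_only = encrypt(key_enc, nonce, flip_byte(ct, pos, ord("0"), ord("9")))
    blob = seal(key_enc, key_mac, nonce, record)
    forged = blob[:16] + flip_byte(blob[16:-32], pos, ord("0"), ord("9")) + blob[-32:]
    return plain_only, open_sealed(key_enc, key_mac, forged)
```

`demo()` returns `(b"amount=9100", None)`: the unauthenticated record silently reads as a different amount, while the sealed record is rejected outright.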

Me, I just see holes I want to fill, and that's what I write about.

