Thursday, 17 May 2007

Data-centric security is here!

I told you this day would come! But before I do the victory dance I still have to explain a little about compliance and where I am.

I've been at Complitech today, over at ExCel in London. A small-ish event, reminds me of InfoSec about 400 years ago when it was really about ideas rather than nurses in short skirts. Not that there's anything wrong with marketing, especially not in skirts, but this feels like a return to proper security, people who actually know what they're talking about, talking about it.

Note that I say security. Compliance isn't just doing network scans and getting expensive consultants to tick a box. Compliance tells us the best ways to do things. It's there to protect customers and end-users, which essentially protects the business. Guess what? That's security.

Everyone there today understood my technology, and that's NEVER happened at a trade show before. Still I had some 'interesting' conversations however. A guy who shall remain nameless (mainly because I can't remember his name) started talking to me about what he did: "I'm in security software", he said, "so I just came here to see what all the fuss was about." O...K... said my brain. "Security isn't the same business as compliance." I made my excuses and left. It's sad that some people in "security" as they call it, don't understand what they are doing.

A guy I spoke to earlier in the week, Phil Maynard, had a different view. A man with incredible credentials in storage and the connections to prove it. He never once pretended to be in security, and yet understands it with more clarity than anyone I spoke to today. We had a meeting booked for what I think we both expected to be half an hour or so whilst we swapped notes, but an hour and a half later I was still talking to him as he gently ushered me out of his office so he could attend a meeting.

Storage companies like the ones Phil used to work for have been buying up security companies left right and centre of late. EMC now owns RSA, (which owns Network Intelligence). NetApp own Decru (who never return my emails :( ), IBM owns ISS, amongst others. So storage people like Phil find themselves in a world of security, and security people like me find ourselves in a world of storage. It is all very strange to us both, and to have someone knowledgeable who can tell you what you need to know is frankly a relief. I hope this is the beginning of a long and fruitful relationship.

Phil told me that the solution he was pushing - data classification - was sold on an ROI argument, saving companies from duplicated data, and in the process, tidying up their filesystem. This can save up to 30% in a typical company, and hence the ROI. However, this has a limited lifetime, "de-duping" as it is called in the industry has almost had its day and the big players are moving in on their turf. Phil is pragmatic and his company still small enough to be nimble and out-manoeuvre the big guys however. Hence their move towards compliance once de-duping is yesterday's news. Phil's company will build engines on their current offering to encrypt, compress, add integrity, etc. to the data.

You know what this sounds like? Proper DATA-CENTRIC SECURITY. I'm in heaven.

I am less interested in explaining to people the many equations around compliance and security. Besides, I'm busy, I have a dance to do.

No comments: