Wednesday, 9 May 2007

Network security is dead, long live network security!

I'm a firm believer in providence, things come to you as you need them, not as you want them. And today as I have been gearing up to finish my recent triptych on data-centric security, an email landed in my inbox about a cool little startup back in Blighty.

They are looking at something very exciting, data classification. Oh dear, I don't hear the rave whistles and cheers. OK, maybe it's only exciting to me, but the last time I was this excited about a technology I rented out my house, pleaded with my wife and moved to Barcelona.
I'm not going to name names here, because that isn't the point, there are actually plenty of companies doing data-classification already, and finding them is a Google away. The point is that data-classification is something very necessary for security to move forwards, and people are doing it better all the time.

The military have recognised the importance data-centric security for many years, with their use of the Biba model for integrity (read up/write down) and Bell-LaPadula model for confidentiality (read down/write up). [Note for security buffs, they also use Clark-Wilson for integrity which hinges on well-formed transactions - constrained data transformations leading from one consistent system state to another. This also requires application classification, but then what is an application if it's not just a bunch of data?].

Without proper data classification you cannot enforce any of these models, we need to be aware of the classification level of the user and the data to enforce read and write permissions. This doesn't tend to happen in organisations because ordinary users and administrators aren't as disciplined in their use of the network as military ones, plus there is a higher turnover. Corporate accounts are therefore managed with the same level of security as George from accounts' holiday pictures and MP3s.

So, once we have all the data classified, our users properly defined on the network, and the network working for us to match the two together (as per previous posts), our security should be much simplified. The users can have multi-factor authentication with IAM to address their self-administrative needs, the network can lose all of its unnecessary devices and we can just let it apply access to data if it is allowed by policy. I know of at least one framework (actually I can think of 3 off the top of my head, and there must be more) that will apply this security at the OS level or lower. The data will look after itself, and the network can be used for what it was intended for, carrying data.

This is still only the beginning, but it's happening at last. I've waited for it for years, but now I can see it coming. When it starts it will avalanche as people begin to realise the savings they can make and the all round improvements they can apply to their infrastructures. If you want to slim down your network, speed up communications and still have weapons grade security, come to the data side.


Andrew Mason said...

"Oh dear, I don't hear the rave whistles and cheers."

Well you do from here!!

I have long considered Data Classification as one of the fundamental starting points for InfoSec. At the end of last year I went on a BSI / ISEB Risk Management course and Data Classification was included in that which I found refreshing.

If you think about it, until you classify your data you have no idea what to protect, how to protect it and for how long. A good way of understanding what classification to place on a particular element of data would be to risk assess it. Hence the inclusion in the course.

As to Data Centric protection, I like the idea but in my environment I am struggling to get people to accept responsibility for drawing breath let alone take ownership of the security of data. Therefore, setting up a data classification model and then implementing it into the live environment is going to be a challenge.

Both PCI DSS and ISO17799 include, even if only implied in some areas, requirements to classify data so this is a topic that deserves further thought.

It's on my "To Do" list but then so are soooooo many other things.

Unknown said...

I don´t mind you being soooo excited about this new technology as long as you stay happy in Barcelona :-)

Rob said...

Ah, but I'm more excited about our technology. If we can just get the air conditioning fixed, Barcelona will be fine! :)

Anonymous said...

Hi Rob,

Post some more on those different frameworks and this idea that protecting the data negates network security. Cool idea. Keep in mind I'm a total noob when it comes to this. Send me some links via email or delicious if you feel inclined. And exactly how do you mean to protect the data? Along the lines of what Utimaco does?