I'm a firm believer in providence: things come to you as you need them, not as you want them. And today, as I have been gearing up to finish my recent triptych on data-centric security, an email landed in my inbox about a cool little startup back in Blighty.
They are looking at something very exciting: data classification. Oh dear, I don't hear the rave whistles and cheers. OK, maybe it's only exciting to me, but the last time I was this excited about a technology I rented out my house, pleaded with my wife and moved to Barcelona.
I'm not going to name names here, because that isn't the point; there are actually plenty of companies doing data classification already, and finding them is a Google away. The point is that data classification is something very necessary for security to move forward, and people are doing it better all the time.
The military have recognised the importance of data-centric security for many years, with their use of the Biba model for integrity (read up/write down) and the Bell-LaPadula model for confidentiality (read down/write up). [Note for security buffs: they also use Clark-Wilson for integrity, which hinges on well-formed transactions: constrained data transformations leading from one consistent system state to another. This also requires application classification, but then what is an application if it's not just a bunch of data?]
Without proper data classification you cannot enforce any of these models: we need to know the classification level of both the user and the data to enforce read and write permissions. This doesn't tend to happen in organisations because ordinary users and administrators aren't as disciplined in their use of the network as military ones, plus there is a higher turnover. Corporate accounts are therefore managed with the same level of security as George from accounts' holiday pictures and MP3s.
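To make the point about classification concrete, here is an added example (not from the original post) of a tiny reference monitor that enforces the Bell-LaPadula and Biba rules described above, granting an access only when both models permit it. The level names, compartments, and the sample subject and objects are constructed for illustration; only the labels are consulted when deciding.

```python
from dataclasses import dataclass

# Constructed label scales; a higher rank is more sensitive (BLP) or more trusted (Biba).
CONF = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}
INTEG = {"UNTRUSTED": 0, "USER": 1, "SYSTEM": 2}

@dataclass(frozen=True)
class Label:
    rank: int
    compartments: frozenset = frozenset()
    def dominates(self, other: "Label") -> bool:
        """Lattice order: rank at least as high and compartments a superset."""
        return self.rank >= other.rank and self.compartments >= other.compartments

@dataclass(frozen=True)
class Entity:
    conf: Label    # Bell-LaPadula (confidentiality) label
    integ: Label   # Biba (integrity) label

def decide(subject, obj, action):
    """Reference monitor: grant only if Bell-LaPadula AND Biba permit the access."""
    if action == "read":
        # BLP simple security: no read up.  Biba simple integrity: no read down.
        return subject.conf.dominates(obj.conf) and obj.integ.dominates(subject.integ)
    if action == "write":
        # BLP *-property: no write down.  Biba integrity *-property: no write up.
        return obj.conf.dominates(subject.conf) and subject.integ.dominates(obj.integ)
    raise ValueError(f"unknown action {action!r}")

def label(conf_level, integ_level, *compartments):
    return Label(CONF[conf_level], frozenset(compartments)), Label(INTEG[integ_level])

# Constructed sample subject and objects; the labels are the only inputs to the decision.
ANALYST = Entity(*label("SECRET", "USER", "crypto"))
OBJECTS = {
    "report":  Entity(*label("CONFIDENTIAL", "USER")),           # less sensitive
    "ts_plan": Entity(*label("TOP_SECRET", "SYSTEM", "crypto")),  # more sensitive, more trusted
    "scratch": Entity(*label("SECRET", "UNTRUSTED", "crypto")),   # same level, less trusted
    "nuclear": Entity(*label("SECRET", "USER", "nuclear")),       # compartment the analyst lacks
}

def access_matrix(subject, objects):
    """Return {object name: (read allowed, write allowed)} for one subject."""
    return {n: (decide(subject, o, "read"), decide(subject, o, "write"))
            for n, o in objects.items()}
```

Note how the analyst may read the less sensitive report but not write to it (that would be a write down), and may write to the untrusted scratch object but not read from it (that would be a read down).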
So, once we have all the data classified, our users properly defined on the network, and the network working for us to match the two together (as per previous posts), our security should be much simplified. The users can have multi-factor authentication with IAM to address their self-administrative needs, the network can lose all of its unnecessary devices, and we can just let it grant access to data when policy allows. I know of at least one framework (actually I can think of three off the top of my head, and there must be more) that will apply this security at the OS level or lower. The data will look after itself, and the network can be used for what it was intended for: carrying data.
This is still only the beginning, but it's happening at last. I've waited for it for years, but now I can see it coming. When it starts it will avalanche as people begin to realise the savings they can make and the all-round improvements they can apply to their infrastructures. If you want to slim down your network, speed up communications and still have weapons-grade security, come to the data side.