Tuesday, 8 May 2007

Theory of everything

My opinion changes as often as my pants, possibly more so. As a result I am no closer to the holy grail of complete and simple security than I am to consistently clean underwear.

I posted yesterday on IAM, and my opinion rests where it lay then. IAM seems to be more about easing administration of users, or rather handing them back the control they use when entering a network. This is a good thing, and should be encouraged, but it doesn't help me in my quest for data-centric security as much as I'd hoped. I think IAM is trying to do too much. I'm not sure it has a place in access control. Access control should be addressed where the users meet the data, but is there a place for this in IAM? Maybe, but only if there is a link to the data as well. Otherwise the layers should be kept separate and open for communication.

But for now I move on to network security. Network security is such a minefield. There are so many devices, so many business problems that need fixing, and as many solutions as there are issues. Not every device on a network is necessary in my opinion. In fact I will go further and say that none of the devices on a network are necessary if proper data access controls are applied. These obviously have to be rigorous if this model is to work, and that's why we've got so many devices.

Think about any device on your network, a firewall, proxy, load balancer, database encryptor, HSM, etc. and ask yourself why it's there, no really, WHY is it there? Firewalls, to stop people accessing your network. Yes, but WHY? Because there's sensitive data there. Proxies, to control connections out to the internet. Yes, but WHY? To stop things being brought back in which might corrupt the data (or the users I suppose!). Encryption? To protect the data. HSMs, to protect the keys (which are data in themselves) which... protect the data.

It strikes me that all the network needs is a good access control framework. Maybe this is why NAC is so popular at present. However, I'm not so sure NAC is doing what we require of it, or rather it is trying to do too much. NAC does not need to control users, merely know them. NAC does not need to touch data, merely give a yes or no answer.

Data-centric security is not just thinking about the data. It is about addressing security in the right place. User security needs to be addressed by the users as far as possible. Access controls should be addressed at the point where the users meet the data, i.e. the network, but in a meaningful way. Data security needs to be addressed as close to the data as is possible, i.e. at the data itself.

Stick with me here. I'll continue tomorrow.
