Saturday, 2 June 2007

Comment on comment about comments.

OK, so did I over-react to Rory bad-mouthing data-centric security? He thinks so. Maybe I did. Maybe because I know he is a CISSP and respected blogger I didn't give him as much leeway as mere mortals. However, I think my motives have also been misunderstood, read on...

He made the following points, which I will comment on in turn:

"Thanks for replying (although I almost missed your comment no trackback!). I must say I'm a bit dissapointed, in that I thought I raised some valid points in a reasonably constructive way, but seem to have annoyed you a bit."

Blogger has no trackback facility, which is becoming testing. I may well move to WordPress soon, but that has it's own difficulties. My reaction was timing more than anything, but since when was "Data-centric security... Yeuch" constructive? Let's move on.

"1. How do you mean I don't have to manage it [tagged data]? My role is at a corporate and one of the challenges I see in corporates implementing this kind of security is that without standards it'll be impossible for it to work."

I'm aware of Rory's role, and the corporate which he works for. It is very large, he must be pretty good. I am very pleased to have a fellow Brit in the network, and someone who has worked in finance. I have no desire to challenge the professionalism of either Rory or his company. Of course they need standards.

However, what I was talking about amounts to rulesets, which are essentially internal technical standards, as I thought was very well explained by Hoff in his post. The data tagging never needs to leave your network, that's the point. There's a very low management overhead once the tagging is done. The only standards need to be between your data and the device which tagged them.

By the way, this will evolve into standards when it needs to, when data-classification becomes viable on the Web. This needs to happen in steps however, the first one being some take-up of this technology before we can prove how easy it is to control the data. Once the data is proven to be controllable we can start to externalise it with less risk. This is essentially what people are referring to as Web 3.0, the Semantic Web. In fact I could argue that RDF was a standard, but I'm not getting into that now...

"2. You've not really passed on anything new to this. Again in many companies I've worked with the idea of getting users to understand and manage security rights has caused a load of problems and I think that anything else which adds to that burden is probably a non-starter."

I wasn't trying to pass on anything new, but I again I fail to see why this is relevant. You should be a politician. You were bad-mouthing Hoff's excellent post, I was postulating an opposing view.
This is the nature of debate. I don't want a debate about how to debate however, the debate itself is much more interesting. So, back to the matter in hand:

Why would the users have to even know about it? I don't get this argument. The point with data-centric security is that the security is applied as far away from the users as possible. The only thing the user has to do is authenticate properly, the rest of the decisions are made on his behalf. A network device maps users to profiles to classified data as per a ruleset. I think Chris was pretty clear on this in his post.

I'm not a big fan of network devices by the way, but what Crossbeam and other UTM devices provide is a jump-off point for security to evolve faster. Once the standards you talk about are in place, the device will no longer be such a requirement, but because it's UTM, something else will take the place of the data security. I can see a need for a UTM box for evolution purposes.

"3. Didn't think I said it too hard. Wouldn't you agree that the only DRM usage (music files) that has had widespread take-up has been, in my opinion, a disaster. Now I'm not familiar with EMC etcs DRM products and how they solve these problems, perhaps you could tell me more about that."

I understood what Rory said very clearly. He seems to have missed what I said in return. He seems to be throwing up smokescreens.

Yes, music DRM has been a failure. However, music files which I am trying to sell to the public are not the same as corporate files I am trying to keep secret, and the security surrounding them needs to be handled differently. Personally I wouldn't bother with anything other than a digital watermark or similar on MP3s and MPGs. There is a very strong economic argument that it doesn't really affect sales either way these days, for exactly the reasons you are talking about.

In a corporate environment however we aren't trying to get the public interested in our data, we are trying to keep them away from it.

But when did I say EMC did DRM stuff? EMC has a data-classification service, as do most of the big storage vendors. I will let them do their own sales though, they are big enough.

I'm talking about data-classification, it's Rory who has turned this into a DRM argument because this one (very small) area of data security supports his arguments. I will post on DRM soon which shows why I think it is largely irrelevant to logical security.

[In a moment of clarity however, I think I'm beginning to see the problem here. Let me get this straight DRM= part of data-centric security, data-classification= the basis of data-centric security, DRM does not = data-classification or data-centric security as a whole. I am NOT talking about data controlling who accesses it by itself. Neither is Hoff, neither is anyone else who is not on drugs.]

"4. Sorry I've NEVER seen those models of security used outside the military and the police. Modern corporates in my experience all use DAC style because there are no products which are considered manageable which implement those pieces."

There are commercial products available for data classification. There are commercial products available that provide frameworks for data access controls as specified by the models we talked about too. Not many, but that security is in a poor state is part of my point. It's astonishing how few people understand it, and that's what really bugs me, especially when they put it down without knowing what they are talking about. I'm trying to push it forwards, Hoff is trying to push it forwards, by educating. We are both vendors trying to push products, but the market needs to understand. It's hard enough appealing to users when they are having trouble understanding, but when other security people are, it's practically impossible.

Maybe these models aren't used outside the military, but that doesn't mean a) you haven't studied them, b) they don't work, and c) they wouldn't be manageable - quite the opposite. Rory is confusing established security models with products which are not on the shelf yet. I never implied they were, just that they are a great idea. Are you saying that you don't want military style security on your network, Rory?

"Yes I have studied security for many years thanks. Just because I don't think that one direction that people are going in for security is the best doesn't mean I'm anti-security. What I've found however is that companies are focused on having information available to make business decisions and any security measure that makes that difficult/impossible is not one which will see wide adoption."

Many years in security, we all know how frustrating that can be. You have to admit that it's pretty dull these days once you know what your options are. Corporate lapdog doing the bidding of the CEO, CFO and CIO, consultant searching for business in a world full of security consultants who are undercutting you because they're not as good, or change of direction altogether. That's why I'm a product manager at a software company, trying to make things change, because I had the opportunity, and because I can (it's where all the best people end up, right Chris?).

I certainly didn't mean to imply Rory was anti-security. I'm positive he is very good at his job. His current employer certainly wouldn't have employed him if he weren't. I have no reason to imply otherwise. What I don't like is attacks on data-centric security without careful consideration of the facts, or as it seems, not understanding it.

It shouldn't make anything more difficult business-wise, in fact it should make things easier. There are some very strong arguments for data classification. The first one being that if you identify your data, you will know if you have duplicates. This is an instant ROI of about 20-30% on current infrastructure.

Once this is done, the rest of the game is child's play. Install a device somewhere at the perimeter to control access to the data, and put some rules in it. These never have to change. Only user attributes have to change. The rest of the network can be used to transfer data, quickly and freely without the need to pass it through a hundred devices. It should speed up communication and make it more efficient, add confidentiality and integrity, and not affect availability.

It's more about alignment of users and data.

Consider this:

FACT: There is very little data security at present. It's evolving fast.
FACT: The Semantic Web will require data-centric security before it can evolve safely.
FACT: Every decent security company under the sun has been bought up by a storage company recently. What do you reckon they're doing?
FACT: I'm a vendor of data integrity products. The market is huge and completely untapped. Many people talk like Rory, but the early adopters and visionaries are loving this stuff. This is usually a sign that the market will follow. We have some very large partners and plenty of investors (although we always want more). Not bad for 15 people based in Spain.

Data is the future of security, whether you're comfortable with it or not.

No comments: