Tuesday, 29 April 2008

The road ahead

With user security, CIA (or rather AAA - authentication, authorization and accounting - as it becomes in that context) is fully integrated. This is an area of security that has existed, to some degree, since computers were first invented, and it is the most mature of the three areas I have picked out in my series of posts so far. [Please note that these are only picked out for ease of discussion; in reality they overlap.] Network security is less integrated, although over my career I have watched point solutions in the network become more fully integrated. At least network devices all talk the same language to each other now: TCP/IP has settled in as the standard form of communication.

With data we are not so fortunate: C, I and A are not integrated, although the large storage companies are trying. There are several of them, though, and each has its own standards.

In my original piece I said that integrity was the future of data security, and indeed it will eventually be an important part of every piece of storage, once everyone realises its importance - but that is not a great starting position. I don't think it will be a point solution that becomes part of a data security standard. Integrity will be one option, alongside encryption and compression, as the whole data-centric security space merges and evolves.

This will happen separately from hardware as well as being built into it. But will the standards emerge from the hardware, or from something distinct and separate from the hardware that the information resides on?

Data-centric security has to be able to move with the data. Anything that the large storage companies try to apply directly in hardware will be difficult to use at best, and more likely ignored. We've already seen a big push and pull between Sun, IBM, etc. in trying to standardise key management. If they can't even agree on that, where keys are already in reasonably standard formats, what chance do they have of agreeing on compression, encryption and integrity standards? It is more likely that they will pick up and use existing popular methods over time, as happened in the network.
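To make "integrity that moves with the data" concrete, here is an added example in Python (my own illustration, not PKWare's format and not code from this post). It packages a record as compressed payload plus a self-describing header, and binds both to a key with HMAC-SHA256, so the tag travels with the bytes wherever they are copied and the key itself stays in whatever key store holds it. The envelope layout, the magic value and the key-id scheme are assumptions made up for the example; encryption is left out so that it runs on the standard library alone, but it would sit inside the same envelope, with the tag computed over the ciphertext. The point it demonstrates is ordering: the only unauthenticated field acted on is the key identifier, and nothing is decompressed until the tag has been checked.

```python
import hashlib
import hmac
import json
import struct
import zlib

# Hypothetical envelope format used for illustration only; it is not a
# standard and not any vendor's container. Layout:
#   magic(4) | header_len(2, big-endian) | header(JSON) | zlib(payload) | tag(32)
MAGIC = b"DSEC"
TAG_LEN = 32


def seal(data: bytes, key: bytes, key_id: str) -> bytes:
    """Compress `data` and bind it, plus its metadata, to `key` with HMAC-SHA256.

    The tag covers the magic, the header and the compressed payload, so the
    integrity guarantee travels with the bytes. Only the key identifier is
    stored; the key itself stays in the key store.
    """
    payload = zlib.compress(data)
    header = json.dumps(
        {"v": 1, "kid": key_id, "comp": "zlib", "mac": "hmac-sha256", "len": len(data)},
        sort_keys=True,
    ).encode()
    body = MAGIC + struct.pack(">H", len(header)) + header + payload
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


def unseal(blob: bytes, keys: dict) -> bytes:
    """Verify an envelope under the key named in its header, then decompress.

    Nothing from the header except the key id is acted on, and the payload is
    not decompressed, until the tag has been checked. That keeps a forged or
    corrupted envelope from feeding the decompressor attacker-controlled input.
    """
    if len(blob) < len(MAGIC) + 2 + TAG_LEN or blob[: len(MAGIC)] != MAGIC:
        raise ValueError("not an envelope")
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    (hlen,) = struct.unpack(">H", body[4:6])
    header_raw = body[6 : 6 + hlen]
    if len(header_raw) != hlen:
        raise ValueError("truncated header")
    try:
        kid = json.loads(header_raw)["kid"]  # the one field read before verification
    except (ValueError, KeyError, TypeError):
        raise ValueError("malformed header") from None
    key = keys.get(kid)
    if key is None:
        raise KeyError(f"no key for id {kid!r}")
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed")
    # From here on the header and payload are authenticated.
    header = json.loads(header_raw)
    if header.get("comp") != "zlib" or header.get("mac") != "hmac-sha256":
        raise ValueError("unsupported envelope parameters")
    data = zlib.decompress(body[6 + hlen :])
    if len(data) != header["len"]:
        raise ValueError("length mismatch after decompression")
    return data


def flip_byte(blob: bytes, index: int) -> bytes:
    """Copy of `blob` with one bit flipped at `index` (simulated corruption or tampering)."""
    b = bytearray(blob)
    b[index] ^= 0x01
    return bytes(b)


def check_result(blob: bytes, keys: dict) -> str:
    """Classify what unseal() does with `blob`: 'ok', 'rejected' or 'no-key'."""
    try:
        unseal(blob, keys)
        return "ok"
    except KeyError:
        return "no-key"
    except ValueError:
        return "rejected"


def demo() -> dict:
    # Constructed sample inputs; the key store stands in for a real KMS.
    key_store = {"k-2008-04": b"\x11" * 32}
    record = b"customer=ACME;balance=100.00;" * 40  # repetitive, so it compresses well
    env = seal(record, key_store["k-2008-04"], "k-2008-04")
    return {
        "roundtrip": unseal(env, key_store) == record,
        "intact": check_result(env, key_store),
        "payload_tampered": check_result(flip_byte(env, len(env) - TAG_LEN - 5), key_store),
        "header_tampered": check_result(flip_byte(env, 8), key_store),
        "tag_tampered": check_result(flip_byte(env, len(env) - 1), key_store),
        "wrong_key": check_result(env, {"k-2008-04": b"\x22" * 32}),
        "unknown_key": check_result(env, {"other": b"\x11" * 32}),
        "smaller_than_input": len(env) < len(record),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running `demo()` shows the envelope surviving a round trip, every single-bit change to header, payload or tag being rejected, a wrong key being rejected, and an unknown key id being reported separately (a key-management problem, not an integrity one). A real container would swap the HMAC for an AEAD once encryption is added, but the verify-before-parse discipline stays the same.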

I don't want this to become too much of an advert, but I spoke recently about PKWare, because I am interested in them, and I will be visiting them this week. I'm going to talk with them about their products in more detail, but they sound very close to my heart, and as close to reaching my data security nirvana as anything I've actually seen. What's more, it makes sense.

I've heard some very interesting things about them recently; their new SecureZIP line and PartnerLink are both areas I identified as massive opportunities for growth whilst at my previous job. I actually asked our engineers about designing a product almost identical to PartnerLink, but it was too much for our small team. We didn't have the resources to develop the ideas, but now I find those ideas already exist.

Ask anyone (as I did at InfoSec) whether they've heard of PKWare and they will often look blank, until you say "have you ever used PKZIP?", which of course everyone has at some point if they've used a computer for anything other than email. I'll be asking some more searching questions this week and reporting back in due course.
