Tuesday, December 18, 2007

Data-centric security: How far do you de-perimeter your perimeter?

Ever since the Jericho Forum coined the term, we have seen some interesting jousting over “deperimeterization” (I personally need a cup of coffee before I attempt to pronounce that!). While the idea intrigues me, I see historical evidence against short-term deperimeterization for most organizations. Consider the Itanium vs. Opteron battle as a prime example. While the purist might say the battle is not over yet, the initial rounds by far were won by the hybrid 64/32-bit Opteron chip. The futuristic Itanium would have required significant changes in software to take advantage of its capabilities and is still trying to gain a foothold.

Current investments ensure that the incumbent is favored, and by the same logic they favor a hybrid model for the next generation of investment. In security terms, that means a combination of perimeter security with further hardening of today's “soft” core.

From BitArmor’s perspective, we are looking at this discussion in the context of protecting the data itself regardless of where it resides (which could be the ultimate in deperimeterization), and not devices or end-points per se. I am having an increasing number of conversations with customers and industry experts about data-centric security. While I don’t think the tide is completely shifting away from end-point security, such as firewalls, full disk encryption or port control, more people are recognizing that device- or perimeter-focused solutions are no longer fully adequate for their purposes. They must be paired with secondary (and tertiary, etc.) defenses.

But, if you lock things down to the point where people can’t do business, that obviously defeats the purpose; business rules and processes must enter into the equation as well, allowing people to collaborate, share documents…in short, to do business. And this is where data-centric security has already begun playing a more important role.

Therefore, while I think that security investments will migrate from hard perimeter defenses to more data-centric models of protection, it will not be immediate nor, by any means, complete. There will be more balance, stemming from a “defense-in-depth” philosophy. Multiple, smaller perimeters for authentication, encryption, access control etc., will continue to gain traction, even to the granularity of individual files.
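As an added illustration of what a “perimeter at the granularity of an individual file” looks like in code (this is a small Go example written for this post, not BitArmor’s product or code): the file carries its own access policy in the clear, the policy is bound to the ciphertext as AES-GCM associated data, and a reader is checked against that policy before the key is ever used. The container can be copied anywhere, which is the data-centric point; what it cannot do is be opened by someone the policy does not name, or have its policy quietly edited. The principals (alice, bob, mallory), the key handling and the sample content are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

var (
	ErrDenied    = errors.New("principal not permitted by the file's policy")
	ErrIntegrity = errors.New("container failed authentication") // edited policy/ciphertext, or wrong key
)

// Policy rides with the file in the clear so any holder can see who may read it,
// but it is bound as AES-GCM associated data, so editing it invalidates the container.
type Policy struct {
	Owner   string   `json:"owner"`
	Readers []string `json:"readers"`
	Label   string   `json:"label"`
}

// Sealed is the self-protecting container: copy it anywhere and it still needs
// the data key plus a principal named in Policy to open.
type Sealed struct {
	Policy     Policy `json:"policy"`
	Nonce      []byte `json:"nonce"`
	Ciphertext []byte `json:"ciphertext"` // AES-GCM(key, content, aad = JSON(policy))
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// policyAAD is deterministic: json.Marshal of a struct follows declared field order.
func policyAAD(pol Policy) []byte {
	aad, _ := json.Marshal(pol) // cannot fail for strings and []string
	return aad
}

// Seal encrypts content and binds the policy to the ciphertext.
func Seal(key []byte, pol Policy, content []byte) (*Sealed, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &Sealed{Policy: pol, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, content, policyAAD(pol))}, nil
}

// allowed is the (deliberately simple) rule: owner or listed reader.
func allowed(pol Policy, principal string) bool {
	for _, p := range append([]string{pol.Owner}, pol.Readers...) {
		if p == principal {
			return true
		}
	}
	return false
}

// Open enforces the policy before touching the key, then decrypts. A policy edited
// in the clear passes the check but fails GCM authentication.
func Open(key []byte, principal string, s *Sealed) ([]byte, error) {
	if !allowed(s.Policy, principal) {
		return nil, ErrDenied
	}
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(s.Nonce) != gcm.NonceSize() {
		return nil, ErrIntegrity // GCM panics on a wrong-length nonce; reject it first
	}
	pt, err := gcm.Open(nil, s.Nonce, s.Ciphertext, policyAAD(s.Policy))
	if err != nil {
		return nil, ErrIntegrity
	}
	return pt, nil
}

func main() {
	key := make([]byte, 32) // constructed: in practice fetched from a key server, never stored with the file
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	s, _ := Seal(key, Policy{Owner: "alice", Readers: []string{"bob"}, Label: "confidential"}, []byte("constructed sample: Q4 forecast"))
	blob, _ := json.Marshal(s) // what actually leaves the perimeter
	fmt.Println(string(blob))
	s.Policy.Readers = append(s.Policy.Readers, "mallory") // self-grant in the clear-text policy
	_, err := Open(key, "mallory", s)
	fmt.Println("mallory after editing policy:", err)
}
```

Two caveats a practitioner would raise. First, the cryptography makes the policy tamper-evident, not self-enforcing: anyone who holds the key can skip the `allowed` check, so the file-level perimeter is exactly as strong as key distribution, which is why real deployments use a per-file data key wrapped under a key-server or hardware-held key rather than the single key shown here. Second, the policy check runs before any decryption so that an unlisted principal learns nothing, not even whether the ciphertext is intact.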

I am almost tempted to say “multiperimeterization,” but one tongue twister for that space, is one too many!
