Sunday, August 23, 2009

Benefits of information-centric security

For a while I have been meaning to write a short article on what I think information-centric security is - so here goes.

Organizations have focused on securing sensitive data by protecting the infrastructure that hosts the data. This could be implemented by hosting the servers inside a data center, using firewalls and similar perimeter protection techniques to keep out external attackers, encrypting whole drives or encrypting network traffic. I think of these as protecting data by proxy - i.e. protect the network to protect the data, protect the perimeter to protect the data, protect the device to protect the data.

Information-centric security is the concept of focusing the protection on the data itself as opposed to the device – protection that stays with the data while at rest and while in motion. Access controls and other policies are embedded in data and follow it wherever it goes - thus enforcing these policies at the data level, regardless of where the data is.

This approach has several advantages:

  • Continuous protection: Data always remains protected since it does not get decrypted as it moves - this has performance benefits as well as security benefits
  • Device independence: Data can be protected regardless of the devices it rests on or travels between. For example, if data moves to a USB device or to a backup tape, it still remains protected. There is no need to deploy a separate USB protection solution or backup tape solution.
  • Enabling secure collaboration: Since the data remains persistently protected, you can share it more freely - the access controls governing who can read the data travel with the data itself, so the data can be self-defending. There is no need to grant access to networks, file shares, etc. just to share data.
  • Lower costs and complexity: all of this comes down to much lower cost and complexity - no need to run multiple device-centric or network-centric products that protect data, and only by proxy at that.

I think the world is moving to such a method of protecting data - the old ways are untenable in today's world of exploding data volumes and the requirement to share and collaborate.
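The "access controls embedded in the data" idea above, as an added example that is not from the original post: a small container that carries its own reader list and binds that list to the ciphertext as AES-GCM additional authenticated data, so the policy travels with the data and any edit to it in transit breaks decryption. The Container layout, the function names and the reader names are assumptions of the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
)

// Container is the self-protecting object that moves between devices: the
// ciphertext plus the reader list, bound to it as GCM additional data.
type Container struct {
	Readers    []string // embedded access policy, travels with the data
	Nonce      []byte
	Ciphertext []byte // includes the GCM authentication tag
}

// NewAEAD builds the AES-GCM instance used for both sealing and opening.
func NewAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Protect seals plaintext and authenticates the embedded reader list.
func Protect(gcm cipher.AEAD, plaintext []byte, readers []string) (*Container, error) {
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	aad, _ := json.Marshal(readers)
	return &Container{readers, nonce, gcm.Seal(nil, nonce, plaintext, aad)}, nil
}

// Open releases plaintext only to a principal named in the embedded policy; a
// reader list edited after sealing fails the tag check even for that reader.
func Open(gcm cipher.AEAD, c *Container, principal string) ([]byte, error) {
	allowed := false
	for _, r := range c.Readers {
		allowed = allowed || r == principal
	}
	if !allowed {
		return nil, errors.New("policy denies " + principal)
	}
	aad, _ := json.Marshal(c.Readers)
	return gcm.Open(nil, c.Nonce, c.Ciphertext, aad)
}
```

Open enforces the policy at the point of use and the tag binding stops a policy swap, but neither stops a party who already holds the key from bypassing Open; in a real deployment the key is released by a policy service that evaluates the same embedded reader list.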
