If we can't protect the data, let the data protect itself


Posted on: June 3, 2013 by Martin Pfeil

In today’s business world we are using our own smartphones, tablets and laptops to access private, public and enterprise data. This data is stored locally, in a private LAN, in public clouds or in our company’s IT infrastructure. We are sharing the data with friends and colleagues. We use applications downloaded from app stores or installed by our company’s software distribution systems.

The billion dollar questions are:

· “How can we assure in such an environment that only the right people are authorized to read classified data?”

· “How can we assure the proper handling of data between the data’s owner and the user?” and

· “How can we guarantee that data is not manipulated, unintentionally or fraudulently?”

I dare say we can’t. The data has to protect itself.

Traditionally, enterprises require employees to sign a non-disclosure agreement (NDA) and ensure proper information protection with best-practice technical measures (device encryption, endpoint-related security, etc.). When data is highly classified with regard to confidentiality, we need more than that. As an example, consider how an email client on your (company) laptop allows data to be forwarded. The forwarded data is then accessible to other email recipients, outside the company’s control (in fact, only very few companies limit email connectivity).

Current BYO (Bring Your Own) concepts try to establish borders between private and professional areas by creating separate containers, virtualized environments, etc. Even though this looks like a good solution, it prevents us from integrating our private and professional lives. Other solutions prevent critical data from being downloaded at all: it can only be viewed using simple browsers and processed by enterprise applications running on enterprise IT infrastructure, in a private cloud. While this may be a good idea, it requires ‘always on - anytime, anyplace’ capabilities, which may be available within the next few years, but not now.

As users, we’d like to use the most appropriate device for our private life and for our professional work, whether we are at home, in the office or on the move. Whatever device we are using, we want access to all the data we need, wherever we are. This is why BYO and cloud services are such strong trends. We need to protect the data under those circumstances.

The risk lies in the fact that once data has been downloaded onto our device, we can distribute and process it with applications that are not under the control of the data owner. But users may need to download data and process it locally. Again, if we want to be independent of connectivity limitations, how do we protect the data against accidental disclosure and uncontrolled usage?

Encryption is an essential prerequisite for disclosing data only to authorized users. Only those users who hold the right decryption key can view or process the data; controlling the key means controlling the data. But this is not sufficient, because once the data has been decrypted, how can we control its usage?

If we cannot protect the data, why not let the data protect itself? This means that the data carries its centrally defined policy with it as metadata. The data can only be decrypted by applications that ensure compliance with that policy, and only if the policy is fulfilled.

Policies, which generally ensure compliance with company and legal security requirements, may do all of the following:

· Check the user’s identity

· Verify whether the current processing environment is regarded as safe, e.g. connected to the company’s IT network only

· Allow or disallow functions like printing, local storage, etc.

· Take the user’s context into account, for instance where he is currently located: travelling, at home or abroad.

· Determine the period of time for which a data item is valid. And so on.

This is what we call data-centric security, and it must be built on a trusted policy-enforcing application. The owner of the data must be sure that the application follows the policy under all circumstances. One way to establish trust is to have the software provided by the data owner, downloaded from a company app store for example. Another way is to use certified software from a trusted software vendor.
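As an added illustration of the policy-carrying data described above (this is example code written for this page, not code from the article or from Atos), the following Go program seals a data item together with its usage policy. The policy travels in clear as metadata, the payload is encrypted with AES-GCM, and the policy bytes are bound to the payload as associated data, so a policy that has been altered after sealing makes decryption fail even when the altered rules would have allowed access. The consuming application applies the identity, environment, operation and validity-period checks listed above before it decrypts. The policy fields, the use of a CIDR list to define a "safe" environment, and all sample values are assumptions for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"net"
	"time"
)

// Policy is the centrally defined usage policy that travels with the data.
// Field names and the set-as-map representation are assumptions for this example.
type Policy struct {
	AllowedUsers    map[string]bool `json:"allowed_users"`    // identity check
	AllowedNetworks []string        `json:"allowed_networks"` // CIDRs regarded as a safe environment
	AllowedOps      map[string]bool `json:"allowed_ops"`      // e.g. "view", "print", "store"
	NotBefore       time.Time       `json:"not_before"`       // validity period
	NotAfter        time.Time       `json:"not_after"`
}

// Envelope is the self-protecting data item: readable policy metadata plus an
// AES-GCM payload that uses the policy bytes as associated data.
type Envelope struct {
	Policy     json.RawMessage `json:"policy"`
	Nonce      []byte          `json:"nonce"`
	Ciphertext []byte          `json:"ciphertext"`
}

// Context is what the trusted application knows about the request at open time.
type Context struct {
	User, ClientIP, Op string
	Now                time.Time
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is done by the data owner: encrypt the payload and attach the policy.
func Seal(key []byte, p Policy, plaintext []byte) (*Envelope, error) {
	policyBytes, err := json.Marshal(p)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, policyBytes)
	return &Envelope{Policy: policyBytes, Nonce: nonce, Ciphertext: ct}, nil
}

// inSafeNetwork treats "connected to the company network" as membership in one of the CIDRs.
func inSafeNetwork(cidrs []string, ipStr string) bool {
	ip := net.ParseIP(ipStr)
	for _, c := range cidrs {
		if _, n, err := net.ParseCIDR(c); err == nil && ip != nil && n.Contains(ip) {
			return true
		}
	}
	return false
}

// Open is what the trusted, policy-enforcing application does: check every rule
// first, decrypt only on success, and reject an envelope whose policy or payload was altered.
func Open(key []byte, env *Envelope, ctx Context) ([]byte, error) {
	var p Policy
	if err := json.Unmarshal(env.Policy, &p); err != nil {
		return nil, err
	}
	switch {
	case !p.AllowedUsers[ctx.User]:
		return nil, fmt.Errorf("policy denied: user %q is not authorized", ctx.User)
	case ctx.Now.Before(p.NotBefore) || ctx.Now.After(p.NotAfter):
		return nil, errors.New("policy denied: data item is outside its validity period")
	case !inSafeNetwork(p.AllowedNetworks, ctx.ClientIP):
		return nil, fmt.Errorf("policy denied: environment %s is not regarded as safe", ctx.ClientIP)
	case !p.AllowedOps[ctx.Op]:
		return nil, fmt.Errorf("policy denied: operation %q is not allowed", ctx.Op)
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	// The policy bytes are the associated data: a forged policy fails here even if it passed above.
	pt, err := gcm.Open(nil, env.Nonce, env.Ciphertext, env.Policy)
	if err != nil {
		return nil, errors.New("integrity check failed: payload or policy has been altered")
	}
	return pt, nil
}
```

The important design choice is that the policy is authenticated but not encrypted: any application can read the rules (and explain a denial to the user), but only the key holder can issue a policy that will decrypt, and nobody can relax a policy after the fact without breaking the GCM tag. The checks themselves are only as trustworthy as the application that runs them, which is why the article insists on a trusted, policy-enforcing application.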

In addition, the software must be able to detect if it has been manipulated. Viruses could pretend to be a trusted application but in fact violate the data-centric security policy. One solution to this requirement is to compare hash codes of critical parts of the loaded code with the values recorded for the genuine software.
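The self-check just described, as an added example (not code from the article or from Atos): a manifest of SHA-256 digests is recorded for the critical components when the trusted application is released, and at start-up every component that was actually loaded is hashed and compared against the manifest. The component names and their contents are constructed stand-ins for real code sections.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// Manifest maps the name of a critical code component to the hex SHA-256
// digest it had when the trusted application was released.
type Manifest map[string]string

// Digest hashes one component's bytes.
func Digest(code []byte) string {
	sum := sha256.Sum256(code)
	return hex.EncodeToString(sum[:])
}

// BuildManifest is the release-time step: record the digest of every
// component that the policy enforcement depends on.
func BuildManifest(components map[string][]byte) Manifest {
	m := make(Manifest, len(components))
	for name, code := range components {
		m[name] = Digest(code)
	}
	return m
}

// VerifyLoaded is the start-up self-check: every component in the manifest must
// be present in what was actually loaded and must hash to the recorded value.
func VerifyLoaded(m Manifest, loaded map[string][]byte) error {
	for name, want := range m {
		code, ok := loaded[name]
		if !ok {
			return fmt.Errorf("critical component %q is missing", name)
		}
		got := Digest(code)
		if subtle.ConstantTimeCompare([]byte(got), []byte(want)) != 1 {
			return fmt.Errorf("component %q does not match its recorded hash", name)
		}
	}
	return nil
}

func main() {
	// Constructed stand-ins for code components; a real check would hash the
	// loaded binary sections or module files.
	release := map[string][]byte{
		"policy_engine": []byte("func evaluate(policy, ctx) ..."),
		"crypto":        []byte("func open(key, envelope) ..."),
	}
	manifest := BuildManifest(release)
	fmt.Println("pristine:", VerifyLoaded(manifest, release))

	tampered := map[string][]byte{
		"policy_engine": []byte("func evaluate(policy, ctx) { return allow }"),
		"crypto":        release["crypto"],
	}
	fmt.Println("tampered:", VerifyLoaded(manifest, tampered))
}
```

The manifest is only useful if it cannot be replaced together with the code it describes, so in practice it is embedded in a signed binary or delivered through the same trusted channel (company app store, certified vendor) that the article relies on for the application itself.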

Attaching a security policy to the data itself gives us much better and much more direct control over what can be done with the data than any perimeter-style security concept that tries to erect walls around what we’d like to protect. It allows us to specify data security rules in a borderless environment: regardless of whether the data is shared between private and professional use, whether it is stored locally, in a cloud or on enterprise servers, and whatever device we are using.

Therefore, the vision for the future is to share and distribute data that incorporates its own protection, giving users convenient and secure access. This will also satisfy the demands of security officers, and it will allow CFOs to take full advantage of cloud economies without boundaries.

Let’s make it happen.


About Martin Pfeil

Chief Technology Officer and member of the Scientific Community
Chief Technology Officer for the Global Siemens Account and member of the Atos Scientific Community. Martin has been working in the IT industry in areas like software / system engineering, IT infrastructure solutions, system consolidation, rollout projects as well as major outsourcing deals. In his current role he defines the Atos IT strategy for Siemens, researches new technologies and supports the portfolio and architect communities.
