Stiennon covered the McAfee/Onigma deal over at Threat Chaos this weekend. Although I knew about the deal I try and avoid vendor/industry coverage here at Securosis, and, to be honest, it really isn’t worth covering. (Onigma is tiny and agent based, not really the direction the market is heading, and by the time McAfee integrates the tech they’ll be WAY behind the ball).
But Richard does make an interesting statement: defining data protection as leak prevention + encryption + device management. It’s a reasonable start, but far too narrow.
For the past 5 years I’ve covered data security pretty exclusively; long before it was cool and sexy. Until recently data security’s been the red-headed step-child of the security world- always hanging out on the side of the playground, but the last kid you’d pick for your kickball team. These days that little red-head is all grown up, making his way through the early draft picks and getting ready to go pro (take THAT you overused security metaphors).
I like to define defensive security as four main security stacks (listed in a data/application centric order, you network guys tend to look at it differently):
- Host Security: a secure place to put stuff
- Data Security: securing the stuff
- Application Security: securing the things that access the stuff
- Network Security: securing the environment around the stuff
On the data security side I took about two years to develop a framework to pull together the disparate technologies being thrown at the problem, from database encryption, to DRM, to activity monitoring. While I can’t dig in too deep here (since all that intellectual property is controlled by my employer), I can still outline the framework since, at this point, all the information’s been used in multiple press interviews and public presentations.
The Data Security Hierarchy consists of the following layers, listed from top to bottom:
- Content Monitoring and Filtering (sometimes called leak prevention)
- Activity Monitoring and Enforcement
- Logical Controls
- Encryption (with Enterprise DRM sitting alongside it in the stack)
- Access Controls
These are just high-level general layers that sometimes encompass multiple technologies. CMF is usually a single technology, but, for example, there are about 10 different encryption technologies/markets. Overall there are about 20-30 different technologies shoved into the different layers, some with a very narrow scope (like portable device control), others with a pretty broad scope (like CMF).
Data security isn’t just a bunch of additive technologies tossed together. Just as we spent the 90’s and early 00’s devising models, frameworks, and approaches to network security, we need to do the same for data security.
Protecting data is very different from protecting networks and one of the bigger challenges in security in the coming years is to manage it strategically…
…and it ain’t just encrypt everything.
7 Replies to “Data Protection- it’s More than A + B + C”
decided to try and pull this all together into a framework and my first pass was the Data Security Hierarchy. While a good start at figuring out the various layers used to protect data, it really
So this blogger had the temerity to criticize my definition of the data protection space, which is leak prevention + encryption + device management. If you think about it that is a pretty broad definition of a space. Encryption alone accounts for 35 vendors. To give Rich credit, he truly was the first analyst to cover the data protection space. He has adopted a “definition” that is really the answer to the question: “how do I ensure that my data is safe?” That is a huge question and involves the entire realm of security products in its answer. So yes, include Digital Rights Management, and access control. You could, although Rich does not, include firewalls, biometrics, and anti-malware. But by doing so you are casting your net too widely. It is a tricky thing to define a market. It includes observing the vendors that compete and the bake-offs they participate in. Markets are self organizing. They are not defined by analysts, but, of course, analysts attempt to define markets because humans like organization and they like to categorize things. Admittedly Rich focuses on large enterprises and I focus on vendors, products, and solutions. That gives rise to the differences in our views. We are currently in the midst of a very active time for the data protection space as I have defined it. Leak prevention companies are partnering with encryption, messaging, and hardware vendors at a rate that is going to require a large map to document. The primary driver is the disclosure requirements in California 1386, which led to the cacophony of announcements of data loss we have chronicled here- but, increasingly, it is the realization on the part of the enterprise that bad guys are really targeting their critical information and they better do something to protect it. This is the early stage of a new security silo. Recognizing the drivers and the players is important to understanding the space. Keeping it simple will help to do so.
I stick to my definition.

Traveling to Santa Fe this week to join a workshop on the future of Malware. Then it is on to Sonoma for a weekend of picking olives in the rain. I will be in the Bay Area all day Monday, November 6th. Drop me a line if you want to meet up!
I published a little on data security a few weeks ago, and Mike calls for a simpler approach. I thought about it a lot, and it gave me a great idea for a new way to position data security within the data life cycle. The bad news is I’ll be publishing it through Gartner, since that’s sort of what pays the bills. It’s also why I can’t completely expand on what little I wrote here on Securosis, that would be a conflict of interest.
Rich,
I was half-kidding. Not to be “vendor-y” on your blog, but it’s this sort of thing that we do for CISOs, so it’s tough for me to give away too much. We build management models that help them understand the interrelationship between assets, controls, and data flow – and then help them understand how to build metrics to measure & model risk throughout.
I would encourage you as you flesh this out not to solely think of electronic data. Physical (paper/people) data security is just as important and sometimes falls under the CISO/CRO’s umbrella.
Transmission is a smaller part of the picture, but can be very important – especially if we consider paper.
Rich,
you are absolutely right that Network security, or denying access to the network, is not the same thing as allowing access to the data, which is information-centric security. Protecting the containers is not the same thing as protecting the contents. Too many analysts, pundits and security folk don’t understand the distinction, or they have not had to, until recently.
And you are also correct that encryption although important, is not enough. Data must be protected in its readable state as well.
Your framework seems reasonable based on the status quo (mostly network security), but it seems to me that proper data security management would mean access and logical controls at the data level, and thus monitoring for infractions and remediation (enforcement) and CMF would almost disappear if done properly.
Alex, great point.
I’ve either typically dumped that into the network stack, or at the encryption layer. I also talk a lot about it on the application security side.
But this question’s come up more than a few times. Enough it might be worth adding as a layer. I’d be interested in your opinion- should it be in the data security stack, and if so- which layer? (probably just above logical controls).
What, no “transmission security”?