Stiennon covered the McAfee/Onigma deal over at Threat Chaos this weekend. Although I knew about the deal I try and avoid vendor/industry coverage here at Securosis, and, to be honest, it really isn’t worth covering. (Onigma is tiny and agent based, not really the direction the market is heading, and by the time McAfee integrates the tech they’ll be WAY behind the ball).

But Richard does make an interesting statement, defining data protection as leak prevention + encryption + device management. It’s a reasonable start, but far too narrow.

For the past 5 years I’ve covered data security pretty exclusively; long before it was cool and sexy. Until recently data security’s been the red-headed step-child of the security world- always hanging out on the side of the playground, but the last kid you’d pick for your kickball team. These days that little red-head is all grown up, making his way through the early draft picks and getting ready to go pro (take THAT you overused security metaphors).

I like to define defensive security as four main security stacks (listed in a data/application centric order, you network guys tend to look at it differently):

  1. Host Security: a secure place to put stuff
  2. Data Security: securing the stuff
  3. Application Security: securing the things that access the stuff
  4. Network Security: securing the environment around the stuff

On the data security side I took about two years to develop a framework to pull together the disparate technologies being thrown at the problem, from database encryption, to DRM, to activity monitoring. While I can’t dig in too deep here (since all that intellectual property is controlled by my employer), I can still outline the framework since, at this point, all the information’s been used in multiple press interviews and public presentations.

The Data Security Hierarchy consists of:

  1. Content Monitoring and Filtering (CMF, sometimes called leak prevention)
  2. Activity Monitoring and Enforcement
  3. Logical Controls
  4. Encryption
  5. Enterprise DRM
  6. Access Controls

These are just high-level general layers that sometimes encompass multiple technologies. CMF is usually a single technology, but, for example, there are about 10 different encryption technologies/markets. Overall there are about 20-30 different technologies shoved into the different layers, some with a very narrow scope (like portable device control), others with a pretty broad scope (like CMF).

Data security isn’t just a bunch of additive technologies tossed together. Just as we spent the 90’s and early 00’s devising models, frameworks, and approaches to network security, we need to do the same for data security.

Protecting data is very different from protecting networks and one of the bigger challenges in security in the coming years is to manage it strategically…

…and it ain’t just encrypt everything.