I was on a client reference call today learning about someone’s DLP deployment, and it highlighted one of the biggest issues we often face when moving to an information-centric model. No, it’s not a failure of content analysis techniques, data classification, or over-hyped tools; it’s that we often don’t even know who owns what, who’s supposed to have access to what, or what’s actually in our own infrastructure.
I often start my data security/information-centric rants by mentioning you need to have good identity management in place, but I don’t normally spend a whole lot of time talking about the details.
The truth is, this comes up all the time when I’m talking with end users who are implementing this stuff. Often they don’t have a good directory infrastructure, or one that reflects the org chart, and thus they can’t do everything they want with their DLP, DAM, or other tools. Sometimes they don’t even know where all their assets/servers are, or how to access them for scanning.
Thus the tip: if you have a good directory infrastructure that accurately reflects your organizational structure, you’ll be in much better shape for any of these projects. Many of these tools can directly integrate with AD/LDAP, allowing you to build role-based policies.
You can’t inform someone’s manager they’re sending customer lists home or running weird DB queries if you don’t know who they work for.
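To make the tip concrete, here is an added example (not code from the original post or from any DLP product) of how a DLP event handler can lean on the directory: it resolves the user behind an event to their group memberships and their manager, applies a role-based policy per data class, and routes the alert. The directory entries, group names, data classes and the `unowned-review-queue` fallback are all constructed for the example; in a real deployment the same `memberOf` and `manager` attributes would come from an AD/LDAP search. The `stale` entry, whose manager DN no longer exists, and the `ghost` user, who is not in the directory at all, show what happens when the directory does not reflect the org chart: the tool cannot tell the manager, so the event has to fall into a review queue instead.

```python
"""Route a DLP event using directory data: roles from memberOf, escalation via manager.

Added example with a constructed in-memory stand-in for an AD/LDAP tree.
"""
from dataclasses import dataclass
from typing import Optional

BASE = "ou=people,dc=example,dc=com"
GROUPS = "ou=groups,dc=example,dc=com"

# Constructed directory: DN -> attributes. The "stale" user references a manager
# who has left the company but was never cleaned up in the directory.
DIRECTORY = {
    f"uid=asmith,{BASE}": {
        "uid": "asmith",
        "memberOf": [f"cn=sales,{GROUPS}"],
        "manager": f"uid=bjones,{BASE}",
    },
    f"uid=bjones,{BASE}": {
        "uid": "bjones",
        "memberOf": [f"cn=sales-managers,{GROUPS}"],
        "manager": f"uid=cdoe,{BASE}",
    },
    f"uid=cdoe,{BASE}": {
        "uid": "cdoe",
        "memberOf": [f"cn=executives,{GROUPS}"],
        "manager": None,  # top of the chain: no manager attribute
    },
    f"uid=stale,{BASE}": {
        "uid": "stale",
        "memberOf": [f"cn=engineering,{GROUPS}"],
        "manager": f"uid=departed,{BASE}",  # dangling reference
    },
}

# Role-based policy (constructed): which group CNs may send each data class out.
POLICY = {
    "customer_list": {"sales", "sales-managers"},
    "source_code": {"engineering"},
}

UNOWNED_QUEUE = "unowned-review-queue"  # hypothetical fallback when no manager resolves


@dataclass
class Disposition:
    user: str
    severity: str
    notify: str
    reason: str


def find_entry(uid: str) -> Optional[dict]:
    """Look a user up by uid (stand-in for an LDAP search on (uid=<uid>))."""
    return DIRECTORY.get(f"uid={uid},{BASE}")


def rdn_value(dn: str) -> str:
    """Return the first RDN's value, e.g. 'sales' from 'cn=sales,ou=groups,...'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def manager_uid(entry: dict) -> Optional[str]:
    """Resolve the manager attribute to a uid; None if absent or dangling."""
    manager_dn = entry.get("manager")
    if not manager_dn or manager_dn not in DIRECTORY:
        return None
    return DIRECTORY[manager_dn]["uid"]


def evaluate(uid: str, data_class: str) -> Disposition:
    """Decide severity and who to notify for a DLP event on (uid, data_class)."""
    entry = find_entry(uid)
    if entry is None:
        # The post's core problem: we do not know who this person is or works for.
        return Disposition(uid, "high", UNOWNED_QUEUE, "user not in directory")
    roles = {rdn_value(group_dn) for group_dn in entry.get("memberOf", [])}
    allowed = POLICY.get(data_class, set())
    manager = manager_uid(entry)
    notify = manager if manager else UNOWNED_QUEUE
    if roles & allowed:
        severity, reason = "low", "role permits this data class"
    else:
        severity, reason = "high", "no role permits this data class"
    if manager is None:
        reason += "; no resolvable manager"
    return Disposition(uid, severity, notify, reason)


if __name__ == "__main__":
    events = [("asmith", "customer_list"), ("cdoe", "customer_list"),
              ("stale", "source_code"), ("ghost", "customer_list")]
    for user, data_class in events:
        print(evaluate(user, data_class))
```

The point of the two failure cases is that the policy engine is only as good as the directory behind it: a dangling `manager` attribute or a missing user entry does not make the event disappear, it just means nobody specific gets told, which is exactly the gap the post describes.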
4 Replies to “Information-Centric Security Tip: Know Your Users and Infrastructure”
Got it. It’s our usual conundrum of what’s possible today, vs. where we’ll be in the long term.
A new identity model you say? That’s not a bad idea! (wink!)
…
Seriously, your tips are good for today’s environment. My jibe is this is not ICS. Not arguing against Identity Management or Identity Verification, nor am I saying that ICS does not need this because it does … only saying those (AD/LDAP) embodiments are limiting as they are more about resource usage. LDAP is not really a business context (unless your “business” is file management), it is more of a resource gateway. Plus, access rights and group roles are external to the data. To view it another way, if I can bypass or fool AD, the data usage is wide open in today’s access control model. Without AD, do whatever you want. ICS still requires tools to perform the identity and authenticity, but identity, usage and roles are built in.
Adrian,
I’m not sure how we completely avoid utilizing existing identity models, short of creating a new one. AD/LDAP and such are an important component to allow us to take role, group, and user identities and tie them to our ICS model/tools.
For us to build policies, the data at some point needs to know who the user is, and what roles they have. I don’t think we’re anywhere close to embedding that logic completely into the data, unless you know of something I don’t.
what functions those IT assets perform, and even more so with what users have direct and indirect access to various functions within the enterprise. But that is neither here nor there.
Data that is self defending and self describing could care less about active directory and LDAP. Yes, identity is important, and I agree with your examples. However, part of the motivation for ICS is the unidirectional trust model is not sufficient, part is the reliance on infrastructure to protect content, part of the issue is access control as we know it is insufficient (both in terms of identity and use rights). AD & LDAP could be augmented to work with an ICS model, but we need to change the way we think about data security to move to this model. Thinking about access control, use rights and identity in terms of AD & LDAP is the wrong way to approach this, IMO, and embodies a conventional approach that has already been shown to be lacking.