Data Centric Security… Yeuch

Jun 1st, 2007

Comments: 3
Category: General Security


Rational Security: For Data to Survive, It Must ADAPT…
EDIT: I've had a couple of comments on this posting saying that I was bad-mouthing Hoff with it. That wasn't my intention and I apologise if it came across like that. I actually agree with most of what he says, just not the bit about data-centric security/information classification.
All this data-centric security stuff sounds really good in principle, but to be honest I'm not buying it, for three reasons.
One: there's no widely agreed open DRM standard that companies are applying now. For data-centric security to work, every system that processes the data has to be able to understand the security metadata attached to it and be able (if permitted) to process it. To be honest I just don't see that happening, even in the medium to long term, and without it the idea won't fly. Imagine telling a senior exec that he can't get his board report on his handheld device because it doesn't support [standard X] yet and so can't read the DRM-encrypted file.
Two: more importantly, the idea of assigning security levels to individual data items or collections of data items seems really unmanageable to me. Take Office/e-mail security at the moment. Ultimately, for most corporations the majority of their data will at some point reside in an (MS) Office and/or e-mail format. Right now most companies manage access to that in an incredibly coarse-grained fashion, with whole data shares assigned to large groups of users, and even that is seen as not flexible enough by a lot of end users. If share-level access for large groups is already a struggle to administer, per-item labels are a far bigger one…
Three: data-centric security has already been trialled in a large multi-company, multi-system environment that everyone has heard of, DRM on music files, and it has been a complete disaster. Users absolutely hate it and have spent a large amount of effort bypassing it, the lack of industry standards has created a monopoly, and even the record companies seem to be backing off from it…


  1. Christofer Hoff June 2, 2007 at 1:17 am

    You’ve taken the concept I wrote about to one extreme — one that I wasn’t really talking about.
    You’re focused on the polarizing issue of DRM and all the fracas that goes along with it.
    I’m talking about taking the first step of making security enforcement decisions at the network level on content in context at line speed.
    The technology I am referring to isn’t DRM, it’s data classification and policy enforcement for how network flows are allowed to move around, in and out of a network and is not format, application, OS or language specific.

  2. Rory June 2, 2007 at 9:52 am

    True true, to be honest my post is more a reaction to the flow of data-centric security posts that I’ve been seeing for a while than anything else.
    That said your post mentioned the Jericho forum principles and also IP leakage/extrusion and those are concepts that seem to be getting traction.
    All these things rely on either the data having encryption and descriptive metadata (DRM) or on solutions examining the data content and attempting to classify it as it goes by (kinda sounds like IDS without any easy-to-create signatures), and I think they're all a bad idea(tm).
    I’ve tried to clarify what my points are here
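The kind of content classification and flow policy the two comments above are discussing, as an added illustration that is not part of the original post or of any product Hoff is referring to: the payload is classified on the fly (a Luhn-validated card-number pattern plus a couple of keyword rules) and an egress policy decides whether the flow may leave. The keyword rules, policy table, hostnames, labels and sample messages are all constructed for this example.

```python
import re

# Luhn checksum: a 13-16 digit run is only treated as a card number (PAN)
# when it validates, which keeps order numbers and similar from matching.
def luhn_ok(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

# 13-16 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")

# Constructed keyword rules: phrase -> classification label.
KEYWORDS = {"board report": "confidential", "internal only": "internal"}

def classify(text: str) -> set:
    """Return the set of classification labels found in the payload."""
    labels = set()
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            labels.add("pci")
    lowered = text.lower()
    for phrase, label in KEYWORDS.items():
        if phrase in lowered:
            labels.add(label)
    return labels

# Constructed policy: which labels may flow to each destination class.
POLICY = {
    "internal": {"public", "internal", "confidential", "pci"},
    "partner":  {"public", "internal"},
    "external": {"public"},
}

def destination_class(host: str) -> str:
    """Constructed mapping of a destination host to a trust class."""
    if host.endswith(".corp.example"):
        return "internal"
    if host.endswith(".partner.example"):
        return "partner"
    return "external"

def decide(text: str, dest_host: str):
    """Classify the payload and return (verdict, labels, blocked_labels)."""
    labels = classify(text) or {"public"}
    allowed = POLICY[destination_class(dest_host)]
    blocked = labels - allowed
    verdict = "allow" if not blocked else "block"
    return verdict, sorted(labels), sorted(blocked)

# Constructed sample flows: (payload excerpt, destination host).
SAMPLE_FLOWS = [
    ("Q2 board report attached, see slide 4", "mail.corp.example"),
    ("Q2 board report attached, see slide 4", "webmail.example.net"),
    ("customer card 4111 1111 1111 1111 exp 12/09", "files.partner.example"),
    ("order ref 4111 1111 1111 1112 shipped", "webmail.example.net"),
]

if __name__ == "__main__":
    for payload, host in SAMPLE_FLOWS:
        verdict, labels, blocked = decide(payload, host)
        print(f"{verdict:5} -> {host:22} labels={labels} blocked={blocked}")
```

The fourth sample flow is allowed only because its sixteen digits fail the Luhn check; drop that check and every 13-16 digit order or account number becomes a "pci" hit, which is the signature-quality problem that makes this harder than a simple pattern match.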

  3. Christofer Hoff June 3, 2007 at 6:10 am

    I didn’t take it that way, man! No worries.
    Healthy discourse, that’s all.
    No worries. The dialog continues.
