Data-centric security as a business enabler
Last week was filled with large conferences in the area of cloud services, including the Salesforce.com Dreamforce conference and VMware's VMworld event. I had a chance to attend several Dreamforce sessions in person at Moscone Center and talked with a number of customers who had spent time at VMworld in Las Vegas.
While Salesforce is trying to capture the attention of the ecosystem with the notion of the "social enterprise" and VMware continues to drive infrastructure efficiency, the common denominator between the two is that they take a platform orientation and present compelling business benefits in terms of increased business agility and resource effectiveness.
What’s the connection with information security? For me, it was a chance to exchange perspectives with folks in the security world who are coping with significant challenges in terms of taking advantage of cloud services, dealing with mobile access to the enterprise, and adapting to enterprise adoption of consumer devices and services all within an increasingly hostile threat environment.
What I have noticed is that some customers are changing their information security program investments, resource allocation and risk management approaches. This shift can be summarized as a transition from an infrastructure-centric to a data-centric security orientation. Compliance and privacy initiatives are part of this transition as well.
Encryption and key management play a central role in this transition. As the business requirements placed on enterprises demand continuous access to information across a broad array of devices that are often difficult to control (e.g. mobile phones and tablets), the implications from an information security program standpoint can be distilled down to an increase in the attack surface. Encryption provides an effective way to reduce this attack surface. The problem of defending mission-critical enterprise assets is transformed from one that exists wherever data is stored, accessed, manipulated and transmitted into the much smaller problem of managing keys. This is a big win for the enterprise and supports business initiatives such as the social enterprise and more efficient virtualized infrastructure.
In order to move to a data-centric information security program, an enterprise needs to understand what data needs to be protected and under what circumstances. Nearly all organizations are likely facing situations where critical information is dynamic and growing rapidly. As such, it is important to have criteria for deciding which data requires the primary attention. This is a risk management issue. Managing risk requires an understanding of the business, the threat environment, the compliance requirements (internal as well as government- and industry-mandated), and the controls available. I have noticed that a number of effective information security programs have adopted a business process point of view to assess risk. Evaluating business processes (think "quote-to-cash", "stock-to-ship" and "request-to-resolution") is more natural and reveals confidentiality risks (potential data breaches) as well as availability risks (system downtime) in ways that are tied directly to business metrics such as revenue, profits and liability. This business process point of view also lends itself to effective policy enforcement through mechanisms such as end-to-end encryption across the entire set of applications that support the process.
I think the major win here is that information security can play a role as a business enabler and support IT effectiveness and efficiency as enterprises move to take advantage of technology trends such as the social enterprise and virtualized infrastructure.