Mike Bass, Head of Customer Strategy at Ionic Security, mapped out a new, data-centric security policy.
At the 2016 Chief Information Security Officer Leadership Forum held in Chicago on June 22, Bass pointed out that security strategy policy has historically been somewhat of a blueprint exercise. “You take your security policy and see if it maps up with a company’s functionality. You apply it to wherever the data is, wherever it’s contained. But if we do that, are we protecting the data or are we protecting the container, service, application, or whatever the data sits in?” he asked. “We’re protecting what the data sits in, not the data. For the past 25 years, that’s what we’ve been doing. However, it no longer works because that sort of security policy is applicable on a smaller scale but not for a big enterprise. It doesn’t scale.”
Bass looked at the information security industry and concluded that the way it does data protection, access control, and entitlements is wrong for today’s environment. “It’s wrong because data no longer lives in individual locations that can be addressed by security solutions directed at each of those individual locations. Data is everywhere these days. It’s like Schrödinger’s Cat—I don’t know where it is until I go look at it,” he said. “How does protecting a system, an app, or a container solve the problem of securing data that’s everywhere?”
Bass asked himself how he’d solve this problem if he decided to create a strategy policy from scratch. His first realization was that the security strategy had to be data-centric rather than securing the container. “The data element has to be protected by a key that’s tied to the policy,” he explained. “The policy defines who can and can’t access that key, which means who can and can’t access that data. By focusing on the data instead of the system, there’s visibility and knowledge about content creation and consumption, no matter where the data lives or goes. However,” said Bass, “building data centricity into every application would be incredibly complicated. Data centricity has to be a service.”
Making security data-centric means taking security standards and policies and turning them into a machine-enforceable action at a service level. This enables a smaller workload at the endpoint, which is anywhere the data is consumed or created, Bass explained. “Keys need to be set up for every single application unless a data-centric model is used, which is an ask-and-answer system. As content is created, instead of having keys for every app to do that work, the system asks questions of the service—the answers to which the system identifies as valid—and it provides the key.”
The essentials of this data-centric approach are:
• One key per data element
• Key access mapped directly to security policy
• Logging for all data creation and access
• Behavioral analytics
• Anomaly detection
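To make the ask-and-answer model concrete, here is an added illustration (not Ionic Security's product and not code from Bass's talk) of a key service built around the five essentials above: every data element is sealed under its own fresh key, the key is released only when the requester's role satisfies the policy attached to the element's classification, every creation and access is logged, and a simple behavioral rule over that log (a subject unlocking more distinct elements per window than expected) denies further key release. The HMAC-based keystream, the role-based policy, the window threshold, and all subject and record names are assumptions chosen so the example runs on the Python standard library alone; a production service would use an authenticated cipher such as AES-GCM and a richer policy engine.

```python
"""Toy data-centric key service: one key per data element, policy-gated key
release, an access log for every create/read, and a simple anomaly rule.
Added illustration only; it is not Ionic Security's code or Bass's design."""
import hashlib
import hmac
import secrets
import time
from typing import Dict, List, Optional, Set, Tuple


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy stream cipher (HMAC-SHA256 in counter mode) so the example needs no
    # third-party library. Assumption for illustration; use AES-GCM in practice.
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class KeyService:
    """Holds the per-element keys; applications only ever hold envelopes."""

    def __init__(self, policy: Dict[str, Set[str]], max_per_window: int = 5, window_s: float = 60.0):
        self.policy = policy            # classification -> roles allowed to receive the key
        self._keys: Dict[str, Tuple[bytes, str]] = {}   # key_id -> (key, classification)
        self.log: List[dict] = []       # every create and read, allowed or not
        self.max_per_window = max_per_window   # anomaly threshold (assumed value)
        self.window_s = window_s

    def create(self, subject: str, classification: str, plaintext: bytes) -> dict:
        """Seal one data element under its own fresh key and return the envelope."""
        key_id = secrets.token_hex(8)
        key = secrets.token_bytes(32)
        nonce = secrets.token_bytes(12)
        self._keys[key_id] = (key, classification)
        self._log("create", subject, key_id, classification, True)
        return {"key_id": key_id, "nonce": nonce, "ciphertext": _keystream_xor(key, nonce, plaintext)}

    def open(self, subject: str, role: str, envelope: dict) -> Optional[bytes]:
        """Ask-and-answer: the consumer states who it is; the service decides whether
        the key may be released. Returns the plaintext, or None when denied."""
        key_id = envelope["key_id"]
        key, classification = self._keys[key_id]
        allowed = role in self.policy.get(classification, set()) and not self._is_anomalous(subject)
        self._log("read", subject, key_id, classification, allowed)
        if not allowed:
            return None
        return _keystream_xor(key, envelope["nonce"], envelope["ciphertext"])

    def _is_anomalous(self, subject: str) -> bool:
        # Behavioral rule over the access log: too many distinct elements
        # unlocked by one subject inside the window is treated as anomalous.
        now = time.time()
        recent = {
            e["key_id"] for e in self.log
            if e["subject"] == subject and e["action"] == "read" and e["allowed"]
            and now - e["ts"] <= self.window_s
        }
        return len(recent) >= self.max_per_window

    def _log(self, action: str, subject: str, key_id: str, classification: str, allowed: bool) -> None:
        self.log.append({"ts": time.time(), "action": action, "subject": subject,
                         "key_id": key_id, "classification": classification, "allowed": allowed})

    def denied_events(self) -> List[dict]:
        return [e for e in self.log if not e["allowed"]]


def demo() -> dict:
    """Constructed scenario: six confidential records, one analyst who reads them
    all in quick succession, and a guest who should never get the key."""
    svc = KeyService(policy={"confidential": {"analyst", "admin"},
                             "public": {"analyst", "admin", "guest"}})
    envelopes = [svc.create("app-hr", "confidential", f"record {i}".encode()) for i in range(6)]
    analyst_reads = [svc.open("alice", "analyst", env) for env in envelopes]
    guest_read = svc.open("eve", "guest", envelopes[0])
    return {"analyst_reads": analyst_reads, "guest_read": guest_read,
            "denied": len(svc.denied_events())}


if __name__ == "__main__":
    result = demo()
    print("analyst reads:", result["analyst_reads"])
    print("guest read:", result["guest_read"], "| denied events:", result["denied"])
```

Run as-is, the analyst recovers the first five records, the sixth request trips the window rule and is denied, and the guest is denied by policy; both denials are in the log alongside every successful create and read, which is the visibility the list above calls for.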
“This boils down to removing the silos,” said Bass. “With a data-centric security model, the policy and control of the data follow the data itself—inside or outside your company, on or off the network—and everywhere the data is touched, consumed or created, you have logs, analytics, and visibility.”
Data-centric information protection as a service has to be federated, noted Bass, because no one vendor can do this.
In closing, Bass pointed out that data centricity results in no longer needing keys, and therefore the need to manage keys becomes obsolete.
ABOUT MIKE BASS:
Mike Bass is the Head of Customer Strategy for Ionic Security. Prior to joining Ionic, he ran Security Strategy and Standards at Citi. Mike has over 25 years of experience in cryptography and security in financial services, healthcare, and the U.S. military. He has a B.S. in Information Technology, and his experience includes tenures at Entrust, PGP, Certicom, Baltimore Technologies, NetLock, Montgomery Securities, Loral Space Systems, HP, and the U.S. Air Force.