For many years now, the “IT” industry has been focused mainly on “securing the network”. The idea is that a company secures its information assets the way it secures its physical assets: computers outside the corporate building can’t get onto the corporate network, which is where all of the corporate data is stored. The problem, however, has been that data creeps outside the corporate building much more easily than a physical asset does. For example, data goes right out the door on company laptops all the time.

This phenomenon has led to a significant effort in many organizations to “secure the client”. The idea here is to put firewalls and other security software on individual computer systems as well, so that when they are outside the physical network and connected back (via VPN, for example), the individual computer does not create a weak link in the overall network’s security.

There is a problem, however. It is impossible to secure a company’s DATA with this approach. There are just too many ways to get inside a network. For example, there are always systems that need to be available to the internet, and some kind of hole into the network must be created to make that possible. Also, there are just too many ways to physically get on the network, either by actually walking through the company doors and plugging into a network port behind the firewall or by connecting to a wireless access point that is effectively spreading the physical network outside the office walls. Finally, there is always the threat of an unsuspecting user just emailing data out or burning a CD and giving it to someone outside the company. Like I said earlier, there are just too many easy ways to get at data assets that the traditional “secure network” approach can’t deal with, no matter how good a company may be at securing its network and computer operating systems.

This is why we really have changed our view on security to a different paradigm. That paradigm is securing DATA rather than the NETWORK. Network and operating system security is one layer of protection for data, but when you don’t rely solely on that, you see threats more broadly and implement things like sensitive data encryption (no matter where that data might sit), data redirection and centralization, and heavy user awareness training.

The question in my mind is where does this go in the future? Well… could it be where DRM comes in perhaps? Let me back up…

We often protect data itself by encrypting it… on laptops, on desktops, even on servers if it is really sensitive data. The problem is that an individual file sitting on a hard disk may be encrypted, but when you pull it off that encrypted volume and email it out to someone who is not authorized to view it (leak the file), it is no longer encrypted and the unauthorized party can read it. However, if I email you an iTunes song that I bought, you may have the file (which you are not authorized to use since you didn’t pay for it) but you cannot play it in iTunes. What prevents you from doing this is DRM (Digital Rights Management), which is a method of encrypting the individual file so it is unplayable by an unauthorized user.

Now, I hate DRM on my music, but my question is this… could this DRM (individual file encryption) be the way to truly protect corporate data? If the DRM were effective, even if an attacker found a way to get through network security and operating system security, the data they got would still be unusable. This, in theory, would be a perfect way to protect company data instead of depending on protecting the network, and a very nice change in paradigm. The problem would be all the same problems that currently exist with DRM on music… first, it always ends up cracked, and second, it annoys users. Could a brilliant system of DRM, though, solve these drawbacks and make it the killer app for corporate data security?
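The per-file protection described above, as an added sketch that is not part of the original post: each file is sealed under its own key, and a hypothetical `KeyService` releases that key only to listed users, so a leaked copy stays ciphertext wherever it ends up. All names and the sample document are constructed, and the HMAC-based cipher is a standard-library stand-in for a real AEAD such as AES-GCM.

```python
import hashlib, hmac, secrets

def keystream(key, nonce, n):
    # HMAC-SHA256 in counter mode: a stdlib stand-in for AES-GCM so this runs offline.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def subkeys(key):
    # Separate keys for encryption and for the integrity tag.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def seal(key, plaintext):
    enc_key, mac_key = subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    enc_key, mac_key = subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or modified file")
    return bytes(a ^ b for a, b in zip(ct, keystream(enc_key, nonce, len(ct))))

class KeyService:
    """Hypothetical rights server: the only place content keys are stored."""
    def __init__(self):
        self.records = {}  # file_id -> (content_key, set of authorized users)

    def protect(self, plaintext, allowed_users):
        file_id, key = secrets.token_hex(8), secrets.token_bytes(32)
        self.records[file_id] = (key, set(allowed_users))
        return file_id.encode() + seal(key, plaintext)  # this blob is what travels

    def release_key(self, file_id, user):
        key, allowed = self.records[file_id]
        if user not in allowed:
            raise PermissionError(f"{user} is not authorized for {file_id}")
        return key

def read_protected(service, blob, user):
    # The reader must ask the service for the key every time, wherever the file sits.
    file_id = blob[:16].decode()
    return unseal(service.release_key(file_id, user), blob[16:])
```

What this does not solve: an authorized reader ends up holding the plaintext after decryption, which is where the cracking problem mentioned above comes from.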

I suppose a third paradigm is available… assume privacy is dead and learn to move that much faster in business. Not sure I’m totally against that idea either.
