Data-centric is so yesterday!
I was talking to Dr Guy Bunker, SVP products at Clearswift, about BYOD and his content-aware gateways for web and email. So, I said, you’re effectively saying that since users will always get around traditional security, the best solution is to protect the content rather than simply attempt to restrict the user. “Essentially,” he answered, “that’s correct.”
Then, I suggested, we can place you squarely in the data-centric school of security thought?
Not really, he said. I prefer to think of us as information-centric. “Data-centric,” he said, “would indicate… well, it’s basically a blob of data, and there’s no understanding of the information that’s contained within that blob of data.”
Data is just bits and bytes. Knowledge, however, comes from understanding the information contained in those bits and bytes.
I’ll give you a simple example, he said. “If somebody sends your company an order, and in that order is a list of things they want to buy, and also information around their credit card details; well, as a lump of data it’s an order (which is good). But you might decide that some of that order will be fulfilled by third parties, so you send it out.
“But not understanding all of the information in it could then put you foul of something like PCI DSS where you are not allowed to send credit card information out to those third parties. So if you were to do traditional (data-centric) DLP then you can detect the credit card information and block the communication. That,” he said, “is taking a very data-centric approach to security.”
It’s not good enough, because in blocking a very small amount of dangerous data you prevent the circulation of a larger amount of beneficial information: OK for security; not OK for business.
However, “if you go to the next level of granularity, and become information-centric, then you can start to be a bit smarter. You know that you’re not allowed to send credit card information out, but in fact all the other information is good. Why not, then, simply redact the credit card information and allow the rest?” You can only do that if you understand the information held within the data.
But he doesn’t stop there. “We’re not merely information-centric, we’re information-in-context-centric. So if you’re sitting in-house behind all of your perimeter defences then your access to the information contained in the data will be at one level; but if you’re outside the perimeter sitting in a cyber cafe with an untrusted terminal on public WiFi, then the information that you should be presented with should be far more limited. It might be that you get to see the email including the credit card data when you’re in-house; but when you’re outside you get to see the email, but not the credit card. It’s all about becoming information-centric rather than just being data-centric – you need that extra level of granularity in order to maximise control of how much company information can be accessed by which users in what locations and contexts.”
That is being information-centric. Data-centric is so yesterday.
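The block-versus-redact distinction and the context rule described above, as an added sketch that is not Clearswift's code or part of the original interview. The context labels, function names and sample order are constructed assumptions, and card numbers are found with a simple digit pattern plus a Luhn check.

```python
import re

# Candidate card numbers: 13-19 digits, optionally split by spaces or hyphens.
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
TRUSTED_CONTEXTS = {"in_house"}  # assumed label for users behind the perimeter

def luhn_ok(digits):
    """Luhn checksum, used to discard digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def pan_spans(text):
    """Return (start, end) offsets of Luhn-valid card numbers in text."""
    return [m.span() for m in PAN_RE.finditer(text)
            if luhn_ok(re.sub(r"[ -]", "", m.group()))]

def data_centric(text):
    """Traditional DLP: any card number blocks the whole message (None)."""
    return None if pan_spans(text) else text

def information_centric(text, context):
    """Redact only the card number, and only outside a trusted context.
    Unknown contexts are treated as untrusted."""
    if context in TRUSTED_CONTEXTS:
        return text
    out, last = [], 0
    for start, end in pan_spans(text):
        out += [text[last:start], "[REDACTED PAN]"]
        last = end
    return "".join(out + [text[last:]])

# Constructed sample order; 4111 1111 1111 1111 is a well-known test number.
ORDER = ("Order 20417: 3 x widget, 1 x bracket. "
         "Card 4111 1111 1111 1111 exp 09/27. "
         "Warehouse ref 1234 5678 9012 3456.")

if __name__ == "__main__":
    print("blocked" if data_centric(ORDER) is None else "sent")
    for ctx in ("in_house", "third_party", "cyber_cafe"):
        print(ctx, "->", information_centric(ORDER, ctx))
```

The warehouse reference fails the Luhn check, so it passes through untouched while the card number is removed.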