Quite possibly the biggest advantage of this approach, however, is that it allows business users — not the IT department — to truly own information, the rights associated with it, and its flow across the organization. Business can take responsibility for the security of data, since they feel they own the data itself. IT’s primary role will be to focus on computing devices, servers, networks, etc. Ultimately, information-centric data security can bring about better partnerships between business and IT since the lines of responsibility for security can be clearly drawn. Dr. Pradeep Khosla, founder of Carnegie Mellon CyLab on an Information-Centric Approach to Data Protection (ISA Comments to Hathaway on Improving Information Security Architecture)
In Paper for White House's Melissa Hathaway, Pradeep Khosla Urges an Information-Centric Approach to Cyber Security
At a recent hearing of the U.S. House of Representatives subcommittee on Communications, Technology and the Internet, Larry Clinton of the Internet Security Alliance testified on cyber security challenging that confront us. You can read the transcript of his testimony, and view the C-SPAN recording of it, on the ISA's site.
Among his supporting documents, Clinton offered several policy papers submitted "as part of the process for Melissa Hathaway’s 60-day review. "Board members of the Internet Security Alliance provided policy papers addressing some of the more difficult issues for the nation," Clinton said.
One of these policy papers was authored by CyLab's founder, Pradeep Khosla.
Here is a brief excerpt with a link to the full text:
Benefits of information-centric security
There are significant advantages to the information-centric security approach.
Protect data wherever it goes. The main benefit of an information-centric approach is the ability to protect the critical asset at all times, without interruption. Unlike perimeter defenses, it protects data from both insider and outsider threats and has the added benefits of device independence, network independence, and the ability to protect data in virtual environments. The data becomes smarter and self-defending, and is therefore much easier to share and collaborate with.
Align with business flows. Since policies for data use are always with their respective data, that data can be shared and collaborated on with more confidence. Legitimate users are not restricted to certain devices or networks since the appropriate security and access policies will ensure and enforce user rights regardless of where the data is. Quite possibly the biggest advantage of this approach, however, is that it allows business users — not the IT department — to truly own information, the rights associated with it, and its flow across the organization. Business can take responsibility for the security of data, since they feel they own the data itself. IT’s primary role will be to focus on computing devices, servers, networks, etc. Ultimately, information-centric data security can bring about better partnerships between business and IT since the lines of responsibility for security can be clearly drawn.
Reduce costs and complexity. The device independence of information-centric security significantly reduces the number of separate device-centric or network-centric security solutions. Subsequently, it lowers acquisition costs, maintenance burden, and man-hours associated with integrating multiple pieces of hardware and software. The information-centric approach protects critical data assets themselves, regardless of the device or network that carries them. An organization can secure data with far fewer solutions and with far less man power.
Increase end-user transparency. A major cause of data breaches is when legitimate users, while trying to be productive, work around security restrictions. Why would they do such a thing? Because following the security practices dictated is often inconvenient and creates more work for them. A security solution should remain as transparent as possible to end users. If user workflow is not hindered or altered, there is a significantly higher chance that the security program will be followed, and hence be more effective. Information-centric security can be extremely transparent, since the protection is with the data itself. Users do not have to explicitly make decisions about valid devices, network authentications — all these policies are contained in the data itself and can be managed centrally, so they can operate as usual without interference.
The requirements of an information-centric security platform
The basics of information-centric security exist today, and they’re very well suited to commercial and federal data protection scenarios, particularly those answering the protection requirements of regulatory compliance. The following are the basic requirements for a true information-centric approach to data protection.
1. Smart data with embedded policies
Before data can be adequately protected, it needs to be easily identified and managed; you can’t hit a security target if you don’t know where it is or what it looks like. If data objects are enriched with metadata tags that carry security policies, that data can be empowered to protect, replicate, or even delete itself, as required. As a result, an information-centric security approach could enable files to communicate their vital characteristics to the devices they pass through, as well as to other data objects, throughout the cycle of their lives.
2. Universal policy language
To realize truly effective and universal information-centric security, security policies and the codes describing them need to become industry-wide standards. As data travels between servers, laptops, and removable media, the policies that govern its protection need to be enforced, regardless of the platform. To make sure those policies are interpreted uniformly throughout an enterprise, there has to be a common policy language, embedded in the data itself, that every device can understand. That way, no matter where the data moves or resides, or the security solution that protects the data, the policies governing its access remain in force.
3. User-friendly implementations
Any successful information-centric security solution needs to be transparent. That is, users shouldn’t have to modify their work habits or change their business practices in order to benefit from the security solution. If they do, the solution will almost certainly fail. Why? Because most people will reject changes imposed on their familiar work patterns and bypass new security provisions they consider a nuisance. Nor should an organization’s current software applications or computer platforms have to be upgraded as part of the security deployment; an information-centric approach is capable of working with any device, on any platform, without requiring special patches or programming. Otherwise, implementation costs will be prohibitive. Beyond that, essentially all IT environments today utilize legacy systems to some extent. That makes it difficult for administrators to justify major overhauls solely for the sake of security. But by taking an information-centric versus a device-centric approach, it is possible to create a security solution that can apply to multiple IT environments and, at the same time, avoid having to inconvenience users.
Click here to read the full text of Information Security for the Next Century: Why we need an information-centric approach to data protection by Dr. Pradeep Khosla, Carnegie Mellon CyLab (ISA Comments to Hathaway on Improving Information Security Architecture)