One of the many interesting themes to emerge from our Global Advisory Board meeting in Dublin earlier this year was the need for a fresh perspective on how we secure the data that’s critical or important to us. One of the speakers who summed this up was Mike Bass, head of customer strategy at Ionic Security. Mike has worked in the fields of cryptography and identity since the late 1980s, spanning technology companies like Entrust, PGP, Certicom, Baltimore Technologies, NetLock, HP, and the U.S. Air Force, as well as the banking and healthcare sectors, so he’s very well placed to talk about how security has evolved and where it needs to go next. Here’s a summary of his ‘fireside chat’ at the event, which built on ideas he’s previously articulated in a blog post at his new company.
Framing the problem as it exists today, he wrote: “We spend so much time, money, and effort protecting systems, applications, and containers because they house sensitive data. Our individual siloed security solutions protect data at a snapshot in time, within a specific system. That data then moves to another system where we have another security solution and another snapshot; then maybe, it goes through a CASB into the cloud, another snapshot. And, then to a protected container on my BYOD, another snapshot.”
At the event, he elaborated on these points, saying that IT and security professionals still protect numerous different systems by essentially ring-fencing those containers, which have grown in complexity over time. “The resources on protecting that data is enormous and wasted,” he said.
A centralised approach to data security falls short of today’s business needs because it is not set up to deal with two of the biggest developments in technology: cloud and mobile. If we can access our data anywhere, that has huge implications for how we protect and secure it. Mike said that in one of his previous roles, it was difficult for the business to adopt cloud and mobile because of how its data security had been set up before.
This has stifled real innovation in the data security market for 20 years, Mike claimed. What’s more, this approach hinders the business from adapting or changing, because when information lives in a series of silos, it’s hard to gain value from it.
So, he started imagining a strategy that focused on securing the data first, rather than the container it lives in. Mike called it by various names: “information protection as a service”, or “a glorified key distribution system”.
The data is protected by a key tied to a policy which defines who can and can’t access the key – and therefore the data. “If I can give an enterprise this ability to have data portability, to say who can and can’t access this data based on policy rules, then I can also do this for a person,” Mike said. For example, an individual could choose to change health insurance provider and simply alter their security policy so the previous insurer would no longer be able to access the data. “That is the innovation that data protection needs right now,” Mike said.
Moving the focus on to the data and the policies around it is an essential part of this approach, because policies determine who does and doesn’t have permission to access someone’s data – which might not even involve opening a file but could just mean looking at a field in a spreadsheet. Crucially, this approach provides visibility because the person requesting the data has to ask for permission, so the data owner sees who has accessed their information and when. It also provides control, and that’s increasingly becoming an important word when it comes to security. If you give me control – a benefit – then I’m far more likely to see security in a positive light rather than as something that hinders me.
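The mechanism described above (a key tied to a policy, with every key request checked and recorded) can be shown in code. This is an added example, not code from Mike Bass, Ionic Security or the original post; `KeyService`, `protect`, `read` and the principal names are hypothetical, and the keystream function is a standard-library stand-in for a real AEAD cipher.

```python
import hashlib
import hmac
import secrets


class KeyService:
    """Releases a data key only if the owner's current policy allows the requester."""

    def __init__(self):
        self._keys = {}    # key_id -> data key
        self._policy = {}  # key_id -> principals allowed to fetch it
        self.audit = []    # (key_id, requester, granted): the owner's visibility

    def create_key(self, allowed):
        key_id = secrets.token_hex(8)
        self._keys[key_id] = secrets.token_bytes(32)
        self._policy[key_id] = set(allowed)
        return key_id, self._keys[key_id]

    def set_policy(self, key_id, allowed):
        self._policy[key_id] = set(allowed)

    def request_key(self, key_id, requester):
        granted = requester in self._policy.get(key_id, set())
        self.audit.append((key_id, requester, granted))  # log denials too
        if not granted:
            raise PermissionError(f"{requester} may not access key {key_id}")
        return self._keys[key_id]


def _keystream_xor(key, nonce, data):
    # Stdlib-only stand-in cipher (HMAC-SHA256 counter mode, no integrity tag);
    # a real deployment would use an AEAD such as AES-GCM.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)


def protect(svc, allowed, plaintext):
    key_id, key = svc.create_key(allowed)
    nonce = secrets.token_bytes(16)
    return {"key_id": key_id, "nonce": nonce, "ct": _keystream_xor(key, nonce, plaintext)}


def read(svc, requester, blob):
    key = svc.request_key(blob["key_id"], requester)  # policy check happens here
    return _keystream_xor(key, blob["nonce"], blob["ct"])
```

Switching insurers in this model is a single `set_policy` call: the old insurer's copy of the ciphertext stays where it is but can no longer be opened, and the denied attempt appears in `audit`. Revocation only stops future key requests, so anything a party decrypted while it was still authorised remains in its hands.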
Do you think we need to start thinking about a data-centric approach to security? And if so, what role should open standards play? Let’s hear what you think.