What Happens When Data is Separated from the Systems and Applications that the Data Owners control?
Cloud computing, virtualization, mobile devices, and social networking are consistently listed among the top concerns for CISOs in 2011. And rightly so: the primary line of defense for our information assets has been the Internet perimeter and its enclaves. As a consequence, our main security strategies have focused on the network and hosts rather than the data.
But it’s a brave new world and it’s time to send our precious data into the wide world, and set it free to fulfill its potential. Unlike children, whom we imbue with the intelligence to avoid getting in cars with strangers bearing candy and to identify themselves with a purpose, data cannot be reared.
Or can it? I’m not talking about artificial intelligence, at least not in the near term. Perhaps we don’t make the data self-aware, exactly (we don’t want another SkyNet apocalypse, after all), but at least make it smarter, give the data itself a suit of armor.
Today, access is controlled at the network, systems, directory, and file levels. Applications and databases can impose more granular control. However, when the data is separated from the systems and applications that the data owners control, such as in the cloud (IaaS in particular; SaaS and PaaS both define and control the data) or on mobile devices, all bets are off.
A few of the fundamental problems with untethered data are:
• Lack of access control: Traditional controls, like what roles and users can read or modify data, may be available through the cloud or mobile application, but malicious insiders can still copy the data and forward it elsewhere, out of your span of control.
• Data identification: What is the sensitivity of the data? What application is it associated with? Not just, say, notes in Microsoft Word, but which SaaS or PaaS application, including the relevant properties and restrictions.
• Anti-tampering: The ability to detect not just whether it was tampered with, but where, when, and by whom. Optimally the data would have the capability to report back to its organizational security intelligence program and tell the story of where it's been and what it's done.
Putting on my developer's hat, I envision data as an object composed of some sort of universal code, the data itself, and accompanying properties. To protect the information and code, it could only be run on a system controlled by the data's owner, perhaps using a method similar to public/private key pairs, and, aside from innocuous information about the certificate, everything else would be encrypted.
The benefits are manifold: you could revoke access for any individual at any time, self-destruct the data (well, the decryption keys anyway), and implement true data-in-motion DLP, just to name a few. Additionally, you could provide tiered access to the data or its properties based on role or user, which would be useful, for example, in helping cloud providers make intelligent decisions about how to store and handle the data.
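To make the sketch above concrete, here is an added example (mine, not the author's design) of such a data object: cleartext properties, an encrypted payload, one wrapped copy of the data key per role so access can be revoked by deleting a wrapped key (deleting all of them is the self-destruct), and an integrity tag for tamper detection. It assumes symmetric role keys in place of the public/private key pairs the text mentions, an owner-held HMAC key standing in for an owner signature, and a toy HMAC-counter stream cipher in place of a real cipher so it runs on the Python standard library alone.

```python
import hashlib, hmac, json, secrets
from typing import Dict, Optional

def _stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy XOR stream cipher with an HMAC-SHA256 counter keystream (constructed
    for this demo; a real object would use AES-GCM or similar)."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, nonce + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

def _tag(owner_key: bytes, obj: dict) -> str:
    """Integrity tag over everything except the tag itself (stands in for an
    owner signature; assumption: HMAC with an owner-held key)."""
    body = {k: v for k, v in obj.items() if k != "tag"}
    msg = json.dumps(body, sort_keys=True).encode()
    return hmac.new(owner_key, msg, hashlib.sha256).hexdigest()

def seal(payload: bytes, props: dict, role_keys: Dict[str, bytes], owner_key: bytes) -> dict:
    """Wrap payload as a self-protecting object: cleartext properties, encrypted
    payload, one wrapped copy of the data key per role, and an integrity tag."""
    dek, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
    obj = {
        "props": props,                       # innocuous, readable metadata
        "nonce": nonce.hex(),
        "ciphertext": _stream(dek, nonce, payload).hex(),
        "wrapped": {r: _stream(k, nonce, dek).hex() for r, k in role_keys.items()},
    }
    obj["tag"] = _tag(owner_key, obj)
    return obj

def revoke(obj: dict, role: str, owner_key: bytes) -> None:
    """Revoke one role (or every role, for self-destruct) by dropping its wrapped key."""
    obj["wrapped"].pop(role, None)
    obj["tag"] = _tag(owner_key, obj)

def unseal(obj: dict, role: str, role_key: bytes, owner_key: bytes) -> Optional[bytes]:
    """Return the payload, or None if the object was tampered with or the role
    no longer holds a wrapped key."""
    if not hmac.compare_digest(obj.get("tag", ""), _tag(owner_key, obj)):
        return None                           # tamper detected
    if role not in obj["wrapped"]:
        return None                           # access revoked / self-destructed
    nonce = bytes.fromhex(obj["nonce"])
    dek = _stream(role_key, nonce, bytes.fromhex(obj["wrapped"][role]))
    return _stream(dek, nonce, bytes.fromhex(obj["ciphertext"]))
```

Because the wrapped key is not itself authenticated in this toy version, a wrong role key yields garbage rather than an error; a production design would use an authenticated cipher for both the payload and the key wrap.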
Of course, once the data is presented to the user in its unprotected form, all bets are off. It may be possible with some applications to impose granular usage restrictions, such as permitting or denying copy/paste and printing, but ultimately, unless you control the endpoints, users can take screenshots, or as our CTO points out, just take a snapshot of the screen with a smart phone (or spy camera disguised as a watch if you work in a high-security environment that restricts photographic equipment).
I've floated the concept by some of my colleagues in the infosec industry and more than one has scoffed at the idea as impossible, or as likely to succeed as PKI. And yet the idea is compelling. The engineers who invented the ENIAC didn’t let vacuum tube technology stop them, and you could argue that because of their vision and refusal to heed the defeatists, today we have a computer five million times more powerful, whose utility and application couldn’t even be imagined in the 1940s—including a phone without a cord—and which, to top it off, plays music, in all modern consumers’ hands: the iPhone. And touch screen input? Preposterous!
Admittedly, there are quite a few details to work out, some rather large. For example, there would have to be an accompanying infrastructure to support redundancy, geographic availability, encryption keys, etc. I’ve heard enough industry experts state that we need to start protecting data instead of systems to know that we have to do something. This is what I say to the defeatists: we put a man on the moon with only eight years from inception to the first step on that dusty planetoid, and with a fraction of the technology we have today. That momentous accomplishment started with a vision and a directive to the best and brightest in the nation. The engineers and program managers tasked with that mission didn’t bluster and dig their fingernails into the doorframe, and neither should we.
My idea may not be perfect, but it’s at least a back of the napkin sketch of one possible outcome. What’s yours?