We have all seen films where the defences of a medieval castle prevent the attackers from gaining entry – the deep moat, unscalable walls and impenetrable portcullis. From within the castle, the firing of arrows, canons and boiling oil poured onto the attackers all help protect the castle residents inside.
In many ways, a lot of the commercial, defence and intelligence organisations have treated their IT networks in the same way – protect the perimeter, and your information inside will remain safe. Unfortunately, today this isn’t the case; the perimeter protecting your information is widening. With the boom of Cloud services, an increasingly mobile workforce and the need to share information, the protection of the perimeter becomes even more difficult when we’re unsure exactly where the perimeter is, and the more opening doors we place in our perimeter, the harder it becomes to protect.
We still need to protect the perimeter using our existing network-centric security tools, but also need to protect the information we store inside our network. An information-centric approach uses classification and encryption to protect the information wherever it moves, placing less importance on where your information resides.
Classification of your information at the point of creation is key to the success of information-centric security; this is very familiar to the defence and intelligence communities but may require an important mindset change to some commercial organisations. Once your information is correctly classified, you begin to understand the sensitivity of your information, and can treat it accordingly – a document containing project plans is more sensitive than a document with today’s restaurant menu, for example.
Metadata is the usual method for storing the classification with your information, but for protection of your information, the classification must be cryptographically bound to your information (this prevents your sensitive document becoming insensitive). Also, to facilitate information sharing, the metadata cannot be bespoke to your organisation; otherwise sharing information is made more difficult with unreadable classification metadata.
With the information classified and protected using a common format, the organisation can now begin to apply access control policies to control the flow of information throughout the entire network. Who needs access to the information, the location of the user, the type of device they are using are all factors that may affect whether a user has access to the sensitive project plan document.
The ability to control the sharing of information is made easier with information-centric security. Ongoing, rights management technology can be applied (using an open standard) to control access to the information after it was shared, as we may only want to share sensitive information externally for a limited time.
Data is the building blocks for information, and it is information we use in our everyday lives. By adopting an information-centric security approach, we can begin to control, protect and monitor our data wherever it resides.