What should cloud enabled data security protections look like in the future?
Published 11/18/2013
While listening to one of my favorite podcasts about two months ago, I heard a quote from a man named William Gibson that really resonated with me. He said, "The future is here already, it's just not evenly distributed." As I drove along and kept listening, it really got the synapses in my brain firing. I've been spending a lot of time lately thinking about a long-term strategic vision for device-agnostic, data-centric protection. My goal is to enable the integrated use of company data across cloud, mobile, and enterprise assets.
As I continued to listen, I started to wonder: if I look at the unevenly distributed future that is already here, what and where are the enterprise-class security, risk, and privacy controls that theoretically should exist today, and that would let me truly break free of the barriers currently preventing me from delivering a holistic, endpoint-agnostic, data-centric protection vision?
Pondering the question that drove me to write this, I set out to survey the industry and see what pieces and parts are actually available, and how far away we are from being able to build this ecosystem of ubiquitous, platform-agnostic data controls: one that would let me use any cloud app, the big three mobile platforms (iOS, Android, and Windows Mobile), and enterprise-class endpoints (Windows, Mac, and Linux).
Defining success in my mind meant setting a framework with a core set of principle requirements:
1) Controls must run on all my platforms.
2) Data protections must be applicable at rest, in use, and in motion, and must support automated data destruction driven by a legal data retention schedule.
3) The controls must be capable of enterprise class management for any of the deployed technologies.
4) The technology must allow for full-spectrum use of the data across platforms: essentially read, write, and modify.
5) The controls must be able to employ several key data protection principles automatically:
- Identification and permanent metadata tagging of who created the data (data owner)
- Automated user interaction asking "What is the data?" (data classification)
- Automated and end-user-managed policy application of who should have access to the data (access control)
- Automated and end-user-manageable policy application of what the group should be able to do with the data (permissions)
- Automated workflow review of access rights over time (attestations)
- Automated recognition of data that should be encrypted, with the option for the user to choose encryption
- The solutions must allow an organization to retain/recover/rotate/destroy/retrieve/manage the encryption keys
- Centralized Logging: The 5 W's, Who, What, When, Where, Why?
6) There must be minimal user interaction or behavior change in the way users are used to working with and creating the data.
7) The ability to recognize the "dual personas" of devices supporting user data creation (personal data, and corporate data existing on the same asset), only instantiating the controls for corporate data.
It has been an interesting two months since I set out on this quest. I've met with at least 70 different security technology vendors, scoured the internet looking for new ideas and new technologies, called friends all around the world to hear what they have been seeing, and have even been meeting with VC firms to see what's on their radar. The answer I have come up with so far is that I believe Mr. Gibson is sort of correct. The future is definitely almost here, the technologies are independently scattered, and you can't yet accomplish everything I set out to do from one (or even three) technologies, but I believe in the very near future we could accomplish this goal with some effort.
Let me tell you why I believe this. Today, if you think about cloud, mobile, and enterprise data platforms and assets, everyone does basically the same thing with them: they generate data on or with them. Looking at my requirements, it's odd to me that these have all been solved just about everywhere but at the endpoint. If you boil down the core problem, we want data to be accessible on endpoints, yet we have no common middle component that enables us to enact all of these reasonably sane security, risk, and privacy requirements.
It seems pretty simple when you look at the common denominator. The data is always the same on every device; we just need something that can go with the data, a wrapper if you will, that enforces all of my security, risk, and privacy requirements.
I believe what we really need to tie all of these requirements into one holistic solution is a multi-use agent that runs on all of our platforms, can be employed when and where needed with appropriate provisioning, and essentially provides the ability to share and interact with this secured data while retaining control with confidence.
If we look at where the future is taking us, data is generated on endpoints and stored in files, it is being manually moved to cloud platforms like Dropbox for example, or automatically through services like iCloud, and it is being entered into cloud applications (private and public) as raw text. If we look at how we create data, we use relatively the same sets of technologies across our end user compute nodes. We use things like office productivity suites, PDF generators, or manually input or batch load data for example. So if we make the leap that fundamentally we all compute the same, and while computing, we all really generate data the same, what is stopping us from being able to take the next logical step, automatically inserting a corporate protection layer for the data we generate at the time of creation that meets all of these requirements?
I think it's obvious why there are no heterogeneous options right now. Even though the basic principles of data protection I described are not a mystery, the fundamental challenge we have is getting our vendors to develop a data security enablement model that supports our overarching need to share and use corporate information across cloud, mobile, and enterprise, with the appropriate protections for information in this cross-platform world.
We have a myriad of point technologies that solve the specific requirements I laid out for databases, file systems, proxied access to cloud apps, and email, but the one thing we lack (which in my mind is the most critical thing) is a cross-platform endpoint DRM-like technology that runs on every major end-user compute platform (Windows, Mac, Linux, iOS, Android, Windows Mobile), allowing us to apply all of the principles I talked about while still being able to natively use the various apps and tools we work with today. In retrospect it seems silly that, when you look at the common denominator, the most logical place to start is the data itself.
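As an added illustration (not code from the original post, and not any vendor's product), the sketch below shows what the "wrapper that goes with the data" could look like if the requirements above were turned into code: a self-describing envelope whose owner tag, classification and per-user permissions are bound to an AES-GCM-encrypted payload as authenticated additional data, a stand-in key service that can rotate and destroy keys (so destruction under a retention schedule becomes crypto-shredding), and an audit record of the 5 W's for every access decision. The type names, users, device name and payload are all constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Header is the metadata that travels with the data: owner tag, classification, ACL and key id.
type Header struct {
	Owner, Classification string
	ACL                   map[string]map[string]bool // user -> set of permitted actions
	KeyID                 string
}

// bytes is a canonical encoding (encoding/json sorts map keys) used as AEAD additional data,
// so an ACL or classification edited outside the agent leaves the payload undecryptable.
func (h Header) bytes() []byte { b, _ := json.Marshal(h); return b }

// Envelope is the wrapper itself: header plus AES-GCM nonce and ciphertext.
type Envelope struct {
	Header
	Nonce, Ciphertext []byte
}

// KeyStore stands in for the enterprise key service (retain, rotate, destroy).
type KeyStore struct{ keys map[string]cipher.AEAD }

func NewKeyStore() *KeyStore { return &KeyStore{keys: map[string]cipher.AEAD{}} }

// Rotate installs a fresh 256-bit key under id; envelopes keep the KeyID they were sealed with.
func (ks *KeyStore) Rotate(id string) error {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return err
	}
	block, _ := aes.NewCipher(k)          // 32-byte key: cannot fail
	ks.keys[id], _ = cipher.NewGCM(block) // AES block size is 16: cannot fail
	return nil
}

// Destroy drops a key: every envelope sealed under it becomes unrecoverable (crypto-shredding).
func (ks *KeyStore) Destroy(id string) { delete(ks.keys, id) }

func (ks *KeyStore) aead(id string) (cipher.AEAD, error) {
	if g, ok := ks.keys[id]; ok {
		return g, nil
	}
	return nil, fmt.Errorf("key %q not available (rotated out or destroyed)", id)
}

// AuditEvent carries the 5 W's for centralized logging; Audit collects them.
type AuditEvent struct{ Who, What, Where, Why string; When time.Time }
type Audit struct{ Events []AuditEvent }

func (a *Audit) log(who, what, where, why string) {
	a.Events = append(a.Events, AuditEvent{who, what, where, why, time.Now().UTC()})
}

// Seal wraps plaintext at creation time with its owner, classification and ACL.
func Seal(ks *KeyStore, keyID, owner, class string, acl map[string]map[string]bool, plaintext []byte) (Envelope, error) {
	hdr := Header{Owner: owner, Classification: class, ACL: acl, KeyID: keyID}
	g, err := ks.aead(keyID)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	return Envelope{Header: hdr, Nonce: nonce, Ciphertext: g.Seal(nil, nonce, plaintext, hdr.bytes())}, nil
}

// Open enforces the ACL, then decrypts; every decision, allow or deny, is logged.
func Open(ks *KeyStore, env Envelope, user, action, where string, audit *Audit) ([]byte, error) {
	deny := func(why string, err error) ([]byte, error) { audit.log(user, action, where, why); return nil, err }
	if !env.ACL[user][action] {
		return deny("denied: not in ACL", errors.New("access denied"))
	}
	g, err := ks.aead(env.KeyID)
	if err != nil {
		return deny("denied: "+err.Error(), err)
	}
	pt, err := g.Open(nil, env.Nonce, env.Ciphertext, env.Header.bytes())
	if err != nil {
		return deny("denied: header or payload tampered", err)
	}
	audit.log(user, action, where, "allowed: "+env.Classification)
	return pt, nil
}

func main() { // constructed sample users and payload, not from any real system
	ks, audit := NewKeyStore(), &Audit{}
	_ = ks.Rotate("k1")
	env, _ := Seal(ks, "k1", "alice", "Confidential", map[string]map[string]bool{"bob": {"read": true}}, []byte("constructed sample payload"))
	pt, err := Open(ks, env, "bob", "read", "laptop-07", audit)
	fmt.Println(string(pt), err, audit.Events[0].Why)
}
```

The design choice worth noting is that the policy is not merely stored next to the data but authenticated with it: because the header is the AEAD additional data, granting yourself access by editing the ACL with a hex editor breaks decryption rather than widening access, which is what lets the same file move between Dropbox, a phone and a laptop without trusting the transport. Destroying the key is the retention-schedule end state for every copy at once. A real agent would back KeyStore with an enterprise KMS and ship the Audit events to central logging instead of keeping them in memory.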
V.Jay LaRosa
Senior Director, Global Converged Security Architecture
Office of the CSO
As the Senior Director of Converged Security Architecture for one of the world's largest providers of business outsourcing solutions, V.Jay leads a global team of security architects with responsibility for the end-to-end design and implementation of ADP's converged security strategy and business protection programs. V.Jay and his team of converged security architects cover the entire spectrum of cyber security and physical security protections employed at ADP. Additionally, V.Jay is responsible for the Red Team program at ADP as well as the Advanced Fraud Technologies program, which is used to identify, design, and oversee the implementation of a myriad of advanced techniques and technologies used to defend ADP and its clients' funds.