What should cloud enabled data security protections look like in the future?
Blog Article Published: 11/18/2013
While listening to one of my favorite podcasts about two months ago, I heard a quote from a man named William Gibson that really resonated with me. He said, "The future is here already, it's just not evenly distributed". As I was driving along, continuing to listen, it really started the synapses in my brain firing. I've been spending a lot of time lately thinking about a long-term strategic vision to enable a device-agnostic, data-centric protection vision for the future. My goal is to enable the integrated use of company data across cloud, mobile, and enterprise assets. As I continued to listen, I started to wonder: if I were to look at the unevenly distributed future that exists now, what and where are the enterprise-class Security, Risk, and Privacy controls that theoretically should exist today, and that would let me truly break free of the barriers currently preventing me from delivering a holistic, endpoint-agnostic, data-centric protection vision?

As I pondered the question that drove me to blog, I set out to evaluate the industry to see what pieces and parts are actually available, and how far away we are from being able to build this ecosystem of ubiquitous, platform-agnostic data controls, enabling me to use any cloud app, the big three mobile devices (iOS, Android, and Windows Mobile), and enterprise-class endpoints (Windows, Mac, and Linux).

Defining success in my mind meant setting a framework with a core set of principle requirements:
1) Controls must run on all my platforms.
2) Data protections must be applicable at rest, in use, and in motion, and must enable data destruction driven by an automated function that supports a legal data retention schedule.
3) The controls must be capable of enterprise-class management for any of the deployed technologies.
4) The technology must allow for the full-spectrum use of the data across platforms: essentially read, write, and modify.
5) The controls must be able to employ several key data protection principles automatically:
- Identification and permanent metadata tagging of who created the data (data owner)
- Automated user interaction asking "What is the data?" (data classification)
- Automated and end-user-managed policy application of who should have access to the data (access control)
- Automated and end-user-manageable policy application of what the group should be able to do with the data (permissions)
- Automated workflow review of access rights over time (attestations)
- Automated ability to recognize data that should be encrypted, and give the option for the user to choose encryption.
- The solutions must allow an organization to retain/recover/rotate/destroy/retrieve/manage the encryption keys
- Centralized Logging: The 5 W's, Who, What, When, Where, Why?