RSA Data lockdown

Tom Corn, VP of product management and marketing, data security group at RSA, the security division of EMC, speaks to Mark Sutton on the viability of information-centric security in organisations large and small.

Are C-level executives regarding data as an asset and buying into the vision of information-centric security, rather than network security?

What I see is that businesses are certainly valuing information as an asset. The connection with security is perhaps the missing link. I think that businesses are used to saying: ‘I can leverage certain information in order to drive certain outputs of my business', but there has traditionally been a chasm between that and what organisations have done from a security perspective.

 

In fairness, more of the focus of security traditionally has been on things like availability infrastructure, security at the perimeter against external threats, protection against viruses, worms and malware, and it is only in the last several years that we have seen the focus shift into thinking about securing the information itself directly.

It is no surprise that what drives this is regulations, breaches in organisations or their peers, and an overall raising of consciousness of this. What has really had to catch up is the security processes to deal with the challenge of securing information.

Securing information is quite different to securing just about anything else, in large measure because it moves, and transforms. I can always point to my network perimeter, I can always point to my systems and my server, but it is hard to point to my credit card data because it keeps moving.

We have our financials in a highly secure database, but it is also sitting on disk, and it is getting backed-up to tape, and it is getting accessed by a series of applications, so the fact that we have a highly secure database is kind of irrelevant - it just moves.

The fact that we have all these infrastructure related security products - data doesn't care. I think it really forces a very new approach, which we are advocating, of information-centric security. In an information-centric approach, I say ‘what is our policy for credit card information?', or for healthcare information. What kind of healthcare information is sensitive and how should it be managed in different contexts.

Data is going to show up in places we can't even imagine, and tomorrow and in the future it is going to show up in even more places, as the market for PDAs, handheld devices and web services evolve.

The centre of the strategy is policies around information, and in order to make that work organisations are going to have to think about how they construct that policy, and the process of information discovery, as our infrastructure today is blind to data sensitivity.

The next critical element they are going to have to deal with is enforcement controls - encryption, authentication, authorisation - and those controls have to be coordinated in some fashion by these discovery mechanisms; and then there ought to be some way to audit the infrastructure, and compare it to the policies that you started out with.

This has really become the core of our strategy, and through the development of our solutions and some of the acquisitions we have made, RSA has been filling out some of these pieces.