I was chatting with my boss the other day, and he mentioned how experts were saying that security has moved to the host. He was referring to the fact that in the past, most security was provided at the network perimeter, using firewalls originally, then moving to intrusion detection and prevention systems, VPNs, and so on. Basically, all security was at the perimeter, and if the bad guy could get through that, it was party time.
As he said, we have moved into a new phase where we’ve done a lot to protect the network, and the focus has shifted to the host. We are seeing lots of systems that harden servers, monitor critical files, audit access, detect incidents, etc., directly on the host. Now the landscape has changed for the bad guy: he has to get through the perimeter defences and get onto the target host, and not be detected in either case. With host-based security software running throughout an enterprise, it is getting more difficult to successfully break into a system without a helper on the inside. We all know who this helper is: the user, who runs software on behalf of the bad guy by clicking on attachments and installing Trojan horses or viruses. Some host-based software can help with this, but it is still a big problem that is looking for solutions. (Does anyone have any brilliant ideas they’d like to share?)
Another development is that recently companies have begun to take it to the next level: data security. They’ve (hopefully) protected the perimeter and the hosts on the inside, and now want to protect their valuable data; after all, this is often what the bad guy wants in the first place. These companies are protecting data with tools such as network encryption (TLS, SSL, etc.) for data flowing over the network, and other tools for encrypting data at rest, such as PGPdisk, Microsoft EFS, and database encryption tools. Some companies are encrypting email messages using S/MIME and bulk data transfers using various tools such as PGP or GPG. From my experience, this is the area where a lot of companies are concentrating their effort, and this is based on regulations such as the California SB-1386 legislation, as well as HIPAA and other regulations.
So we’ve gone from network, to the hosts on the network, to the data stored on and flowing between the hosts, but there is still the next level: the information inherent in the data. Some data is interesting for bad guys (such as credit card numbers and other demographic info), but it is information that is really valuable. This information includes reports, strategic direction, mergers and acquisitions documents, unpublished financial information, etc. That is, the Word, Excel, PowerPoint, etc. documents that are created based on the data and the talent of the employees. In my opinion, these are the truly valuable assets of the company, and for the most part, they are completely unprotected.
This is why I think the next focus for information security will be rights management. Rights management may work out to be the last line of defence against hackers (“I’ve made it all the way to the server storing all the executives’ files, but I can’t read them because they are rights protected!”) and the first line of defence against users’ mistakes (“I accidentally sent our unpublished financial statements to our web hosting partner rather than our accounting partner!”). In this way, I can see rights management as an important piece of the IT security puzzle. In fact, one might call rights management the only security measure truly protecting information.
Of course, rights management is no panacea: the other security measures are still very important. In addition, authentication is critically important in a rights management context; if I can get the system to think I’m the CEO, rights management is probably not going to help me. Even so, I think that RM will increasingly be a focus for security professionals over the next few years.
What do you think? Am I crazy or am I on to something? Please hit me with some comments and let’s discuss…