Posted by: Heather Clancy
I saw a provocative presentation earlier this month by Dennis Hoffman, a senior vice president for RSA, the security division of EMC. Hoffman really brings a no-nonsense, solution-centric mindset to the whole security conversation, refreshing in someone who represents a product vendor and (understandably) is trying to sell more products. His thinking is even more refreshing when you consider that Hoffman gave this speech on behalf of a VAR (Network Computing Architects) to a bunch of said VAR’s customers. Talk about a readymade pitch opportunity.
Here’s how the argument goes. For a long time, the accepted practice for anyone addressing a security problem has been to look at creating some sort of boundary that keeps people who shouldn’t have access to information from being able to see it, steal it, use it, alter it or otherwise mess with it. Put up a wall, and keep the bad guys out!
The major shortcoming of this mindset, however, is that information and data aren’t all that useful if they’re locked away for no one to look at. Who is a bad guy? Or, actually, when is a good guy a bad guy? The lock-and-key approach is virtually the same whether the court jester’s instruments or the kingdom’s crown jewels are on the other side.
The good news, according to Hoffman, is that the notion of what he calls “Information-Centric Security” is becoming easier to sell. That means getting better at classifying information types in the first place and putting in place a strategy for managing who can touch it, why and under what circumstances.
The job of the security VAR, then, becomes not one of protection but one of access management. “If you can’t classify information, then you have to protect all of it or none of it,” Hoffman says. “Information is inherently mobile.”
The way Hoffman sees it, there are five basic services that a security VAR can provide to some extent or another as they look at a broader data management policy. These include:
- Risk assessment
- Access management planning
- Infrastructure security
- Data protection
- Compliance assurance
If you think about it, many technology solution providers who make security their business today have been focused on securing the infrastructure. Indeed, it would be irresponsible not to do so. But it is equally irresponsible not to take a closer look at the nature of the data itself.
As data becomes dated, for example, and is moved from near-term storage into archived format, does that mean the potential liability of disclosure is any less?
Given that RSA is now owned by data storage giant EMC, it’s easy to pooh-pooh Hoffman’s focus on information. The fact is, though, data storage and security should be much more integrated than they are. The more a security VAR can talk about protecting information vs. protecting the network or some random piece of equipment, the better that dialog will be received.
Channel advocate Heather Clancy writes frequently about channel business issues.