"Pragmatic Security" Coming Into View
Whenever I go to a big industry gathering, it always provides a great opportunity to validate (or not) some of my new thinking about trends and directions in the security space. So, one of the trial balloons I was floating during my meetings was a new "taxonomy" for enterprise security.
OK, I know what's on your mind. Why the hell do we need yet another taxonomy? Who cares? How does this help me do my job? All of these are legitimate questions, mind you.
Basically, the sheer number of security exposures that need to be addressed is overwhelming. I can't tell you how many folks I saw at the conference who seemed just dazed, and I'm pretty sure it wasn't the spiked punch at the parties. Folks are confused. They are not sure what to do next. Every vendor has the same message. There is no differentiation. Users don't have a simple architecture to work towards, so I'll throw something out there and continue to flesh it out in the coming months.
I'm calling it "Pragmatic Security" because that's what it aims to do. It's not about being smart or being right, as the vendors would lead you to believe. IT'S ABOUT BEING PROTECTED. Remember, Job #1 of any security professional is to make sure nothing bad happens. You don't have to be elegant, you just need to get the job done.
Pragmatic Security is about that. Get the job done, with a minimum of effort and resources. Given that my target market is mid-sized businesses, this philosophy is going to resonate big time.
Selfishly, I need this taxonomy too. There are just so many things going on, I spent a decent amount of time at the show somewhat dazed as well. In my case, it probably was the spiked punch (and lack of sleep), but that is another story. By structuring the conversation on security, we can all gain context and get a feel for how all the pieces fit together.
In the world of Pragmatic Security, the world is broken up into 5 distinct areas:
- Infrastructure Security - This is a bucket for the traditional network, host and endpoint protection markets. Basically this is about securing the pipes and platforms from intruders and other malcontents, and enforcing who can get access to what physical resources.
- Information Security - This is about securing the content within the applications, once the application is accessed - working in a complementary fashion to infrastructure security controls. The private data and intellectual property floating around your systems need another layer of protection and rules for how, when and where the data can be used.
- Identity - This layer defines who you are, what entitlements you have, and a clean way to provision and manage access to both the infrastructure and information. It integrates the infrastructure and information security domains by providing context to what is actually being protected. This is also the domain that defines inter-enterprise data and application sharing, in that federation can provide the means to share data among various trusted parties.
- Policies - This section addresses the need to structure and enforce the "rules of engagement" for the infrastructure and information in use. I'd love to have just one policy, but that isn't practical. Here is where we'll get the biggest bang from integration, even if it's logical integration. By being able to manage to a consistent policy, life gets easier. A lot easier.
- Reporting - The marketer in me forces the discussion of how you define success and assemble the data to prove it. Note that this is NOT called "compliance," though the reports clearly are meant to be presented to the powers that be to prove diligence in protecting private information. Compliance is a fad, reporting is a necessity. Having a spigot to pump data from the various domains into a reporting engine is critical. From a forensics standpoint, it's also a consideration to make sure this data is not messed with, which can impact the integrity of the data and render it useless in a legal context.
The ultimate intent is to delve reasonably deeply into these topics in a "manifesto." The manifesto will be built incrementally, starting with Identity, given that's the topic of the first battle plan. Infrastructure security will be next after that. Once completed, the manifesto will be expanded into a "security planning guide," which will give users a structured plan and methodology to guide security endeavors. Stay tuned.