Where to from here?
By Graham Williamson, Senior Analyst, KuppingerCole.
A recent post by John Dunn about what’s hot, and how long it is going to be hot, got me thinking – how does a security guru decide where to place his/her interest, and how do you decide in which area to develop expertise? I’ve met many highly experienced security consultants who are stuck at level 3 in the OSI stack and don’t seem to realise that the wave has passed them by: there is no network perimeter anymore and the demand for expertise in configuring firewalls has, at best, plateaued. But rather than bemoaning our lot in life, let’s look at the future; it’s remarkably bright.
It seems there are two broad directions in developing expertise that our clients will find attractive: in the networking space Software Defined Networking (SDN) is the direction, but there’s possibly more fun to be had at the application level with Information Rights Management (IRM).
There is no doubt that SDN and its cousin NFV (Network-Function Virtualisation) have changed the way in which organisations deploy and manage networks. Most network suppliers now offer virtualised network infrastructure that lets you forget where your applications and data are stored and magically operate anywhere in the world, with your network supplier managing things in the background. Cisco has coined the phrase “fog computing” to indicate that we should no longer think in terms of data centers; the location of our applications and data is meaningless. I saw an interesting presentation from DELL that showed a user in the US climbing on an airplane, travelling to China and logging onto his application, with the network supplier managing the application deployment over the network in the background. While the presentation raised more questions than it answered, the overall message was clear – access to applications and protected resources is no longer managed by AD groups – it’s a lot more interesting than that, and the network guru who can explain what it means to their clients is a valuable resource.
At the application level things are equally exciting. Thanks to the Sony Enterprises debacle, clients are running, not walking, to embrace secure information sharing technology. If you think about it – that’s the only thing that really matters. If we didn’t need to share documents or data we could lock everything down really tightly and have no worries about compromise. But that’s not reality – our staff want to work on cross-functional teams, our sales department wants to give clients access to production reports and our legal department wants to share confidential board meeting minutes with an external auditor. The environment in which we now work is complex but it does not have to be porous. Companies providing secure document sharing are enjoying record interest. At the core of most applications is Microsoft rights management technology, currently undergoing major development under the Azure Rights Management product program. AWS have developed an impressive product in WorkDocs and EMC have retained interest in their recently sold Syncplicity offering.
There are basically three areas to worry about with IRM (Information rights management) – data at rest, data in motion and data in use.
Protection of “data at rest” is typically achieved via encrypted storage. If everyone is sharing a common pool of documents it is not too difficult to encrypt the lot and give the decryption keys to those that need them. But with the predominance of Dropbox, OneDrive and working from home it’s typically a bit more complex.
Protection of “data in motion” is generally achieved with a VPN (Virtual Private Network) or via TLS (Transport Layer Security) but, if documents are encrypted anyway, this is often not required.
“Data in use” is where it becomes interesting and is a major differentiator when choosing a solution. Many product offerings require a proprietary client to be installed on end-point systems. While this solves a lot of problems for companies with a distributed SOE (Standard Operating Environment), it’s not so easy for BYOD (Bring Your Own Device) environments and mobile devices. Since most millennials don’t want to be tethered to a desk and would be lost with anything bigger than a 6-inch screen, we need a solution for phablets. Many suppliers only support view properties on mobile devices but users want to edit and print. Another big differentiator is document classification. There’s not much point in having a good permissions-based document security system unless it’s easy for users to classify their documents. Some vendors provide a policy-based system that automates the classification task to some degree.
So this is another area in which a good consultant can save their clients’ money and aggravation by understanding their needs and planning the solution.
Yes – the future is bright.
Graham Williamson is Senior Analyst at KuppingerCole and covers the areas of Identity-as-a-Service, Dynamic Authorisation Control and Privacy. He has consulted in the Identity Management sector for 15 years and is the author of the book “Identity Management: A Primer”. Graham holds a bachelor of Applied Science degree from the University of Toronto and an MBA degree from Bond University. He has practical experience in the identity management and access control industry having completed assignments in the academic, government and large corporate industry sectors across three continents.