The Challenge of Integrating Security

To illustrate the point just in the area of key management, a Computer Weekly survey found that 88 percent of organizations had multiple administrators managing their encryption keys.  And that doesn’t mean that those multiple administrators are required to look over one another’s shoulder when other keys are accessed, it means that they have a lot of different people who have to have access to the keys.  And 22 percent have ten or more.  This basically means that there’s a lot of opportunity for things like collusion or wiki leaks or insider threats.  It also speaks to the complexity of the environments and the need to have all these people trained on these systems just to understand them. Interestingly, 42 percent of administrators are managing encryption technologies from at least four suppliers while eight percent are dealing with more than ten suppliers. This is amazing considering the complexity that can exist in one encryption system and then having to deal with ten is just remarkable.  But I can also understand why people say well I need to protect my servers,  I need to protect my Macs, I need to protect my Windows devices, my handheld devices, etc. It’s understandable how you could quickly get to four or more technology platforms for encryption.

But it doesn’t have to be that way.  What really then is the core problem that’s driving the complexity and the change is the fact that the traditional approaches just aren’t working.  There are a lot of problems organizations are dealing with but one of the fundamental problems is the fact that users are now self-sufficient.  We have a self-sufficient population.  I mean they don’t wait for IT.  They move data immediately to solve business problems.  That’s what they’re paid to do.  They do that 24/7 because nobody works a regular day anymore.  So, our users are self-sufficient and the technologies they use are more self-serving now.

There’s lots of different technologies and startups out there trying to make technology more and more simple.  Today, you can have what might’ve took IT six months to develop in years past – instantly.  You can have computed storage in minutes now, at the most hours.  That kind of pace, that kind of rate of change means that data flows instantly.  And so, we have to set up systems that first of all anticipate that and where data protection is built in what our users are going to do.  Giving them paths that are approved, good paths to follow instead of blocking or missing the paths that users come to follow.  And obviously this is not a trend that’s going to change.  This is only going to get worse going forward.

So there’s a new approach really that we need to take.  We need to not depend on setting up perimeters.  And of course everybody’s heard this for years.  We’ve been talking about it in the security industry – the perimeter’s dead.  I remember years ago we used to talk about how there is no perimeter.  And there’s a lot of good work done by the Jericho Group and others who tried to get that message out and I think by and large people have received that message.  But what we have not really gotten to is what is the unified consistent data protection strategy.

Stay tuned for my next post on the solutions to this….