Thursday, May 22, 2008

Information Centric Security is dead!

Ok,ok, I just want to jump on the bandwagon. It seems you are not regarded as an innovative and forward thinking Information Security Blogger unless you declare something dead so I will do that with Info-Centric Security.

So, what do I elect to replace this with? Process-centric Security.

I think that as we get closer to Information Security Nivana (and isn't that what we really want?) we will start to get closer to the point where we look at Business and how it uses Information to do what it does. We define processes, work out what Information is needed, add in resources and voila we have all the information (process, standard, information classification, user details, etc) that we need to properly define and hence secure a process.

If this brings back bad memories of Flowcharts and the like then maybe, just maybe, flow charts are what we really need to secure our businesses. Maybe when we decided to throw out all of those tools we had way back when, we did it without thining of the repurcussions. The goal to get a "Fast Company" and "be more adaptable" and "beat our competitors" just made us more sloppy and insecure. It may be a good time now to reassess.

And, by the way, Information Centric Security is not really dead... its just part of this larger idea, just like IDS is part of IPS.

Thinking out the box

I am going to predict the future of the WWW and how Information Security will have to adapt in the next few years.

This will take some time to secure and will take some time to get accepted but this is (IMHO) coming so brace yourselves. Life is going to get very interesting, especially for the Information Security guys out there.

This is actually not a new concept - Novell and Sun were working on these ideas about 15 years ago but the world and the Internet were not yet ready. They are now or, at least, they soon will be.

WEB 1.0
This is the Internet as we know it. HTML with some scripting for the pretty factor. Some media added in. Not much interaction. Security is easy here. Make sure that no wiggly things make it from the web onto your network. Make sure that users don't visit sites that waste time and shock people.

Web 2.0
This is the big catchword but I don't think we are where we should be. Web 2.0 is a taste of things to come but we are still chained to web 1.0 thinking. Information is swopped but format and location of information are still king. XML is just starting to come into its own and information is starting to become self-aware. The same information can be represented in totally different ways on different pages but the tools are new and websites are built around specific purposes. Sites with open APIs like Facebook are starting to take hold. Security is starting to become difficult - we have to make sure that internal data doesn't become external data.

Web 3.0
This is the new buzzword but I think it is merely more extreme web 2.0. Early examples of this are Yahoo Pipes, facebook's API etc. Sites with open tools to manage information. Information flows and is not bound to a certain site, location or format. Information Centric Security becomes key here. I think that the tools have not been developed or have not been properly developed.

Web 4.0
Cloud computing. This has been around for a while but it will soon come into its own. Combine GMail, Google Reader and technology like AJAX (of course), Google Gears and Mozilla Prism. I'm sure that Microsoft and Yahoo etc all have their own versions of the above and there will probably be some small niche players too.

Keep all the above free (with advertising) and you get a very useful and smart Office Suite that allows for collaboration and features such as backup and works wherever you are. This is exciting stuff but the assumption is that your data will be safe.

This is a bad assumption. This is Information Security's next headache. The problem with this is that like wireless and portable devices and USBs and the Internet etc etc.. cloud computing will happen. Businesses will need to do it and they will do it. We need to make it secure. Applications such as Microsoft Office etc are already terminally ill, it is just a matter of time...

The next race between Microsoft and Google and Apple will be in this space. I believe that the winner will be the one who can ensure the security of the information stored on their network.

Of course, cloud computing is a walk in the park compared to what will be next:

Web 5.0
This is where it all gets mad. Think Web 4.0 mixed with P2P such as Skype and Bit-torrent. Add in a bit of virtualisation. Your data is hosted on 100 different people's personal machines. In exchange you host 1000 people's data on your machine. A piece of your company's still-to-published annual results are split up between a mac in Japan, an iphone in brazil, 3 pcs in the US and a linux server in the UK. It is xored with Bill Gates's personal phone list and another 6 people have spare copies. If the UK box falls off the Internet then another box picks up where it left off. Processing is done by a further 3 machines, one in Namibia and 2 in China. Each time you access your data the communication takes a different route bouncing off 10 machines between you and all the places that your data is. At any one time you have no idea where your information is. Information Security becomes part of the network - all files have to be encrypted and there are numerous copies of it.