Tuesday, December 9, 2008

DLP is dead. (Not yet, but soon)

Ever since Richard Stiennon came out with his "IDS is dead", he started a trend, which he himself still follows, of declaring any big technology to be dead. I really believe, though, that Information Security products go through a cycle.

I was explaining this cycle to Dominic White a couple of weeks back and we were rudely interrupted by the meeting that we were in fact attending. Had I managed to finish then maybe he would be able to answer the question he asks on his blog. (This is also assuming that he agrees with me, which is not a foregone conclusion.)

The first stage of any Information Technology solution is to slide the technology in, causing the least amount of pain for users while fixing the maximum number of problems.

Example: firewalls back in the old days were open by default, and as problems were detected the admin would close ports and fix routes until the problems were gone. I call this Generation 1. This worked fine until it became too much for the admin, and firewalls started being configured closed by default and opened as needed (Generation 2). I think that the third generation of this is "closed by default, opened for business reasons". We may think we are there, but we are not really.

If you use a tool like websense or surfcontrol to control web browsing then you'll be at Generation 1 for browsing. Antivirus is Generation 1. Email is Generation 1.

I believe that we will see a jump to Generation 3 for all of these tools but the uptake will be very slow.

Generation 3 is where every action that someone takes has a strict business reason. A user sends an order to a supplier. The email system knows who the user is and whether they should be ordering something or not. Based on that, the email goes through.

Does this sound like some sort of workflow application? Bingo!

Now, consider DLP and DRM...
DLP is Generation 1: allow everything and block bad things from happening. DRM is there too. Let your staff decide what restrictions to apply? Doesn't work. Put them together and you get closer to Generation 2 (assuming that you are pretty tough with your DLP rules; otherwise, why waste your time?). Generation 3 is where things get interesting: Dave in finance creates a document and labels it "financial results". Workflows are built up automatically around the document and are enforced as follows:

The file server is configured to allow only Finance people to access the document. Auditors can open the document but make no changes. The firewall will not allow the document out of the organisation, and the mail server will not allow the document to be sent out. The antivirus (horrible word, very Generation 1; let's use "application handler" for Gen 2+) will only allow certain programs like excel to access the document. Anything else is blocked and an alert is fired.

At a certain date the document is "allowed" to be sent to the communications department who can't make any changes.
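The enforcement just described, modelled as an added example (not the post author's code, and not any vendor's product): a small policy engine that runs the same stream of requests against a Generation 1 allow-by-default blocklist and a Generation 3 deny-by-default rule set derived from the document's label. The roles, the release date, the destination domains, the single approved application and every sample request are constructed for the example; a real deployment would take the role from a directory and the label from the document's metadata.

```python
from dataclasses import dataclass
from datetime import date
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Request:
    """One attempted action on a labelled document. All values are constructed."""
    actor: str
    role: str              # business role from the directory (assumed trustworthy here)
    action: str            # "read", "write", "open_with" or "send_external"
    label: str             # classification label the author attached
    when: date             # date of the attempt
    program: str = ""      # application asking to handle the file (open_with)
    recipient: str = ""    # destination domain (send_external)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    alert: bool = False    # should a monitoring alert be raised?


# --- Generation 1: allow by default, block only what has already hurt once ---
GEN1_BLOCKLIST = {("send_external", "pastebin.example")}   # constructed entry


def gen1_decide(req: Request) -> Decision:
    """Allow unless the (action, destination) pair is on the blocklist."""
    if (req.action, req.recipient) in GEN1_BLOCKLIST:
        return Decision(False, "known-bad destination")
    return Decision(True, "no block rule matched")


# --- Generation 3: deny by default, allow only for a stated business reason ---
RELEASE_DATE = date(2009, 1, 15)        # constructed date the results go to Communications
APPROVED_HANDLERS = {"excel"}           # the only application allowed to open the file

Rule = Callable[[Request], Optional[str]]   # returns the business reason, or None


def finance_staff(r: Request) -> Optional[str]:
    if r.role == "finance" and r.action in {"read", "write"}:
        return "finance owns the document"
    return None


def auditor_read_only(r: Request) -> Optional[str]:
    if r.role == "auditor" and r.action == "read":
        return "audit review, read-only"
    return None


def approved_handler(r: Request) -> Optional[str]:
    if r.action == "open_with" and r.program in APPROVED_HANDLERS:
        return "approved application"
    return None


def post_release_comms(r: Request) -> Optional[str]:
    if r.role == "communications" and r.action == "read" and r.when >= RELEASE_DATE:
        return "released to communications on schedule"
    return None


# Rules are keyed by label. No rule grants "send_external" for this label, so the
# mail server and firewall checks fall through to the default deny.
LABEL_POLICY: Dict[str, List[Rule]] = {
    "financial results": [finance_staff, auditor_read_only, approved_handler, post_release_comms],
}


def gen3_decide(req: Request) -> Decision:
    """Deny unless some rule for the document's label supplies a business reason."""
    for rule in LABEL_POLICY.get(req.label, []):
        reason = rule(req)
        if reason is not None:
            return Decision(True, reason)
    # An unapproved program touching the file is the "blocked and an alert is fired" case.
    alert = req.action == "open_with"
    return Decision(False, "no business rule grants this action", alert)


def evaluate(requests: List[Request]) -> List[Tuple[str, Decision, Decision]]:
    """Run every request through both generations for a side-by-side comparison."""
    return [(f"{r.actor}:{r.action}", gen1_decide(r), gen3_decide(r)) for r in requests]


# Constructed sample traffic against Dave's "financial results" document.
LABEL = "financial results"
DRAFT_DAY = date(2008, 12, 9)
SAMPLE_REQUESTS = [
    Request("dave", "finance", "write", LABEL, DRAFT_DAY),
    Request("alice", "auditor", "write", LABEL, DRAFT_DAY),
    Request("bob", "communications", "read", LABEL, DRAFT_DAY),
    Request("bob", "communications", "read", LABEL, RELEASE_DATE),
    Request("dave", "finance", "send_external", LABEL, DRAFT_DAY, recipient="supplier.example"),
    Request("dave", "finance", "send_external", LABEL, DRAFT_DAY, recipient="pastebin.example"),
    Request("dave", "finance", "open_with", LABEL, DRAFT_DAY, program="notepad"),
]

if __name__ == "__main__":
    for name, g1, g3 in evaluate(SAMPLE_REQUESTS):
        verdict1 = "allow" if g1.allowed else "deny"
        verdict3 = "allow" if g3.allowed else "deny"
        flag = ", ALERT" if g3.alert else ""
        print(f"{name:22} gen1={verdict1:5} gen3={verdict3:5} ({g3.reason}{flag})")
```

The interesting row is Dave mailing the document to a legitimate supplier: Generation 1 lets it through because nothing on the blocklist matches, while Generation 3 denies it because no rule attached to the "financial results" label grants sending outside at all. The Communications read is denied on the draft day and allowed on the release date without anyone editing a rule, which is the "workflow built up around the document" idea in code.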

You may have a DLP box watching what is happening. You'll certainly have a box with policies and workflows on it (I have a feeling Microsoft want to control this) but everything from smartphones, routers, switches, mail servers, PCs, programs, databases will be "process-aware".

DLP will become part of the "defense in depth" solution but everything will have content protection built in. Welcome to the future.
