The job of protecting sensitive data — keeping it within the corporate network and sharing it with only approved parties — calls for a shift in security philosophy.
That's the view of some industry executives who believe that the traditional model of perimeter security faces limitations today. Firewalls and other security measures may help keep the bad guys out, but they do nothing to prevent an organization's internal users from inadvertently or maliciously leaking critical data . Just defining the edge of a network — much less defending it — has become an increasingly ambiguous task as business-partner networks bleed into each other.
"As more open, flexible network access and distributed computing models dissolve the traditional network perimeter, the centralized ‘fortress' model for data protection can be increasingly impractical and ineffective," a recent Aberdeen Group Inc. report stated.
But market-research groups aren't the only ones to spot the trend. Jericho Forum , an IT security group that counts Boeing and Procter & Gamble among its members, has been exploring the "de-perimeterization" of networks since 2004. Jericho Forum operates within The Open Group , an open-standards consortium based in San Francisco.
In response to the blurring of network boundaries, some organizations have begun to focus on securing data. The general idea is to get security to travel with the data, as opposed to relying strictly on hardened networks and other IT infrastructure components.
Customers draw upon a number of vendor products as they pursue data-protection strategies. Encryption, data classification, data-loss-prevention and enterprise rights-management technology can all play a part in limiting wayward data.
The emphasis on protecting sensitive data — what Aberdeen terms an "information-centric" approach — is a recent development.
"Our research suggests that this newer info-centric approach is just now emerging," noted Derek Brink, vice president and research director for IT Security at Aberdeen Group. "Even the best-in-class companies … are just now adopting this approach," he added.
Aberdeen Group's research focused on encryption and key management, which the company views as the main underpinnings of information-centric security. The company studied the use of those technologies in more than 150 organizations. The resulting report , published in August 2007, ranked organizations according to such factors as their ability to identify sensitive data. The top 20 percent were placed in the best-in-class category.
Forty percent of those best-in-class organizations now support the use of third-party encryption solutions "in response to the pressure to protect sensitive data," the Aberdeen Group report noted. A quarter of the best-in-class category have begun to move toward an "information-centric, de-perimeterized approach of securing the data combined with protecting and controlling access to the encryption keys that secure the data," according to Aberdeen Group.
Brink said that Aberdeen Group's research came across information-centric security adoption in several industries, including high technology, financial, telecommunications, government, aerospace/defense and health care.
Jericho Forum, meanwhile, also cited encryption in the mix of security measures needed in a de-perimeterized network.
While encryption may be a foundational technology, industry analysts and vendor executives point to various product classes that help secure sensitive data. Among those is data classification. Companies need to flag sensitive data and identify where it resides in order to effectively employ encryption.
Carol Baroudi, research director for security technologies at Aberdeen Group, called the discovery of sensitive data "a very difficult task." Such data, she noted, can be found in email messages, Word files and PowerPoint presentations, among other sources.
Organizations need to define what sensitive data is and employ tools for locating it.
"If you don't have some form of automation, you're never going to find it," Baroudi said. "It doesn't all reside in one place."
Automation comes in a couple of forms. Information-classification tools often target storage management but may also be deployed to discover sensitive data. Vendors include Kazeon Systems Inc ., which offers an information-security and privacy solution, and EMC Corp . The latter company's Infoscape software may be used to identify files containing confidential information, according to EMC.
Titus Labs , meanwhile, offers a classification solution that targets Microsoft Office documents and email.
A broader class of products, dubbed DLP (Data Loss Prevention), also pursues data classification. Vendors operating in this space include Reconnex Inc . and Vontu .
Faizel Lakhani, vice president of products and marketing at Reconnex, said that understanding content is the essence of DLP. This month, Reconnex rolled out Version 7.0 of its iGuard DLP appliance, which includes a data-mining engine that the company says can analyze information to determine who should be permitted access to which sensitive data.
Some data-classification tools not only set the stage for encryption, but also trigger that function.
Titus Labs's products, for example, ask users to classify information via a toolbar in Word, Excel, PowerPoint or Outlook. Based on the user's classification selection, the company's technology then invokes administrator-defined policies, noted Charlie Pulfer, vice president of product management at Titus Labs. S/MIME (Secure/Multipurpose Internet Mail Extensions) encryption might be applied to a confidential email, for example.
Products may also invoke ERM (Enterprise Rights Management) solutions, which employ encryption to place restrictions on how documents may be used. Organization can use ERM tools to determine which users will be permitted to view, edit and print documents. ERM offerings include Adobe Systems Inc.'s LiveCycle Rights Management ES , EMC's Documentum information-rights-management solution, Liquid Machines's ERM products , and Microsoft's RMS (Rights Management Services).
Titus Labs's products are enabled to work with Microsoft's RMS, as well as any encryption software that works with Microsoft's CryptoAPI. Pulfer said that email encryption is a "little more prevalent" at the moment, but he pointed to large customers such as the U.S. Department of Veterans Affairs, which will deploy Titus Labs's Message Classification product and RMS.
Similarly, Reconnex is able to invoke encryption tools and ERM.
Industry analysts suggest that integration among DLP, ERM and other security components will become increasingly commonplace. Consolidation already is occurring. EMC purchased Tablus Inc., a DLP vendor, earlier this year. Vontu is reported to be a Symantec Corp . acquisition target.
"I don't think in three or four years we'll see as much focus on data-loss technologies," Baroudi said.
Baroudi said she believes that the technology category will be subsumed into a broader product set, noting that customers don't want to purchase solution components from multiple vendors.
Richi Jennings, lead analyst for Ferris Research's E-mail Security practice, noted that several vendors now offer product suites that encompass anti-spam , anti-virus , archiving and outbound content-control capabilities such as DLP.
"Organizations are moving from a buying decision based on a collection of products from different vendors to a single-source policy, where possible," Jennings added.