Today’s Imperative is Information-Centric Security

• Available,
• Easy to use,
• Reliable/robust,
• Globally networked,
• Agile/adaptable to changes in business operations,
• Manageable and
• Cost-effective.

These information services are also viewed by a broad range of stakeholders as safe, secure and compliant to applicable regulations and audit practices.

Accomplishing a widely held consensus of safety, security and compliance requires a governance team and process that represent the viewpoints of all the business stakeholders and that involve and reconcile the often competing and conflicting objectives from each community of interest to arrive at appropriate solutions. The stakeholders from the IT technology side - security architects, IT technologists, user interface designers - need to work more closely now than ever before with corporate legal counsel, corporate policy-makers, risk management decision-makers, auditors and business managers throughout the systems development lifecycle. They also need to include requirements from outside the enterprise that may conflict with immediate enterprise business objectives, including those driven by public interest groups and government, because these communities are developing new standards of performance and regulations that place controls on information and the acceptable use of information systems.

In short, good information-centric security governance requires resolving tensions between competing public sector, business sector and consumer interests, which can be defined as the following:

• Public-sector interests are those that governments hold and are manifested in law, regulation and enforcement. Example interests include public safety, national security, critical infrastructure protection, macroeconomic financial risk management and consumer protection.
• Business-sector interests generally balance risk and reward with the objective to achieve optimal shareholder financial results. Wherever possible, risk is minimized for optimal return. To the business sector, information security is an economic risk management problem to be managed in favor of business objectives.
• Consumer interests center on the unintended consequences and assumed risks of the use and misuse of consumer information. Consumers have expressed interests in their controlling the use of information about them by both the business and public sectors. Government can assist the consumer through legislation and regulation.

While functional responsibilities and organizations will likely persist in any medium to large enterprise, resolving these tensions requires improvements in a cross-functional collaboration to develop a dynamic, process-oriented, information-centric security governance framework that ensures the right business decisions are made to arrive at the best solutions for that enterprise.

The Open Group’s Security Forum and the American Bar Association’s Cyberspace Law Committee are pioneers in this necessary cross-profession collaboration, in analyzing and recommending improvement to current, perimeter-based and proprietary-based enterprise-level information security practices. The groups are proposing a new framework for effective information-centric security, starting with the desire to control information flow inside and beyond the border of the business.

Information-Centric Security Starts with Control

Previous work of The Open Group’s Security Forum and the Cyberspace Law Committee has already recognized that the “control” of intangible electronic assets - i.e., information - is a functional equivalent for “possession” of physical assets in the physical world.1, 2 By extending the example of this work here, information-centric security becomes a question of maintaining the equivalency of ownership through control over information assets wherever they are. To this end, four key principles of control emerge:

• Information now is a “controlled substance.” Just like other controlled substances in the real world, information can be used responsibly and destructively, making information and its stores both assets and liabilities. The state expresses its interest in information control through use regulation and public disclosure in cases of loss of control.
• Control is a people, process and technology problem. Technology alone cannot control information. People must take responsibility for the information entrusted to them by adequately safeguarding it through appropriate administrative and technical control processes.
• Information can only be controlled within a perimeter - what The Open Group refers to as “the control environment.” Unless the information carries with it protection mechanisms that can enforce or extend control over its access and usage, once information leaves the controlled environment, its owner has lost control of it.
• Control at a distance is difficult. Controlling information within a managed application or firewall perimeter is hard enough. Extending that control beyond the enterprise is very hard but necessary to enable the global extended enterprise to share its sensitive information assets at an acceptable level of risk with its customers, suppliers, business partners and outsourced service providers. Control beyond the enterprise is accomplished through the establishment of and compliance with legal agreements between information-sharing parties, verifiable administrative, technical and physical control practices and standards that set expectations for control.

Extending Control Beyond the Enterprise’s Perimeter

Control beyond the enterprise’s environment is challenging because of two considerations:

• A larger group of professions and individuals beyond the information systems and technology people are involved. This increases the dialog, complexity and opportunities for misunderstandings to occur.
• Once information has left the controlled enterprise environment, all the information owner can do is place his or her trust in the control exercised (or not) by external people, processes and technologies. The primary technology is digital rights management in its broadest sense (rather than simply musical entertainment).

Compliance

Managing people, processes and technologies outside of one’s direct control has strong parallels with the general problem of compliance to external standards, regulations or policy. A generalized compliance model works such that if the corporate policy complies with the external requirements, legal and otherwise, and if the IT operation complies with policy, then the IT operation complies with the external requirements.

There are six major compliance activities:

1. Determine the compliance objective. Compliance must be discussed as “compliance to what standard or objective?” Compliance to legal and regulatory requirements alone may not be good enough to meet business requirements. Contractual obligations, service level agreements (SLAs), customer expectations and norms of good corporate citizenship all are external requirements that must be complied with.
2. Assess external compliance requirements. For those compliance objectives that are legal in nature, corporate legal must assess the external requirements to determine what applies to the enterprise and its business. Assessment of applicable law and contractual obligations is a legal function.
3. Establish corporate policy. For compliance objectives that are not legal in nature, business process people and corporate management must establish policy consistent with corporate business objectives.
4. Evaluate compliance to external requirements. Working with a policy group called “controls compliance,” the legal function must determine and document through a legal opinion whether the enterprise, through correct implementation of its policy, complies with the applicable legal requirements. Only the legal team can write this opinion, and the attorneys then assume that policy is followed.
5. Implement information systems compliant to corporate policy. The IT people must implement systems that are compliant to policy.
6. Evaluate compliance of internal systems implementation to corporate policy. The audit function assesses whether the information systems’ processes and technologies comply with corporate policy, providing management with assurance that the intentions of the policy have been carried out.

Extending compliance beyond your enterprise is usually established through formal agreements, such as a contract or SLA, and monitoring to verify the terms of the SLA are being met. Establishing SLAs is a business management and legal process, and verifying compliance to an SLA usually includes monitoring and reporting on system performance metrics.

Whether described as “deperimeterization,” “information-centric security” or “a framework for control of electronic assets,” the information security governance team must consider economic, policy and technical factors impacting the security architecture and represent all the different views needed to sustain all of the stakeholders in the process. Security as a combination of people, processes and technologies is nowhere more evident than in the control of information across enterprise perimeters. Corporate legal, corporate policy and internal audit are now among the key stakeholders in a corporation’s security architecture. The needs of these stakeholders in the past have not been well articulated within the IT architecture community, but they need to be.

Helping these new stakeholders better understand the processes and technologies used to implement policies is essential to making the compliance framework work. Cross-functional information security governance resolves the needs and tensions between these stakeholders, and security architects can take a lead role in facilitating this dialog between the different stakeholder viewpoints.

References:

1. The Open Group. “Framework for Control Over Electronic Chattel Paper - Compliance with UCC Section 9-105.” The Business Lawyer, Volume 61, Number 2, February 2006.
2. Uniform Commercial Code section 9-105, LII - Legal Information Institute - Cornell Law School.