Today’s Imperative is Information-Centric Security

Controlling Information Flow

Information Management Magazine, May 2008

Mike Jerbic

For more than 20 years, enterprises have clung to the idea of securing operating systems, networks, storage, communication channels and all the hardware they run on. These investments protected the computing equipment, which is now relatively cheap and easily replaced. The theory went that by securing the equipment and entry points within the enterprise, the information residing therein was safe and secure.

Today’s global business enterprises demand a framework that ensures their IT systems information security addresses the current realities of enterprise, network and information sharing and access.

Globalization, service orientation and outsourcing have changed the requirements from those of the last two decades. Global businesses demand secure IT operations over open networks (i.e., the Internet) so they can share information in a controlled way with their business partners and customers. Information services providers derive their business value from their ability to maintain “asymmetric” differences in information availability. For some enterprises competing in the information age, managing information scarcity or flow is their only business advantage - the only thing worth preserving. Because the information is what is valuable now, we need to focus on its protection. Information-centric security is the new goal, and accomplishing that goal will require improvements in information security governance and architecture.

Governing Information-Centric Security

Today’s globally connected enterprises require information services that are:

• Available,
• Easy to use,
• Reliable/robust,
• Globally networked,
• Agile/adaptable to changes in business operations,
• Manageable and
• Cost-effective.

These information services are also viewed by a broad range of stakeholders as safe, secure and compliant to applicable regulations and audit practices.

Accomplishing a widely held consensus of safety, security and compliance requires a governance team and process that represent the viewpoints of all the business stakeholders and that involve and reconcile the often competing and conflicting objectives from each community of interest to arrive at appropriate solutions. The stakeholders from the IT technology side - security architects, IT technologists, user interface designers - need to work more closely now than ever before with corporate legal counsel, corporate policy-makers, risk management decision-makers, auditors and business managers throughout the systems development lifecycle. They also need to include requirements from outside the enterprise that may conflict with immediate enterprise business objectives, including those driven by public interest groups and government, because these communities are developing new standards of performance and regulations that place controls on information and the acceptable use of information systems.

In short, good information-centric security governance requires resolving tensions between competing public sector, business sector and consumer interests, which can be defined as the following:

• Public-sector interests are those that governments hold and are manifested in law, regulation and enforcement. Example interests include public safety, national security, critical infrastructure protection, macroeconomic financial risk management and consumer protection.
• Business-sector interests generally balance risk and reward with the objective to achieve optimal shareholder financial results. Wherever possible, risk is minimized for optimal return. To the business sector, information security is an economic risk management problem to be managed in favor of business objectives.
• Consumer interests center on the unintended consequences and assumed risks of the use and misuse of consumer information. Consumers have expressed interests in their controlling the use of information about them by both the business and public sectors. Government can assist the consumer through legislation and regulation.

While functional responsibilities and organizations will likely persist in any medium to large enterprise, resolving these tensions requires improvements in a cross-functional collaboration to develop a dynamic, process-oriented, information-centric security governance framework that ensures the right business decisions are made to arrive at the best solutions for that enterprise.

The Open Group’s Security Forum and the American Bar Association’s Cyberspace Law Committee are pioneers in this necessary cross-profession collaboration, in analyzing and recommending improvement to current, perimeter-based and proprietary-based enterprise-level information security practices. The groups are proposing a new framework for effective information-centric security, starting with the desire to control information flow inside and beyond the border of the business.

Information-Centric Security Starts with Control

Previous work of The Open Group’s Security Forum and the Cyberspace Law Committee has already recognized that the “control” of intangible electronic assets - i.e., information - is a functional equivalent for “possession” of physical assets in the physical world.1, 2 By extending the example of this work here, information-centric security becomes a question of maintaining the equivalency of ownership through control over information assets wherever they are. To this end, four key principles of control emerge:

• Information now is a “controlled substance.” Just like other controlled substances in the real world, information can be used responsibly and destructively, making information and its stores both assets and liabilities. The state expresses its interest in information control through use regulation and public disclosure in cases of loss of control.
• Control is a people, process and technology problem. Technology alone cannot control information. People must take responsibility for the information entrusted to them by adequately safeguarding it through appropriate administrative and technical control processes.
• Information can only be controlled within a perimeter - what The Open Group refers to as “the control environment.” Unless the information carries with it protection mechanisms that can enforce or extend control over its access and usage, once information leaves the controlled environment, its owner has lost control of it.
• Control at a distance is difficult. Controlling information within a managed application or firewall perimeter is hard enough. Extending that control beyond the enterprise is very hard but necessary to enable the global extended enterprise to share its sensitive information assets at an acceptable level of risk with its customers, suppliers, business partners and outsourced service providers. Control beyond the enterprise is accomplished through the establishment of and compliance with legal agreements between information-sharing parties, verifiable administrative, technical and physical control practices and standards that set expectations for control.