Eating Elephants

by Brian Katz on April 9, 2013 · 2 comments

I had a fun twitter conversation this morning that got a little bit heated, which is bound to happen when you mix security, identity and mobile along with an American, a Canadian, and an Italian. Alessandro Festa, the aforementioned Italian, wrote a very interesting blog post last night, another in his series of Bring Your Own Identity posts. The basics (and please go read the original post) of his post talked about keeping information secure, and how governance coming first can get in the way, while classification was the easiest way out of this mess. I disagreed with the central premise of Alessandro’s post, not because I don’t think classification needs to be done, but rather, it needs to be done differently.

Classification of data is very important and should be happening at all companies. It is an important part of ILM (Information Lifecycle Management), although the problem is that ILM is rarely practiced very well at most companies. The issue with classification, and therefore ILM, is that it’s really difficult to do in practice. Most organizations, when they decide that they should institute an ILM program, spend the majority of their time coming up with the classifications of their data. To Alessandro’s point, they start with governance. They set up different committees to look at the data that they have and work up how to classify the data into different categories. This can take anywhere from 6 months to two years’ worth of work, and by the time they finish, they may have over a hundred different buckets in which you can file your data.

Chances are, the organization has already picked a tool to help them classify the data and maintain the buckets that they have painstakingly decided upon. That is the easiest part. They now have to spend their time, money, and a lot of effort to train all their employees on how the categories should be applied to each piece of data. They then have to train them on the tool. This can be as long as a three-year process before any data actually gets put into any buckets; that is a lifetime for most organizations, and they are probably moving on to the next program at this point.

Remind me how this helps me to secure my data again? How does it keep me from exposing it to anyone who has the time when I store it in Dropbox or Box? It doesn’t, which is why I favor a much simpler approach. Start with only two buckets of data. The first bucket is all corporate data, regardless of importance or whatever other classifications you can think up, and the second bucket is all non-corporate data. It doesn’t get much simpler than this. Once you have your bucket of corporate data, you figure out how to secure it. I would recommend encrypting it all. If it’s all encrypted, it doesn’t matter where a user moves it. If someone gets into their publicly shared folder, all they are going to see is encrypted data; it’s useless without the key. You build those keys into the apps or platforms that a user is going to use (it would help if they were identity based too), and then they can work with the data when and where they need to.

Paul Madsen, the grumpy Canadian, piped up in the middle of our conversation and sided with Alessandro, and further stated that if you only had two categories, you most certainly weren’t doing MIM (Mobile Information Management) but MAM (Mobile Application Management). To be fair, this is all hard to get across in a series of 140-character twitter posts. I pointed out to Paul that this is still MIM: security is around the data, and if policy were then added to that data, we would truly have MIM. I’ll leave the discussion of MIM to another post, other than to say this can be a very workable solution.

The beauty of starting off with two buckets is that, as Alessandro pointed out in his post, you don’t need governance to get this far and you can start right away. This doesn’t mean that you stop once you have defined your two buckets. You start to break that corporate data bucket down into smaller buckets. One might be regulated data. Another might be on-campus only. You can continue to add buckets, but your system is already in place and you have already secured your data. These new buckets just allow you to refine the systems and, in reality, create better APIs.

The goal for all enterprises should be to free their data. They need to build APIs around their data sets. These APIs should account for all the different buckets and take into account identity and access management (IDAM), but serve as a programmatic way to get at all the data. Developers and users write apps to the APIs, which is how they access the data. This preserves the security and policy around the data, which the APIs respect and help enforce.
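The two-bucket rule, encrypt-everything-corporate, and the API that enforces bucket policy from the three paragraphs above, as an added worked model in Python (example code written for this page, not the author's or any product's). It assumes the names `classify`, `DataAPI`, `POLICY` and `can_read`, the refinement tags `regulated` and `on-campus`, and an identity dict with `authenticated`, `role` and `network` fields; the cipher is a counter-mode keystream from HMAC-SHA256 with an HMAC tag, a standard-library stand-in chosen so the block runs offline, where a real platform would use an AEAD such as AES-GCM with keys bound to identity.

```python
import hashlib
import hmac
import secrets

# Bucket and tag names are assumptions chosen for this illustration.
CORPORATE = "corporate"
NON_CORPORATE = "non-corporate"

# Refinement buckets added later, each mapped to the identity check it adds on
# top of the baseline rule (plain corporate data: any authenticated employee).
POLICY = {
    "regulated": lambda ident: ident.get("role") in {"finance", "compliance"},
    "on-campus": lambda ident: ident.get("network") == "campus",
}


def classify(record):
    """Bucket one vs. bucket two: anything the company originated is corporate."""
    return CORPORATE if record.get("origin") == "company" else NON_CORPORATE


def _keystream(key, nonce, length):
    # Counter-mode keystream from HMAC-SHA256; a stand-in for a real AEAD cipher.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key, plaintext):
    """Returns nonce || ciphertext || tag, so a tampered blob is rejected on read."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class DataAPI:
    """The API the post wants in front of the data: it holds the key, encrypts
    everything in the corporate bucket on the way in, and hands plaintext only
    to an identity that satisfies the policy of every bucket the item is in."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # held by the platform, never by the user
        self.shared_folder = {}  # stands in for Dropbox/Box: what an outsider sees

    def store(self, name, record):
        bucket = classify(record)
        body = record["body"].encode()
        if bucket == CORPORATE:
            body = encrypt(self._key, body)
        self.shared_folder[name] = {
            "bucket": bucket,
            "tags": list(record.get("tags", [])),
            "body": body,
        }
        return bucket

    def read(self, name, identity):
        item = self.shared_folder[name]
        if item["bucket"] != CORPORATE:
            return item["body"].decode()
        if not identity.get("authenticated"):
            raise PermissionError("corporate data needs an authenticated identity")
        for tag in item["tags"]:
            if tag in POLICY and not POLICY[tag](identity):
                raise PermissionError(f"policy for bucket '{tag}' not satisfied")
        return decrypt(self._key, item["body"]).decode()


def can_read(api, name, identity):
    """True if the API would release plaintext for this identity."""
    try:
        api.read(name, identity)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    api = DataAPI()
    # Constructed sample records: one corporate (and regulated), one personal.
    api.store("forecast", {"origin": "company", "body": "Q3 forecast", "tags": ["regulated"]})
    api.store("recipe", {"origin": "personal", "body": "pie recipe"})
    print("in the shared folder:", api.shared_folder["forecast"]["body"].hex()[:32], "...")
    finance = {"authenticated": True, "role": "finance", "network": "campus"}
    engineer = {"authenticated": True, "role": "engineering", "network": "campus"}
    print("finance reads:", api.read("forecast", finance))
    print("engineer can read:", can_read(api, "forecast", engineer))
```

The point the block makes is the ordering the post argues for: the encryption layer and the API gate exist from day one with only the corporate/non-corporate split, so whatever lands in the shared folder is already opaque; adding `regulated` or `on-campus` later is one more entry in `POLICY`, not a change to how data is stored.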

The problem with most companies today is that they try to crack the whole nut at once. There’s an old parable: “How do you eat an elephant? One bite at a time.” If companies spend too long trying to get everything perfect, it will be too late. Their employees will find a way around them so that they can use the data they need, when and where they need it, to get their job done. The only way to enable your employees and move forward is to take one step at a time. You can always decide whether you want to walk or run, but as long as you keep moving forward, it can be easy to secure all that data.


Björn Erikson August 14, 2014 at 6:22 am

I would like to use your cute elephant in a small Swedish publication.
Is that OK with you (who has the rights to the Picture)?

Best regards



Brian Katz August 15, 2014 at 1:32 am

I didn’t pick the picture so not sure of the usage rights

