Being Eaten

by Brian Katz on April 10, 2013 · 2 comments

After yesterday’s blog post on Eating Elephants, Alessandro Festa rightly pointed out that although we seem to have secured the data, we haven’t solved his refrigerator dilemma. Put simply, the dilemma is this: two people buy almost identical salads, although one has nuts in it. They come in similar containers and, even though the fridge is secure, when one of them reaches into the fridge to grab their salad, they have a 50% chance of grabbing the wrong one. Alessandro was using this dilemma to point out why we need more than categorization and governance; we also need to classify the data. It’s quite easy to get caught up in the similarities of classification versus categorization as he defines it, but he’s making it too difficult.

In one sense, Alessandro is right. If all we are doing is securing the data from outsiders, categorization does a great job. You have defined 2 buckets for your data: one is company-owned data, the data that you want to protect, and the other is everything else. You encrypt all that data, and now only those people who have keys to decrypt the data can use it, regardless of where it is. The good news is that you have protected your data from everyone outside your company but, as Alessandro has noted, you still have some work to do.

This is where Alessandro and I diverge a little bit. I will give him the benefit of the doubt as his first language is Italian, but I think the missing piece of the puzzle has nothing to do with classification of the data. You are certainly welcome to divide your company data bucket into a set of smaller buckets, each of which adds some policy to the data, but that doesn’t affect the security of the data per se. It can limit the risk of the data being exposed: one bucket, for example, could be highly confidential data that can only be viewed on campus. This is a rule set around the data, but it doesn’t change the encryption state of the data itself.

The piece that is missing is identity and access management (IDAM). When you create and manipulate data, one of the first things you do is permission the data itself. It carries a set of access rights that relate to the identities of the individuals who can view or manipulate that data and, of course, who cannot. Those rights may be broken up into different roles: view only, view and edit, etc. These access rights are essentially the other piece of the policy that is part of the data.

What’s interesting when you look at data in the enterprise is that almost everyone does identity based access management around their data but very few spend much time around classification of the data. When they sit down to do that classification, access management invariably becomes part of the conversation even though they have already spent the time and effort figuring it out. It becomes a great rabbit hole for them to try and get through and only serves to extend the problem that they didn’t realize they didn’t have.

So let’s take a look at ABC Inc., which has decided to set up a system that uses only 2 categories for its data, and how it would work (this is a gross over-simplification). They start by finding a system that will allow them to encrypt all their stored data. They set up an identity system that allows them to issue a certificate to each user per device. If a user has a laptop and a tablet, they will receive a certificate on both. The certificate should hopefully have the device type as part of it (this allows more policy-based actions on the data). This certificate, combined with a private key that is given out to each employee, is used in the identity management system (which could be two-factor if so desired) to vouch for the user’s identity and allow them to access data they have permission to see, based upon having the appropriate role. The user can then download the data to their device or access it through an app that allows them to use the data. The data stays encrypted while it transits to the device and can only be decrypted using the key that the user has.

The fact that we use the access management data that we have already created solves Alessandro’s refrigerator dilemma quite easily. When his two roommates purchased their almost identical salads, their names were placed on them. Essentially, each salad was locked with a key that only that user had, as that was how the IDAM system was set up. Each roommate only chose their own salad because that’s what they were limited to.
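The access decision described in the ABC Inc. walkthrough and applied to the two salads, as an added sketch that is not from the original post. The roommate names, the device-type restriction on the plain salad, and the use of set membership as a stand-in for real certificate validation are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Roles named in the post: view only, or view and edit.
ROLE_ACTIONS = {"view": {"view"}, "edit": {"view", "edit"}}

@dataclass(frozen=True)
class DeviceCert:
    user: str          # identity the certificate vouches for
    device_type: str   # carried in the certificate, e.g. "laptop" or "tablet"

@dataclass
class DataItem:
    name: str
    category: str                                   # "corporate" or "other"
    acl: dict = field(default_factory=dict)         # user -> role
    device_types: set = field(default_factory=set)  # empty set = any device

def authorize(cert, issued_certs, item, action):
    """Deny by default; return (allowed, reason)."""
    if item.category != "corporate":
        return True, "outside the protected bucket"  # assumption: ungoverned
    if cert not in issued_certs:                     # stand-in for cert validation
        return False, "certificate not issued by the identity system"
    role = item.acl.get(cert.user)
    if role is None:
        return False, "identity has no access right on this item"
    if action not in ROLE_ACTIONS.get(role, set()):
        return False, f"role {role!r} does not allow {action!r}"
    if item.device_types and cert.device_type not in item.device_types:
        return False, f"device type {cert.device_type!r} not allowed"
    return True, "ok"

# Constructed sample data: two roommates, two near-identical salads.
A_LAPTOP = DeviceCert("roommate_a", "laptop")
B_LAPTOP = DeviceCert("roommate_b", "laptop")
B_TABLET = DeviceCert("roommate_b", "tablet")
ISSUED = {A_LAPTOP, B_LAPTOP, B_TABLET}
SALAD_NUTS = DataItem("salad (nuts)", "corporate", {"roommate_a": "edit"})
SALAD_PLAIN = DataItem("salad (plain)", "corporate",
                       {"roommate_b": "edit", "roommate_a": "view"}, {"laptop"})

if __name__ == "__main__":
    for cert in sorted(ISSUED, key=lambda c: (c.user, c.device_type)):
        for item in (SALAD_NUTS, SALAD_PLAIN):
            print(cert.user, cert.device_type, item.name,
                  authorize(cert, ISSUED, item, "edit"))
```

Both salads sit in the same "corporate" bucket; what separates them is the per-item access list, which is the post's point about identity doing the work that finer classification was expected to do.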

The enterprise spends too much time trying to create perfect systems and figuring out how they are going to consume the elephant all at once, not realizing that they make it so difficult that the elephant turns around and starts to consume them.



Mike Battista April 10, 2013 at 10:49 am

I’m a big fan of keeping it simple too. The corporate/non-corporate is a good starting point, because:

1) Most people already had a work/personal split even before our lives went digital, so it’s intuitive to continue classifying data in that way. Especially today, any system that’s not intuitive to employees is almost certain to fail.

And 2) The work/personal split will continue to function as our lives become even more digital. It will go beyond just documents to include networks of contacts, our own internets of things, virtual places…wherever technology adds more to our digital identities, it’ll fracture nicely into corporate/non-corporate.

[Oops, sorry if this comment posts twice]
