I’ve worked in Security for many years, specialising in Network and Data Security, largely by chance, following my interests and the market in equal measure. I started with authentication tokens and SSL acceleration devices back in the early 2000s, the latter market mutated into key and certificate management, encryption of various types hanging off these monolithic management devices. Some of the SSL accelerators turned into load balancers and proxies, even SSL VPNs. It was a technology that spawned a number of others. In 2009, I prophesised that encryption was finally going to make a difference. I knew that data security was important, but I could not have predicted exactly how important that statement would be. I was roundly criticised for my stance at the time, and possibly this was right considering the timescales, but I now feel a little vindicated, if not prescient.
Of course now Cloud is becoming prevalent, encryption is more important than ever to protect customer data in transit and storage away from its source. Key and Certificate Management is coming to a point where it is usable and necessary, and the threats are very clear. As the adoption of Cloud technologies increases exponentially, consumers are finding there is a greater requirement for encryption and key management technology. Their data is no longer in their control for processing and storage, international agencies are spying on “everyone” it seems, and breaches are happening on a regular basis. Google’s Eric Schmidt recently advised that the way to end state sponsored spying was to “encrypt everything”.
I am currently writing a Leadership Compass to compare the vendors in this field, and have just completed an Advisory Note which explains what to look for in an Enterprise Key and Certificate Management (EKCM) solution, not to mention why you should be looking for one in the first place. EKCM can be used for a multitude of encryption and authentication tasks, certificates for email, SSL, keys for tape, database and laptop to name but a few. An investment in EKCM now seems to be a sensible choice, as Cloud is here to stay. As EKCM increases in scope, I can’t help think that businesses will find there are limitations in the reach of current technologies, and will look for ways to extend this to their end-user clients at greater scale without losing them control of their security environments. Imagine for a moment a global Telecoms company that could manage keys or certificates for all of its users, authenticate or encrypt for them on demand, to any other user or business in the world. It would take a lot of co-operation, and a lot of infrastructure, but the technology and ability to do this exists today, it’s just a matter of putting it together. Maybe I’m getting ahead of myself again…
The traditional corporate perimeter is starting to disappear as Cloud adoption increases, enabling a yet more dispersed workforce and client-base. We are already discussing new perimeters around information, requiring classification and asset tagging. We are seeing the rise of technologies that focus on tagging data to protect itself, so-called “Smart Data”, and creating virtual environments/perimeters that data cannot move outside. The next issue is how to keep this data protected once it leaves the corporate/controlled environment and spills out into the Internet.
The rise of Big Data continues to create its own security solutions and issues of course. As more and more Big Data solutions are created to process data at scale, the metadata being produced is of more value than the original data store. This data needs to be protected at source. I am beginning to see security solutions which rely on processing of logs on global scales, which will need to be implemented similarly to the key management technologies above. This will create further concerns about where this processed data is being stored and who has visibility, not just the service providers, but national and international intelligence agencies.
This is the direction that business is moving in however, and as security professionals we have to deal with the issues this creates. We are already seeing Cloud adoption accelerating, boundaries disappearing; huge amounts of data are being created, shared and managed over vast distances. Businesses can no longer rely on their data being hidden away in datacentres, as the edges of those datacentres are now porous, geographically dispersed and constantly shared. Effectively, the Internet is becoming a giant data store, the only way to differentiate the sensitivity of data is by encrypting or not. On the other side of this, there are very real opportunities here for communications and technology companies working on large scales to create a more “private” Internet over existing infrastructure, effectively making the world their datacentre and applying the required protection where it is needed, with the data, not with the walls.