Haven't updated the blog in a while. I was on a 10 day business trip to Israel. It was very productive, and I also had a ton of fun! But it got me behind on everything else.
So, back to the blog...
When we look at security, what we are looking at is mostly (some would say "entirely", but I will cover that later) about securing data. That's what people want. That's what is at risk. That's what costs a company or organization money when it is stolen. It also tends to make it in the news a lot. (Want some examples? Try here: http://search.live.com/results.aspx?q=laptop+stolen+data+site%3Awww.msnbc.msn.com)
There are two problems to solve when securing data. One is to secure it in storage. The other is to secure it in transit.
The question is: how and where do we secure the data? What I mean by this is...we have different places where the data can be secured. We can secure it at the network (such as a VPN, where the tunnel is secured, but the data between the hosts and the tunnel endpoints may or may not be secured). In fact, that's the most common thing done today. VPN and SSL are two things that immediately come to mind. We look at network solutions to secure the data. The problem is, that such a solution only applies to that specific scenario. It leaves other scenarios open.
Think of transferring data over SSL. It is encrypted in transit, but it is very likely not encrypted in storage. Either at the server or the client. If the server is compromised, the data is too. Once on a client machine, that data is even more vulnerable. Because now, people carry data everywhere. On laptops, USB drives, CD's, DVD's, phones, etc. See the link I provided earlier in this post for some examples of data being stolen from portable computing solutions.
So what is the answer? To secure the data itself. Always. So that regardless of the scenario, there is at least a base minimum of security for the storage and transit of the data.
I know the problem here: it is very hard to do. I am not claiming it is easy to do today, in 2006. What I am claiming is that it is, in principle, the right thing to do. If you can at least agree that it is in principle the right thing to do, then the next step is for us to work hard at making it more practical and manageable to do in the future.
In addition to securing the data by encrypting it always, I advocate having some form of DRM on data. This is another thing where people reading this right now are saying "No way! Too difficult. Too impractical. It would be unmanageable." And you are correct...now. But this is also a matter where we first decide if it is the right thing to do, and then go about making a solution for the future that is practical and supportable.
So this is what I advocate: all data should be encrypted, and should have some sort of DRM capabilities available. All scenarios. No exceptions. Keep in mind that I'm not saying "Go do this right now." I am saying that this is what I (and many others I work with) believe is the right thing to do, and are going to work hard towards this direction.
Before I leave this one, I wanted to point something out: notice that I am saying that if data is what you want to protect, then you should do so with the data itself. Not the network (by itself), or the transport (by itself) or the host (by itself), or the application (by itself). If you want to secure something, then secure it by working on the thing you want to secure. By bringing the security solution "closer" to what you want to secure, you get a solution that can move across multiple scenarios. I am going to talk more about that in a new post soon.