So far, we've talked about some background on the problems.  I want to take this and focus it a bit on the main areas that security items fall into.

We've talked about:

  • You don't have a private network
  • The perimeter isn't what it used to be, because of the increasing mobility in the computer world
  • Inconsistent security standards
  • The need to protect data by protecting the data itself, instead of trying to protect data by protecting the network, or even the hosts

What are the solutions in these areas?

  • You don't have a private network

Solution: End-to-end authentication and encryption

  • The perimeter isn't what it used to be, because of the increasing mobility in the computer world

Solution: Focus more on securing the hosts, instead of focusing so much on the network

  • Inconsistent security standards

Solution: Use host-based technology to apply the same security standards (such as 2-factor authentication and health checking) in all scenarios

  • The need to protect data by protecting the data itself, instead of trying to protect data by protecting the network, or even the hosts

Solution: Encryption and DRM on the data itself, instead of only trying to secure access to data that is open.

So all that is interesting, but not yet focused and meaningful.  So let's give it some focus and meaning.

When we look at the big problems we face today, we find that they fall into three areas:

  1. Identity
  2. Health
  3. Data

That's pretty much security in a nutshell: Who are you? (Identity)  What is the state of the machines in the communication? (Health)  What can you access, and what can you do with it? (Data)  Is the data secure in storage and secure in transit? (Data)

When we look at a security solution, or meeting security requirements in a scenario, we are looking at those three things: identity, health, data.

Before you think "Man, you left out A LOT of stuff!", keep in mind that numbers 2 and 3 are VERY broad and deep areas.  Identity, not so much.  It is a matter of authentication methods in which we have a high degree of confidence.  But health and data are huge areas to deal with.  For example, I had someone tell me that I had left "availability" off of the list.  But I would file that under health.  If a machine (or a network) is in such a state that it is not accessible, then I would say that there is a serious health problem there.  "Health" means a lot more than just having the latest patches.  Data is the same way.  "Data" doesn't mean just encrypting data in transmission and storage.  It also means access to the data, which covers a BIG area.

So, that's it: identity, health, data.  Enabling, enforcing, and validating those things is how we bring security to the world of computing.

Not only do we need to work on these, but we need to do so in a way that has the same high standards in all scenarios.  We can have no more of this approach where we try to secure one scenario, while turning a blind eye to the others.

The coming posts will talk more about these three areas.