We have been discussing products that help manage access to data over some of our past Group Tests and this month we’re back at it. This time we are looking at preventing data from leaving our environments without knowledge or permission, and at allowing multiple users access to superuser passwords. We’ll start with the latter.
This month’s password management products generally are standalone applications that allow various permutations of what I refer to as password carving. Password carving allows a superuser password to be subdivided into multiple subgroups. Of course, there are other passwords besides superuser passwords, but the principles are the same. This month’s products use various techniques but, overall, they achieve the same goals. A couple of notable exceptions are user products that act a bit like single sign-on applications.
The other side of this month’s reviews is keeping your business your business. Products in the data leakage prevention category (sometimes referred to as extrusion prevention) keep sensitive data from leaving the network. Today’s data leakage products address a wide variety of leakage vectors – from bots to USB thumb drives. The objective is the same: data that should not leave the enterprise cannot be permitted to do so, whether through sophisticated malware or unsophisticated physical theft (USB, CD, etc.).
One of the important issues with which we must deal is access to data. Over the past several months, we have looked at access control and its various subcomponents, as well as encryption and methods of keeping unauthorized users out of the network completely. One point that has become glaringly obvious is that as the enterprise becomes more complicated – and the perimeter becomes fuzzier – protecting data becomes more difficult.
One prevailing theory – and one that is not new – is that there is no such thing as computer or network security. Every effort should be made to secure the data itself, whether it is at rest, in motion, or in use. In fact, there have been those who have espoused the notion that there is no need to protect the network or its devices at all. All one needs to do is encrypt everything.
That is a pretty radical approach and, today anyway, it simply won’t work. However, there are some merits to that line of thinking. One of the major drawbacks is the need to protect every device from denial of service. Although the data may well be secured, killing the mechanism by which users access it is a major problem.
There is a solution. However, while it includes such protections as encryption and data leakage prevention, it is far more complicated to implement. This approach is called artificial immunity. Substantive research going on at the moment may lead to the ability for an enterprise to be treated as a living organism that protects itself from attacks of all types, with the devices on it simply playing the role of the organs of the entity.
While this is a hard task to complete, it also is a potential solution to a very hard problem set: large enterprises with ill-defined boundaries; determined, skilled attackers; and an ever-escalating suite of vulnerabilities in applications and operating environments. The main question is, “Is this even practical?” Early experiments suggest that it is, and we may even begin to see early artificial immune systems as upgrades to traditional anti-malware products.
Anti-malware is an ideal starting point for three reasons. First, the malware/virus paradigm fits the biological model of an attacker. Second, signature-based scanning is becoming less and less practical as signature files grow in size exponentially. Finally, anomaly detection has a very long way to go before it is immune from false indications, both positives and negatives.
So, how does this futurist view impact this month’s reviews? The key point is that we are focusing, as we have been increasingly, on the data itself. Protect the data and you protect the most important part of the enterprise: the reason it exists.