For the past 20 years, Information Security has had one constant: change. Today, I receive my data electronically over a secure network, and have it stored in an encrypted manner as the default. I don't have to be concerned about throwing data away, as storage isn't so much a physical issue as a technological one. In days of old, “Information Security and Confidentiality” were viewed through a governmental optic. The focus was on physical access to where the data was located, and if networks existed, they were physically closed. The truly important data was cryptographically protected. All of this changed with some tangential technological arrivals, such as digitalization, and, of course, the infamous “packet.” But, I get ahead of myself.
Before we go forward, let's go back. Samuel Morse invented his infamous code about 160 years ago, and this is where I peg the beginning of the electronic advance in information security. While none of us were alive then, the activity of passing dots and dashes from one point to another has been well memorialized. And in some instances, information security was a requirement – be it to protect the payroll or troop movements.
Privacy and confidentiality were assured through the use of alphabetic text ciphers. One of the most common and effective was the Vigenère cipher, which provided information security for the content of the transmission but did not address availability. Technological advances quickly followed with the arrival of the manual typewriter, aka the “Mill,” which morphed into the Teletype. The computer arrived about that same time, and within twenty years we had the desktop (TRS-80, all 8k of it!). These were heady times, as the fax, acoustic couplers, and dial-up allowed the expansion of our reach. The Network Administrator became a new career path, as the packet needed to be controlled, routed, and monitored. Shortly thereafter, "Chief Security Officer" and "Chief Information Security Officer" arrived as executive responsibilities. Different models evolved – some based solely on doing what is mandated by policy, compliance requirements or law, while others took the approach of consistent improvement, shaped around preferred practices.
As the global economies moved sharply forward, and the world went flat (thank you Thomas Friedman), companies outsourced and reduced their ownership of manufacturing, pushing it to suppliers. This reduced on-hand inventories, while increasing cost-savings. Tangential effects of the expanded supply chain were unseen, where partners were tethered, seemingly at the hip. The extranet was born. The footsteps you heard racing down the hallways of every corporation were the corporate security teams running to catch up, as integration of security had not yet occurred.
Then, we arrived at where we are today, where I'm part of the “always-on” demographic. I have my laptop, router, broadband DSL and cable (business continuity requires an alt-route for broadband service), wireless, VPN, smartphone, webcam, Flip-video-camera, 10 megapixel digital camera, iTouch and collaboration software (WebEx). Whew! These are my implements, the equivalent of those used by the farmer to maintain the fields and bring home the crop. They allow me to be everywhere, to engage everyone, and not have to set foot outside of my home office. These are the tools I use with and for my work. They allow all of my information to follow me wherever I go, and I use all of them every day.
Even when unconnected, I have access at this very instant to more data than my grandparents consumed in their lifetime; a humbling notion. When I am connected, I have access to more than I can consume in my lifetime; disconcerting. So, what are companies to do? The “cloud” is here – distributed services, leveraging any device (see the array supra), virtualization and communications and collaboration tools, methods and infrastructure. Network security moves from a border-bounded to a borderless environment, and content is accessible and available for shaping and reshaping. As the complexity factor increases, requirements for security architects will be paramount. As more services are provided by partners accessing them via the extranet, the need for identity management, the ability to attest to the authenticity of the data, and the security of the environment will be a challenge.
The policies surrounding the rules of engagement will be as important as any keystone has been to an arch; without them, the arch will fail. This is where technology, coupled with enabling policies, will be the differentiator. Information security needs will not only encompass your own enterprise, but those of your partners, as these partners not only touch your data, but also your customer's data. Thus Service Level Agreements will be the norm of the day, and availability and accessibility will each require a “five-nines” level of service.
As the adage goes, may you live in interesting times. While a blessing or a curse, change is the constant and will be such for many years to come.