Dan Geer

Sometimes a word is so overused that it loses its native punch. Such a word is paradigm: It means an example so central that it becomes the standard, the default. From the advent of the client-server model in the 1980s until now, the paradigm for digital information has been to invest in network and infrastructure security – the former to protect information during transit across suspect terrain, and the latter to keep the plumbing working in every sense. To everything there is a season, a time to be born and a time to die. For the paradigm of information protection via network and infrastructure security, the time to be laid to rest is now.

The central tenet of the theory of evolution is that the changes which determine fitness are responses to threats imposed on the organism from the outside, that survival pressure forces change, but that only some changes aid survival. The threats are threats because they are new. Technically, the appearance of a new survival threat is known as a punctuated equilibrium. All of us in the security field owe our jobs to one of these equilibrium punctuations: the sudden exposure of all computers to widely interconnected networks (the near simultaneous arrival of the first browser and the first network stack in Windows).

This is not an article, however, on the evolutionary process in the digital sphere. It is, instead, an article about what we hope is obvious: Somewhere between 2005 and now, protecting the network and the infrastructure ceased to be the central organizing principle. Data is where the value is now, network security has no answer to endpoint compromise and infrastructure is so cheap that anyone can afford reliability through redundancy. Nothing is so crisp as to be that binary. But ask yourself: If a laptop is stolen, do you cry for its purchase price or for the data it contains? If a network goes down, do you get sympathy from the customer whose data is marooned or calumny for failing to provide fallback infrastructure? Verizon's Data Breach Report contains a single number more important than all others: three quarters of all data losses are discovered by unrelated third parties, from which one can inevitably infer that the victim's network and infrastructure security regimes were neither effective nor relevant.

The equilibrium punctuation, the paradigm shift that is already here, is that data is now king. Yes, Moore's Law still holds — every 18 months a dollar buys twice what it did before — but a dollar buys twice as much storage about every 12 months, and back in the lab they are doubling bandwidth about every nine. Every decade, that is two orders of magnitude for computing, three for storage and four for bandwidth. The future of computing is, thus, all about data in motion. Data's value and risk overtook the value and risk of networks and infrastructure; data punctuated the equilibrium of security management. To retain the former paradigm is to fail to evolve, and failing to evolve is a dead end.

The fraction of total corporate wealth that is data is rising, as can be seen either qualitatively or quantitatively. Qualitatively, much of the world's combined GDP is information crystallized into physical products that could not be designed, manufactured, delivered or maintained without the movement of data. Quantitatively, the Dow Jones Industrial Average ascends at about 1/7 of one percent per week, while data volume is ascending closer to one full percent per week. The fraction of total corporate wealth that is data is rising.

If network and infrastructure security are trending to insufficient at a time when the percentage of wealth that is data is rising, then a paradigm shift has to happen. We say that the paradigm shift is this: henceforth, center your security investment and your security process around data, not around networks and not around infrastructure. We suggest that this paradigm be called enterprise information protection (EIP). We say “enterprise,” in that, for most firms, data is literally who they are; “information,” in that while we have said data, we have meant information because this data has future value; and “protection” because protecting value is the first responsibility of boards and officers.

Much has been made of how the networked world, call it the internet if you like, has no boundaries. This is true to a first approximation, but no firm wants to have no boundaries. A firm has to have boundaries. In the physical world, boundaries are simple to demarcate: our land stops here, or, these are our trucks, or that container is raw materials not yet used. In the digital world, we do not have to tell you that such simplicity is not available. Nevertheless, if you accept our argument that data with value, that is to say, information, is an enterprise asset that carries a duty of protection from the top of the firm down, then let us suggest that the perimeter of the firm is exactly defined by the reach of its data security regime. Let us repeat that, in a data-centric world, information that is not under the control of the firm is not inside the firm, it is outside. This is an operational definition, not a legal one, but the operational is what matters before loss, while the legal one only matters after things have gone badly.

EIP unifies data leakage prevention (DLP), network access control (NAC), encryption policy and enforcement, audit and forensics and all the other wayward infrastructure technologies, achieving something rare in the security world: simplicity in management and a reduction in net complexity. No, EIP is not a mission much less a mission statement, but it is the organizing precept. EIP is to a firm as democracy is to a state. The details matter, but the details orbit the precept. The details operationalize the guiding idea.

Because information is non-physical, its reality is not the reality of the physical world. In the physical world, if the car thief has your automobile it is certain that you do not have it. In the digital world, the data thief can have your information, yet you still do, too. In the physical world, good police work and a bit of luck can get you back to where you started (with your car again parked in your driveway). In the digital world, there will never be a day when you can prove that data you lost has been destroyed everywhere it might have gone. In the physical world, nothing moves so fast that it cannot be tracked. In the digital world, the speed of light will always be faster than you are.

We have spent centuries learning about securing the physical world, plus a few years learning about securing the digital world. What we know to be common to both is this: That which cannot be tolerated must be prevented. The non-observability and irreversibility of information theft make it intolerable, and so prevention is our only option. At the same time, what we know from history is that when an opponent can strike from a distance without warning or danger to himself, that prevention means pre-emption. As the intelligence community would say, pre-emption requires intelligence and intelligence requires surveillance. Put differently, EIP works best when it is taken that seriously.

For us in the commercial sphere, the last policy question to ask is “What is the unit of surveillance? Is it a person or is it a datum?” For our money, the answer is to surveil data; data, which is to say, information, is where the value is and data, which is to say, information, is where the firm's duty lies, both collectively as a firm and individually in the case of the board and officers. Having the person as your unit of surveillance is unsafe as a day-to-day, non-emergency practice. Save that for probable cause.

The EIP mechanism — an unblinking eye focused on information — has to live where the data lives. It has to live at that precise spot where data changes from "at rest" to "in motion," for all such spots. If it lives anywhere else, such as only on the network perimeters or only in and around database systems, then data-handling actions and data-transit pathways, unseen and undefined, will exist across the enterprise forever. Unless the EIP mechanism is at that point where data-at-rest becomes data-in-motion, at the point of use where data is truly put at risk, you are gambling.

Building the technology behind an EIP regime is not easy and, like designing cryptographic algorithms, is not a profitable use of the firm's time – though it can make a fascinating hobby for someone with nothing else to do. We have also learned through our own experience that this technology must be built purposefully to solve the information protection challenge. Morphing adjacent regimes to this purpose continues to be ineffective. Rather, effective EIP mechanisms are and will remain few and far between.

An EIP regime is the new and necessary paradigm for those willing to evolve in order to survive. It is, to the firm, what a conscience is to an individual — that second brain that watches the first with the power to detect bad choices and to act on what it sees. We do not expect perfection in applying EIP any more than we expect perfection of the conscience, but we know what it takes and the goal is worth it.

One might say, “We will get to that tomorrow,” but, as the casual reader of the newspaper knows, events come faster than one expects. Good ideas and bad experiences share the same thought: “Why didn't I think of that sooner?” If we are right about EIP, then it will separate winners from losers. The decision to switch paradigms from whatever you are doing to EIP can either be too early or too late. It is never possible to tell if you are too early, but it is always possible to tell if you were too late. Do not be too late. Make the decision while it is still relevant.