The EIP Forum

EIP: My Personal Journey from Infrastructure to Data Centric Security

"The roots of education are bitter, but the fruit is sweet."
~Aristotle

During my previous job as an engineering and IT manager at a Cambridge biotech company, we caught three senior scientists who were planning to take $100M worth of information. The company was involved in pre-clinical drug research for big pharmaceutical clients, and on one day, three different researchers ordered CD-ROM burners and hundreds of blank CDs, each within about 15 minutes of each other. The orders came through my head of IT, who had the presence of mind to ask, "What do you need the storage for?"

Astonishingly, they admitted that they were planning to start a new company and planned to use some of "their work" to get going.

Things rapidly became uncomfortable as it dawned on them that taking data from the company was likely not something senior management would view enthusiastically. They left without the CDs -- an administrative action. What became clear to me was that these employees would not have stolen a chair, but were going to walk out the door with the strategic assets of the company, without giving it a thought. The information represented more than $100M of value, yet, they seemed to understand neither the value of the information nor their obligation to the company and its customer data - even though they signed the appropriate usage policies. Usage policies are signed on employment or as part of an occasional awareness program, but are usually forgotten, left to gather dust in a bottom drawer of a filing cabinet under a desk.

We searched for solutions and spoke with numerous customers, knowing everyone was worrying about IP protection and information theft. Yet, no one had a positive answer to two simple questions:

  • What happened with my data?
  • Can I implement efficient control of my data regardless of usage?

From my exceptional tech group, both answers came back the same - no.

After months of fruitless searching, we came to the conclusion that we were not alone and that it would be worthwhile to address the challenge of protecting information.

Verdasys' growth has coincided with rising data loss, data breach, and outright data theft from common criminals to foreign nations. Our market lies in the shift in demand from protecting physical assets of computing and IT infrastructure to the strategic protection of valuable data for corporations and global organizations.

One need only witness breaches like the HSBC situation and countless others to understand that the approach of locking down successive layers of infrastructure and a reliance on access control (log in) not only trivialize the challenge of information protection, but also limit the mobility and productivity that businesses have come to demand over the past 10 years. Combined with the drive to lower cost in flexible infrastructure, there is a need for a different approach centered around data that enables companies to govern information without changing the way they do business or run their operations.

The happy truth is - there is a strategy that's effective, cost effective and enabling - EIP. What does a data-centric approach to information security have over the typical infrastructure-centric model? Simply put, if we do not focus on data - what it is, how it's being used, and who is using it - we are condemned to repeat the past. Nothing says fail quite like 75,000 compromised computers.

Next up: Enterprise Information Protection: What is it, who's doing it successfully -- and how?

- Seth Birnbaum
