Information centric security

Information centric security emphasizes the security of the information itself rather than the security of networks, systems or applications. The focus is on providing the right security for the information (your information, my information), not for the network or the system.
It allows selective identification of the most valuable information and the provision of security controls that address the risks to that information throughout its lifecycle. This model allows greater efficiency and effectiveness by providing security where it is needed rather than a blanket approach across an entire organisation/network, which can be expensive and ultimately ineffective.
To achieve this, four principles (developed by Rich Mogull) must be maintained:
Information (data) must be self describing and defending.
Policies and controls must account for the business context.
Information must be protected as it moves from structured to unstructured, in and out of applications, and changing business contexts.
Policies must work consistently through the different defensive layers and technologies we implement.
Importantly, for the information (data) to be self-describing, its associated metadata must include indicators of the value (or classification) of the information and any handling or control requirements (the minimum protections for confidentiality, integrity and availability). Metadata is crucial to the successful operation of an information centric security model.
Other security models are network or system based, which is fine for that particular system, but information moves between systems, and not all systems provide the same protections.
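As an added illustration (not part of the original post or of Mogull's work), the Python sketch below shows what the two points above look like in code: the classification and minimum confidentiality/integrity/availability requirements travel with the data, an HMAC binds that metadata to the payload so a label cannot be silently downgraded, and a policy check refuses to move the object to a system whose controls fall short of what the data demands. The labelling key, the 0-3 protection scale and the two system profiles are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed labelling key for the demo. In a real deployment it is held by the
# labelling service, never by a system that merely stores or forwards the data.
LABEL_KEY = b"constructed-demo-labelling-key"

# Protection strength per dimension, 0 (none) .. 3 (strongest). Constructed scale.
DIMENSIONS = ("confidentiality", "integrity", "availability")

# Constructed capability profiles of two possible destination systems.
SHARED_FILE_SERVER = {"confidentiality": 1, "integrity": 1, "availability": 2}
ENCRYPTED_DMS = {"confidentiality": 3, "integrity": 3, "availability": 2}


def _canonical(meta: dict, payload: bytes) -> bytes:
    """Deterministic bytes covering the metadata and the data it describes."""
    return json.dumps(meta, sort_keys=True, separators=(",", ":")).encode() + b"\n" + payload


def label(payload: bytes, classification: str, min_protection: dict) -> dict:
    """Wrap data in a self-describing envelope. The HMAC binds the metadata to the
    payload, so classification or handling requirements cannot be altered
    (for example downgraded) without the change being detectable."""
    meta = {"classification": classification, "min_protection": dict(min_protection)}
    tag = hmac.new(LABEL_KEY, _canonical(meta, payload), hashlib.sha256).hexdigest()
    return {"meta": meta, "payload": payload.hex(), "tag": tag}


def verify(obj: dict) -> bool:
    """True only if the object carries a label and the label still matches the data."""
    try:
        expected = hmac.new(LABEL_KEY, _canonical(obj["meta"], bytes.fromhex(obj["payload"])),
                            hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, obj["tag"])
    except (KeyError, TypeError, ValueError):
        return False


def may_move(obj: dict, system: dict) -> tuple[bool, list[str]]:
    """Policy decision for placing `obj` on `system`: every minimum protection the
    data demands must be met by what the system offers. Fails closed on a missing
    or tampered label, so unlabelled data never inherits a weaker system's defaults."""
    if not verify(obj):
        return False, ["label missing or failed integrity check"]
    required = obj["meta"]["min_protection"]
    shortfalls = [f"{d}: data requires {required.get(d, 0)}, system offers {system.get(d, 0)}"
                  for d in DIMENSIONS if system.get(d, 0) < required.get(d, 0)]
    return (not shortfalls), shortfalls
```

The same `may_move` check can sit at each defensive layer (file share, DMS, mail gateway) and reach the same answer, because the decision is driven by the data's own label rather than by per-system configuration.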
More to come on the information centric model, keep an eye on our Blog…