Tuesday, September 11, 2012

It's the data, Stupid!

One of the things that I try to bring to the table is historical perspective.    I argue for the importance of history, that if we do not know where we came from, we cannot appreciate where we are, much less where we are going. I have been here longer than the average bear.  I can see things across time that are difficult to appreciate at a point in time.  

When I was selling computers for IBM and for almost a generation, we matched the scale of the computer to that of the enterprise.  Each enterprise had one computer, the most powerful that it could afford.  Chief executive officers did not have the discretion to buy a computer.  It was an economic decision for the enterprise comparable to that of building a new plant or committing to a new product.  It was a board level decision. While the CEO could say "no," he could not unilaterally say "yes."

As the scale of the technology has changed, as its price has fallen and its efficiency has exploded, the decision making has moved.  

By the time that the "minicomputer" came on the market, the decision had fallen to the level of the department.  We did not consciously make a decision to do that.  It was simply a reflection of the scale, price, and efficiency.  However, until very recently, most computers used in the enterprise were still purchased, owned, and managed, not to say controlled,  by the enterprise.

Recently we passed a tipping point;  most computers are now purchased, owned, and, to the extent that they are managed at all, managed by individuals, by consumers.  We buy them at Wal-Mart and Costco, next to groceries, diapers, paper towels, and bottled water.  Because they are so cheap and so powerful, they are used for things that we could not have imagined as recently as a decade ago.  

As I sit here, there are seven computers within 5 feet of me and nine screens within 9 feet.  They are all connected and interoperable. Moreover, to a first order approximation, they are connected to, and will inter-operate with, any and every computer in the world.  These do not count the application-only computers like my cable box, Sling-box, and "Smart-TV;"  they all "boot" so I assume that they are "computers."  

As I sit here, I am waiting for one great niece to decide between a Kindle Fire and an iPad and am replacing an iPhone for another who dropped hers in the toilet at the mall.  The discretion, the decision making power, has now fallen to the children.  Remember?  The decision is made one level below the guy who signs the order, the check or the credit card?  I only pay, the kids decide.  Their decisions impact the enterprise and the infrastructure, those things that you and I are expected to control and protect. 

Infants use computers.  I choose the term "use" advisedly.  They use them for their "work," at their age indistinguishable from "play," learning to master their environment.  They project the capability of one computer as requirements on another.  They "swipe" across TV screens and even magazine pages.  Seven year-olds write critical reviews of applications, and teenagers know more about computers than the information technology elites of a generation ago.  Different things perhaps, but more.  

There are some things that are beneath their level of notice.  For the most part they are agnostic as to where an application runs and its data is stored.  They are oblivious as to what we used to call "speeds and feeds."  

It is almost impossible to remember that the first iPhone came out only five years ago and that about all it could do was phone calls, do e-mail, and browse.  Oops, I forgot; play music.  Apple and Google now have a couple of major announcements and ship dates a year.  Just to keep up! Teens track the features in new versions of iOS the way my generation tracked new car models.  By the time that YOU have figured out the security implications of one new product, another has shipped.  

I remember when I had to keep a list of e-mail gateways and use embedded addresses to get from one domain to another.  No longer; the address space has flattened.  Now I keep a list, shorter, but still a list, of application proxies to get me around firewalls and other security restrictions.  When the Naval Postgraduate School blocked my access to AOL Instant Messenger, two students quietly gave me the addresses of two different proxies.  Proxies now come plug-n-play-in-a-box or simply run as servers in the Internet.

One niece and nephew go to a very traditional school, elite, but so traditional that they are still expected to carry fifty pounds of paper in and out of school everyday.  They can take their iPhones, but cannot use them, and iPads and MacBooks must still be left at home.  So, they use Dropbox, Evernote, and thumb-drives.  No matter what controls or road-blocks we throw in their way, they will get around them.     

The good news is that there are only two popular operating systems for the most popular consumer products, right?  iOS and Android?  All you have to know about, right?  The bad news is that there are dozens of versions of Android, all different, most open.   There is more bad news.

RIM has not gone away.  Windows Mobile has hardly gotten here.   Playstations and X-Boxes are becoming richer and more open.  Even Play Station Portables and DS Lites are being opened some.  Proxies and servers are popping up everywhere to expand their capabilities even further.  

As I write this on Evernote, I am using the Windows Evernote client on my Dell, but I am using the screen and keyboard on my MacBook Air.  In order to find the Windows system across the room, the MacBook goes to an addressability server in the Internet where the Dell has published its IP address and port, perhaps thousands of miles away, and then comes back to a computer five feet away.  

The devices at the edge are becoming smaller, cheaper, more diverse, more powerful, at an exponential rate. Now it is not news that one can buy gigabytes on a chip the size of one's pinky nail for $1/gig or that one can buy a terabyte to fit in one's shirt pocket for under $100.  

All of this is by way of saying that you cannot prevent contamination and leakage at the edge.  You no longer own or control the edge.  You cannot even see it.  It has been a battle since the edge began to include PCs but it is now clearly a lost cause.  It has probably been the wrong strategy all along.  

Focus on the data.  You do not control the edge but you do control the center.  

Know which data you want to protect.  The books of account, intellectual property, personally identifiable data.  You cannot protect all your data to the level that is required by these.

Prefer closed systems for this sensitive data.  Think AS/400 and Lotus Notes, but you can close any system: the application is the only path to the data, and there is no general-purpose file, shell, or query access sitting beside it.  

Prefer object-oriented formats and databases to flat files for all sensitive data.  This should include document management systems.  The common practice of storing documents as file system objects is not appropriate for sensitive documents.  

Control access as close to the data source as possible, so that the decision to release a record is made where the data lives and does not depend on any control at the edge.  

Prefer application-only access.  Prefer purpose-built application clients; think "apps." 
Prefer end-to-end encryption, that is, edge device to application, not to the network, not to an operating system.  A VPN or a TLS session that terminates at a gateway protects the path, not the data; the session you rely on should be authenticated and encrypted between the application client and the application itself.  Remember that what appears to you to be the edge device may be a proxy for the real edge device.  

Prefer strong authentication for sensitive data; consider the edge device identity, for example, EIN or MAC address, as one form of evidence, never as the only one, since such identifiers are readily cloned. Consider out-of-band confirmation to the user to resist replay.  

Meter the data rate at the source, not the edge; prefer one record or page at a time.  A bulk export is the copy you will never get back, and the place to refuse it is the server that holds the data, which you control, not the device that asks for it, which you do not.  

Provide a high level of service.  You can make any control or restriction at least tolerable provided that you couch it in a sufficiently high level of service.  Remember that most leakage is of gratuitous copies.  These trade off cheap local storage against expensive bandwidth and high network latency.  The faster you can deliver data from the source, the fewer copies will be made at the edge.  
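The three recommendations above that a developer can act on directly, decide access next to the data, release one record per request, and meter the rate at the source, fit in one small gateway.  The code below is an added illustration, not code from the original post or from any product it names; the records, users, and entitlements are constructed sample data, and the class and function names are assumptions.  It generalises the one-record rule into a sliding-window budget per user, so that a script at the edge trying to drain the store is refused at the source after its budget is spent, while a denied request consumes no budget and is logged.

```python
"""
Added example (not from the original post): a source-side data gateway that
makes the access decision next to the data, returns one record per call, and
meters the per-user rate at the source instead of trusting the edge device.
Records, users and entitlements below are constructed sample data.
"""
import time
from collections import deque


# Constructed sample store. The "label" is the sensitivity class the post
# names: books of account, intellectual property, personally identifiable data.
RECORDS = {
    101: {"label": "books", "body": "Q3 general ledger summary"},
    102: {"label": "pii",   "body": "payroll record: J. Doe"},
    103: {"label": "ip",    "body": "2013 product roadmap"},
}

# Hypothetical entitlements: which labels each authenticated user may read.
ENTITLEMENTS = {
    "alice": {"books"},
    "bob":   {"books", "pii"},
}


class AccessDenied(Exception):
    """The source refused the request; nothing left the data store."""


class RateExceeded(Exception):
    """The user's per-window record budget at the source is spent."""


class SourceGateway:
    """The only path to RECORDS; clients see one record at a time.

    max_records / window_s bound how fast any one user can drain the store,
    so a bulk copy to cheap edge storage is refused here, not at the device.
    """

    def __init__(self, max_records=5, window_s=60.0, clock=time.monotonic):
        self.max_records = max_records
        self.window_s = window_s
        self.clock = clock            # injectable for deterministic tests
        self._issued = {}             # user -> deque of release timestamps
        self.audit = []               # (outcome, user, record_id) tuples

    def _meter(self, user):
        """Sliding-window count of records already released to this user."""
        now = self.clock()
        q = self._issued.setdefault(user, deque())
        while q and now - q[0] >= self.window_s:
            q.popleft()               # forget releases older than the window
        if len(q) >= self.max_records:
            self.audit.append(("rate", user, None))
            raise RateExceeded(user)
        q.append(now)

    def fetch(self, user, record_id):
        """Return exactly one record, or raise. The decision is made here."""
        rec = RECORDS.get(record_id)
        allowed = ENTITLEMENTS.get(user, set())
        if rec is None or rec["label"] not in allowed:
            self.audit.append(("deny", user, record_id))
            raise AccessDenied(f"{user} may not read {record_id}")
        self._meter(user)             # only released records count
        self.audit.append(("ok", user, record_id))
        return {"id": record_id, "label": rec["label"], "body": rec["body"]}


def drain_attempt(gateway, user, ids):
    """What a bulk-copy script at the edge sees: one outcome per record."""
    outcomes = []
    for rid in ids:
        try:
            gateway.fetch(user, rid)
            outcomes.append("ok")
        except AccessDenied:
            outcomes.append("deny")
        except RateExceeded:
            outcomes.append("rate")
    return outcomes


if __name__ == "__main__":
    g = SourceGateway(max_records=2, window_s=60.0)
    print(drain_attempt(g, "bob", [101, 102, 103, 101]))   # ok, ok, deny, rate
    print(g.audit)
```

The gateway keeps the audit trail as well as the decision, because the source is the only vantage point from which a slow, patient drain of one record at a time is visible at all; the edge device will show nothing but ordinary use.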

Now I am not in the business of recommending products here.  However, if you want to make the above easy, get Lotus Notes.  I can mention it because it has no competition.  

These measures are probably too expensive for the least sensitive data in the enterprise.  However, they are mandatory for the most sensitive data. It is for drawing the line that we are called professionals and paid the big bucks.