<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/atom10full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><feed xmlns="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:thr="http://purl.org/syndication/thread/1.0">
    <title>Information Centric Security</title>
    
    <link rel="alternate" type="text/html" href="http://infocentric.typepad.com/blog/" />
    <id>tag:typepad.com,2003:weblog-1615770</id>
    <updated>2008-11-19T07:58:00-08:00</updated>
    <subtitle>Information, Security, Compliance and associated confusion. </subtitle>
    <generator uri="http://www.typepad.com/">TypePad</generator>
    <link rel="self" href="http://feeds.feedburner.com/InformationCentricSecurity" type="application/atom+xml" /><entry>
        <title>ICS and "Where Do I Start"</title>
        <link rel="alternate" type="text/html" href="http://infocentric.typepad.com/blog/2008/11/ics-and-where-do-i-start.html" />
        <link rel="replies" type="text/html" href="http://infocentric.typepad.com/blog/2008/11/ics-and-where-do-i-start.html" thr:count="2" thr:updated="2008-11-20T08:13:19-08:00" />
        <id>tag:typepad.com,2003:post-58705628</id>
        <published>2008-11-19T07:58:00-08:00</published>
        <updated>2008-11-19T07:58:00-08:00</updated>
        <summary>It is a surprisingly simple question, but one that I am not accustomed to answering, and I think that I did a poor job in addressing.  I basically pointed the guy back to the lifecycle and said "If it's new data, go through this process.  If it is existing data, go through this process".  Technically sound, but not very helpful.  If you are working at a large firm with hundreds of legacy systems and data strewn all over the place, the challenges are far greater than that. </summary>
        <author>
            <name>Adrian Lane</name>
        </author>
        <category scheme="http://www.sixapart.com/ns/types#category" term="Information Centric" />
        
        


    </entry>
    <entry>
        <title>DRM In The Cloud</title>
        <link rel="alternate" type="text/html" href="http://infocentric.typepad.com/blog/2008/09/drm-in-the-cloud.html" />
        <link rel="replies" type="text/html" href="http://infocentric.typepad.com/blog/2008/09/drm-in-the-cloud.html" thr:count="0" />
        <id>tag:typepad.com,2003:post-55696800</id>
        <published>2008-09-16T07:52:18-07:00</published>
        <updated>2008-09-16T07:52:18-07:00</updated>
        <summary>**This is a cross-post from Securosis** I have a well publicized love-hate opinion of Digital Rights Management. DRM can solve some security problems but will fail outright if applied in other areas, most notably consumer media protection. I remain an...</summary>
        <author>
            <name>Adrian Lane</name>
        </author>
        <category scheme="http://www.sixapart.com/ns/types#category" term="DRM" />
        
        


    </entry>
    <entry>
        <title>Information Centric Security and Virtualization</title>
        <link rel="alternate" type="text/html" href="http://infocentric.typepad.com/blog/2008/07/information-centricity-and-virtualization.html" />
        <link rel="replies" type="text/html" href="http://infocentric.typepad.com/blog/2008/07/information-centricity-and-virtualization.html" thr:count="0" />
        <id>tag:typepad.com,2003:post-53038178</id>
        <published>2008-07-21T19:00:00-07:00</published>
        <updated>2008-07-21T19:00:00-07:00</updated>
        <summary>With Information Centric Security, you create a virtual container, wrapper or 'universe' for the data and the business rules.  You no longer care if some of the infrastructure has been compromised as you may still be able to keep data secure even if it has been copied or vMotion'ed off to some other place outside your control. </summary>
        <author>
            <name>Adrian Lane</name>
        </author>
        <category scheme="http://www.sixapart.com/ns/types#category" term="Information Centric" />
        
        <category scheme="http://sixapart.com/ns/types#tag" term="Information Centric Security" />
        


    </entry>
    <entry>
        <title>What's My Motivation?</title>
        <link rel="alternate" type="text/html" href="http://infocentric.typepad.com/blog/2008/07/whats-my-motivation.html" />
        <link rel="replies" type="text/html" href="http://infocentric.typepad.com/blog/2008/07/whats-my-motivation.html" thr:count="0" />
        <id>tag:typepad.com,2003:post-52160916</id>
        <published>2008-07-02T07:36:48-07:00</published>
        <updated>2008-07-02T07:36:48-07:00</updated>
        <summary>Or more appropriately, "Why are we talking about ADMP?" In his first post on the future of application and database security, Rich talked about Forces and Assumptions heading us down an evolutionary path towards ADMP. I want to offer a slightly different take on my motivation, or belief, in this strategy.</summary>
        <author>
            <name>Adrian Lane</name>
        </author>
        <category scheme="http://www.sixapart.com/ns/types#category" term="Database Security" />
        
        


    </entry>
    <entry>
        <title>Adrian Lane joins Securosis!</title>
        <link rel="alternate" type="text/html" href="http://infocentric.typepad.com/blog/2008/06/adrian-lane-joins-securosis.html" />
        <link rel="replies" type="text/html" href="http://infocentric.typepad.com/blog/2008/06/adrian-lane-joins-securosis.html" thr:count="1" thr:updated="2008-06-11T22:37:48-07:00" />
        <id>tag:typepad.com,2003:post-51223334</id>
        <published>2008-06-11T21:48:16-07:00</published>
        <updated>2008-06-11T21:48:16-07:00</updated>
        <summary>Believe it or not, I'm going to work with Rich Mogull at Securosis. Worse yet, I'm excited about it!</summary>
        <author>
            <name>Adrian Lane</name>
        </author>
        <category scheme="http://www.sixapart.com/ns/types#category" term="News &amp; Events" />
        
        


    </entry>
    <entry>
        <title>DEMIDS and Database Misuse Detection</title>
        <link rel="alternate" type="text/html" href="http://infocentric.typepad.com/blog/2008/06/demids-and-database-misuse-detection.html" />
        <link rel="replies" type="text/html" href="http://infocentric.typepad.com/blog/2008/06/demids-and-database-misuse-detection.html" thr:count="0" />
        <id>tag:typepad.com,2003:post-50859500</id>
        <published>2008-06-05T07:44:18-07:00</published>
        <updated>2008-06-05T07:44:18-07:00</updated>
        <summary>DEMIDS is an early paper on how to detect errant use of a database.  As an overview, the paper describes a system where misuse is ‘detected’ by the use of a distance function.  It attributes a set of tables or database functions as the normal domain of a user, and everything that the user accesses outside of that specified domain has some distance factor associated with it.  Tables in other schemas are viewed as being a certain distance outside of that domain, and tables in different databases further still.  The further away a resource is, the more likely there is misuse.  It is a basic assumption that the users are sufficiently privileged to perform the access.  And it is inherent in the methodology described that the system is closely coupled to the database itself, and it performs the work of detection locally. </summary>
        <author>
            <name>Adrian Lane</name>
        </author>
        <category scheme="http://www.sixapart.com/ns/types#category" term="Database Security" />
        
        


    </entry>
    <entry>
        <title>ICS Example No. 2</title>
        <link rel="alternate" type="text/html" href="http://infocentric.typepad.com/blog/2008/06/ics-example-no-2.html" />
        <link rel="replies" type="text/html" href="http://infocentric.typepad.com/blog/2008/06/ics-example-no-2.html" thr:count="0" />
        <id>tag:typepad.com,2003:post-50829828</id>
        <published>2008-06-04T14:13:59-07:00</published>
        <updated>2008-06-04T14:13:59-07:00</updated>
        <summary>I also wanted to discuss a slightly more complex example to illustrate how Information Centric Security can solve other problems.</summary>
        <author>
            <name>Adrian Lane</name>
        </author>
        
        


    </entry>
    <entry>
        <title>Miscellaneous Ramblings on ICS</title>
        <link rel="alternate" type="text/html" href="http://infocentric.typepad.com/blog/2008/06/miscellaneous-ramblings-on-ics.html" />
        <link rel="replies" type="text/html" href="http://infocentric.typepad.com/blog/2008/06/miscellaneous-ramblings-on-ics.html" thr:count="0" />
        <id>tag:typepad.com,2003:post-50773180</id>
        <published>2008-06-03T11:02:43-07:00</published>
        <updated>2008-06-03T11:02:43-07:00</updated>
        <summary>It is also interesting to see how biases and beliefs manifest themselves into different implementation strategies.  Forgive the crude analogy, but while we both fervently believe in Information Centric Security as a model, we worship at slightly different altars of implementation.  Some of us view the solution as a virtualized application space, which I believe is manifest of a business processing security perspective.  Others view the solution as a packetized encapsulation of data objects, which I believe originates from a perspective of personal data protection.  The former has a distinct advantage in the area of misuse detection and data policy management, the latter has a decided advantage in privacy and application dependencies.  There will be other proposals, which will all have a common thread that data will have a playground in which it is used, accessed and stored.  The differences are where you draw your ‘line in the sand’, or the protective boundary around the data. Personally, the more the better as it shows the flexibility of the concept, but it can make it more difficult to get your head around.</summary>
        <author>
            <name>Adrian Lane</name>
        </author>
        <category scheme="http://www.sixapart.com/ns/types#category" term="Information Centric" />
        
        


    </entry>
    <entry>
        <title>More comments on database security</title>
        <link rel="alternate" type="text/html" href="http://infocentric.typepad.com/blog/2008/06/more-comments-on-database-security.html" />
        <link rel="replies" type="text/html" href="http://infocentric.typepad.com/blog/2008/06/more-comments-on-database-security.html" thr:count="0" />
        <id>tag:typepad.com,2003:post-50745566</id>
        <published>2008-06-02T19:51:58-07:00</published>
        <updated>2008-06-02T19:51:58-07:00</updated>
        <summary>Request For Procedure documents I have reviewed for database security, Assessment forms a full 60% of the overall requirements.  The majority of the requirements.  My sampling size is about 40 such documents, so I believe this is a large enough number to be meaningful.  DAM, encryption, audit and the other items are in the remaining 40%.  More still, Monitoring provides critical value on a select number of critical servers, but assessment provides value across all of the databases in an organization.  </summary>
        <author>
            <name>Adrian Lane</name>
        </author>
        <category scheme="http://www.sixapart.com/ns/types#category" term="Database Security" />
        
        


    </entry>
    <entry>
        <title>Database Security Market. </title>
        <link rel="alternate" type="text/html" href="http://infocentric.typepad.com/blog/2008/05/database-security-market.html" />
        <link rel="replies" type="text/html" href="http://infocentric.typepad.com/blog/2008/05/database-security-market.html" thr:count="0" />
        <id>tag:typepad.com,2003:post-50464192</id>
        <published>2008-05-27T09:03:53-07:00</published>
        <updated>2008-05-27T09:03:53-07:00</updated>
        <summary>Lately a couple of things have happened.  First, a lot of research has illuminated a couple of indicators within the database security industry.  Second, I have discovered some hard evidence to support a couple of quiet predictions that I have had for a while.  Finally, I find myself unburdened of several responsibilities so I can talk more freely about all of the above.  This has all led me to a new series of posts on this blog that I will be making on the database security industry at large.  In this post, acquisitions and market sizing.</summary>
        <author>
            <name>Adrian Lane</name>
        </author>
        <category scheme="http://www.sixapart.com/ns/types#category" term="Database Security" />
        
        


    </entry>
 
</feed>
