Security Watch | Matt Hines » Exploring the data security quandary

March 04, 2008

Exploring the data security quandary

Anyone who spends any amount of time around the IT security industry is bound to come across Dan Geer, either in person or by reputation.

He's one of those guys that you soon begin to recognize, always dressed casually and sporting his trademark sideburns, and full of some of the best and most well-informed questions you'll ever hear anyone ask on the trade show circuit. He's someone who doesn't hesitate to ask those frequently tough questions of his peers in front of a live audience -- a techy's techy, if you would.

Geer may be best known for his much-discussed departure from @stake, the company he helped build, after co-authoring a 2003 report that critiqued the state of IT security in light of the "monoculture" around the Windows OS -- a report that, it is worth noting in retrospect, turned out to be accurate in many of its predictions.

But now he's firmly entrenched in the DLP business, serving as VP and chief scientist at Verdasys, one of the more highly regarded vendors in the space and one of the few big names left independent after 2007's industry consolidation, in which larger players including Symantec, RSA and Trend Micro snapped up its closest rivals.

To that end, Geer's latest effort is a new book titled "The Economics & Strategies of Data Security," which explores the increasingly difficult task of keeping corporate data under control, or at the very least out of the wrong hands. As usual, for every question he attempts to answer in the book (and admittedly I've only read pieces of it), he is also ready to cast doubt on simple answers and pose further questions about the very nature of the topic at hand.

The thing is, Geer might work for a DLP vendor, but it's clear in his book and in one-on-one interviews that he regards data security itself as a fluid and unsolved problem.

Like other smart industry watchers, he points out that information has become the most valuable tool of business, and that efforts to limit access to it, or to set hard boundaries around its distribution, can in many cases be more counterproductive than helpful.

And while companies like Verdasys have built sophisticated technologies that work impressively at establishing some controls against inappropriate data use, he clearly accepts that no one will ever be able to manage the flow of electronic information completely.

"It's like the common cold. You'd think by now, if this was a solvable problem, that we would have it taken care of, but it's still fresh every day," he said in a recent interview. "What's true yesterday isn't true today, and it's hard to tell those people trying to hurt you from those who aren't."

"In business we can't expect people to limit access, maybe to something like the formula for Coke, or maybe in areas of finance such as pre-IPO where there are built-in incentives not to distribute certain information," said Geer. "But the inherent nature of data is such that we will always want to share it with others."

DLP will only work as well as its designers engineer its controls: the controls must help people protect sensitive data without getting in the way of legitimate business, and users must be able to override them when necessary, he said.

"Any rules you create must be designed so that they can be modified quickly," Geer said. "In a world where attacks propagate quickly our ability to react is best modeled on the human immune system, with new countermeasures on demand, but in a way that doesn't get in the way of allowing other related systems to work."

None of this means that Geer thinks DLP doesn't work. He is simply realistic about it: for information to be protected, we must be willing to give up some freedom in how it is distributed.

In his book, Geer explores all sorts of technologies and scenarios for how data can be exposed and how it may be defended. Far from saying that the data security problem is hopeless, he maintains that we as a society must be willing to let as much information as possible flow freely, while singling out the specific types of data that need to be placed under very tight, and sometimes limiting, controls.

In offering a summation that he concedes is neither "pleasant nor fashionable" in many ways, Geer again appears to be banking on his pragmatist sensibilities as both an academic and a practitioner.

"We are kidding ourselves if we think that the attractive benefits of the digital lifestyle, whether for persons or companies, don't come with a price in the form of data control," he writes in the final pages. "As bits replace atoms as the chief constituent of modern life, what those bits represent, data, becomes what we have, what we have to control, and how it is that we achieve that control."

Like any good scientist, Geer continues to pose as many questions as he attempts to answer. He will be speaking on data security next week here in Boston at the Source Boston 2008 conference.

See you there.

Posted by Matt Hines on March 4, 2008 12:29 PM
