The enterprise security perimeter is quickly dissolving. Everything from company financials and source-code e-mails to unstructured documents and other forms of knowledge are circling outside the enterprise firewall on non-IT-controlled devices.
Not surprisingly, nearly half (47%) of European and North American enterprises have stated that imposing security requirements on third parties is a high or critical priority.
Conversations with enterprises in the manufacturing, media, and seasonal services markets uncovered some unconventional wisdom: control does not require ownership.
Moreover, successfully controlling the spread of sensitive information requires inverting conventional wisdom entirely, by planning as if the enterprises owned no devices at all.
Forrester calls this concept the "zero-trust model of information security", centered on the idea that security must become ubiquitous throughout your infrastructure. Simply put: treat all endpoints as hostile.
Forrester has developed a new network architecture that builds security into the DNA of your network, using a mixture of five data-security design patterns - thin client, thin device, protected process, protected data, and eye-in-the-sky.
None of these patterns assumes that the enterprise owns the endpoint devices. By blowing up the age-old conflation of ownership and control, enterprises will be able to build data protection programs that encompass all possible ownership scenarios, including Tech Populism, offshoring, and outsourcing.
Thin client: process centrally, present locally
Thin client is the old war-horse of the zero trust strategy, encompassing a variety of technologies including OS streaming, hosted desktop virtualisation, and workplace virtualisation.
Implemented in a security context, sensitive data stays centralised in hardened bunkers, with remote devices allowed views of it via thin-client terminal applications. Because network access is required, thin client doesn't support offline use.
The advantage of thin client is that data never leaves the server - it is only rendered on the endpoint. For additional security, IT can restrict host copy-and-paste operations, limit data transfers, and require strong or two-factor authentication using SecurID or other tokens.
Thin device: replicated data, with device-kill for insurance
The thin device pattern constrains access by limiting the type of device used to access the data. Point-purpose devices like smartphones, for example, can keep only limited amounts of sensitive information on them. The information they keep is replicated, with master copies stored in datacenters. Because of their size, storage capacity, and comparatively modest processing power, applications are limited to e-mail, light web-surfing, and simple web applications, rather than general data processing.
With the thin device pattern, firms can still control the security of devices, even when they don't own them. Using native management tools or third-party mobile device platforms like Sybase, smartphone security policies that can typically be imposed include backup and enforced encryption.
For insurance, thin devices can be remotely wiped - making them truly "disposable," unlike PCs. However, IT security may find it technically or politically infeasible to impose IT security policies on non-company-owned devices.
Protected process: local information processing in a secure "bubble"
Unlike the thin client pattern, which keeps sensitive data off of client devices entirely, the protected process pattern allows data to be processed locally on non-IT-owned machines. Sensitive information sits inside a compartmentalised processing environment that is separated from the user's local operating system environment - essentially a "bubble" - whose security and backup properties are controlled by IT.
The protected process pattern has many advantages: local execution, offline operation, central management, and a high degree of granular security control, including remote wipe.
But keep in mind that most operating system and application virtualisation solutions are Intel-only or Windows-only.
Protected data: documents protect themselves regardless of location
Whereas all of the previous patterns seek to control the operating environments that process information, the protected data pattern protects the data itself. Technologies like enterprise rights management enshrine access rules into documents directly. These rules, which rely on cryptography to enforce, apply no matter where the document rests - a key advantage. Of all the patterns in the Zero Trust data security strategy, protected data is the most fine-grained and effective because it focuses on the information, not its containers.
One of the disadvantages to this pattern is that enterprise rights management requires client-side agents on every participating endpoint. The technology can also be challenging to deploy. Organisations tell Forrester that enterprise rights management business unit users sometimes create policies that are "too tight", and that policies do not adapt well to organisational changes.
Eye-in-the-sky: know when important information leaves
The fifth zero trust data security design pattern is a supplementary data control technique for detecting, logging, and optionally blocking sensitive data that leaves the physical or logical enterprise perimeter. Data leak prevention (DLP) technology, and to a lesser extent, security information and event management (SIM) tools, forms the backbone of this pattern.
The primary advantage of the eye-in-the-sky pattern is that it can detect sensitive data as it moves outside the logical security boundaries, making it ideal for understanding the velocity and direction of information flow and for detecting anomalous transmissions. Unfortunately, most enterprises won't be able to require their business partners to install DLP agents on their computers. For this reason, enterprises should regard the eye-in-the-sky pattern as one that supplements other protection capabilities for outside PCs.
Andrew Jaquith is a senior analyst at Forrester Research, where he serves security and risk professionals. Andrew blogs at: http://blogs.forrester.com/andrew_jaquith.
Previous Forrester Articles:
This was first published in September 2010