Wednesday, January 16, 2008

Novell does data security

Sort of.

Novell announced yesterday the availability of ZENworks Endpoint Security Management with expanded encryption functionality. All this means is that they can now do encryption of folders and devices (USB storage devices, DVDs). It doesn't get very granular and it's not data-centric.

From looking around at their product info, it looks to be just a bunch of "on/off" switches. e.g. you can use this USB device, but not this one. Or if you put something on this USB device or in this location, it must be encrypted. That doesn't give a lot of context...and we know that with security, context is everything (almost). And getting the policies right and linked to context is an art form in itself. This is darned near impossible without granularity.

What happens when I just want to put an innocuous picture on my USB device? If it's disabled by Novell, I can't do it. Or if I can, it's probably encrypted...which means it's not very useful to me if I take it off-site. I know, there's probably some sort of password protection capability which lets me unlock the file and decrypt it. But that's exactly my point. If the data is not sensitive, I don't want to have to go through the hassle.

Their solution is not granular enough to be useful. It'll get killed in the device control market because they'll lose the feature/function battle. It also won't register in the data security market until they get a heck of a lot more granular and let people write policies that can be data-centric. Oh, and don't get me started on other potential leakage points. What are you actually trying to do by encrypting data? You're trying to secure it in case it ever gets out, right? What happens if I email it? Game over as far as Novell is concerned...incidentally, it's also game over if you just focus your data security initiatives on device control. You're "sticking a finger in the dam" and hoping it doesn't leak somewhere else.

Novell do have one thing right though. They know that they need to help organisations control the endpoint. They will also no doubt tie this all back into their Identity and Access solutions (if not yet, then soon). I'm sure their professional services people are developing such an offering as we speak. A data security solution that is tied into identity is very appealing and ticks so many boxes (especially those regulatory and compliance ones) it's an easy sell. Implementing something that will work as specified is a heck of a lot more difficult though. First you have to get an adequate set of products together, and Novell can't provide that all by themselves.

There's a missing link in this space at the moment. Mainly because no one's worked out this whole data security thing yet. There's not even a commonly used term (we can't figure out if it's data security, data leakage prevention, information leakage protection/prevention or something else). The term is not important. What we're REALLY talking about is information security. Analysts and marketing people just want to be able to break this stuff up so they can sell more things (products, services, whitepapers, consulting etc.). What we eventually want to get to is an identity-driven data security infrastructure that knows what people are doing and can control the movement of all information in a corporate environment, whether structured (e.g. databases and applications) or unstructured (file systems, other storage media), and is all tied into context-sensitive security policies. When you simplify it, access controls are really just about limiting or allowing access to information/data based on what you are allowed to do to it. The ability to audit and report on everything is just to keep auditors happy and for the odd incident here and there where forensic analysis may be required. That's it. It's not a complicated concept.

No, there isn't an integrated solution that does this yet. For now, you have to buy the pieces and try to plug them all together. Novell's made little baby steps, but it'll only look good on the marketing slides...for now.
