Information Security Management: A Wake-Up Call!

A great article by Thomas Kendra (Symantec), posted in the Financial Times, Digital Business, Personal View (Dec. 5, 2007), urges the adoption of a “fresh approach” to information security management given the new challenges posed by our modern organizational structures. These now involve increasing interorganizational processes, insider threats and ubiquitous computing infrastructures. Obviously, this is “music to my ears” given my research interests in Enterprise DRM and Digital Policy Management (DPM).
Basically, the whole point is how to go beyond current security approaches, which are now insufficient and consequently fail in the face of these new challenges. In other words, how do we address the current weakest link of information security, which basically boils down to People and Mobility? And as we all know, security is only as good as its weakest link.

So, despite the “YouNameIt++ frenzy” (the trend of assigning and incrementing version numbers to reflect the next generation of challenges in a topic, e.g., Web 2.0, Web 3, Identity 2.0, etc.), he calls for “Security 2.0”, which he says builds on traditional security (Security 1.0) by adding protection at the level of the information itself and of the interactions.

Interestingly, Enterprise DRM is currently one of the technologies used in the corporate environment to address some of these issues: it tries to persistently protect and manage content no matter where it resides (i.e., including outside traditional corporate perimeters). This brings the granularity of the protection down to the individual information item by cryptographically associating governing rules with the content. Moreover, given the criticality of the managed content, it is also possible to adapt those rules dynamically in real time, which makes it possible to effectively “recall” content if needed.
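To make the mechanism concrete, here is a small added example (my own illustration, not code from the article or from any Enterprise DRM product) of the two ideas above: the governing policy is bound to the ciphertext by a MAC so it cannot be edited or swapped without detection, and every open requires a key release from a hypothetical `PolicyServer`, so revoking the stored policy recalls the content immediately. The keystream is a toy HMAC-counter construction so the code runs on the standard library alone; a real product would use an AEAD cipher.

```python
import hashlib
import hmac
import json
import os

def _keystream(key: bytes, n: int) -> bytes:
    # Toy keystream (HMAC-SHA256 in counter mode) so the example runs on the
    # standard library alone; a real product would use an AEAD such as AES-GCM.
    blocks = (hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def _tag(key: bytes, policy: dict, ct: bytes) -> str:
    # One MAC over policy and ciphertext: the rules travel with the content
    # and cannot be edited or swapped without detection.
    policy_json = json.dumps(policy, sort_keys=True).encode()
    return hmac.new(key, policy_json + ct, hashlib.sha256).hexdigest()

def seal(cid: str, content: bytes, policy: dict, key: bytes) -> dict:
    """Package content with its governing policy cryptographically attached."""
    ct = bytes(a ^ b for a, b in zip(content, _keystream(key, len(content))))
    return {"cid": cid, "policy": policy, "ct": ct.hex(), "tag": _tag(key, policy, ct)}

class PolicyServer:
    """Holds content keys; releases one only while the live policy allows, so
    revoking the stored policy takes effect at once (the content is recalled)."""
    def __init__(self):
        self._keys, self._policies = {}, {}

    def register(self, cid: str, policy: dict) -> bytes:
        self._keys[cid], self._policies[cid] = os.urandom(32), dict(policy)
        return self._keys[cid]

    def revoke(self, cid: str) -> None:
        self._policies[cid]["revoked"] = True

    def request_key(self, cid: str, user: str, now: int):
        p = self._policies[cid]
        if p.get("revoked") or now > p["expires"] or user not in p["readers"]:
            return None
        return self._keys[cid]

def open_sealed(pkg: dict, user: str, now: int, server: PolicyServer):
    """Obtain the key from the server, verify the bound policy, then decrypt."""
    key = server.request_key(pkg["cid"], user, now)
    if key is None:
        return None  # policy denies this user, or the content was recalled
    ct = bytes.fromhex(pkg["ct"])
    if not hmac.compare_digest(_tag(key, pkg["policy"], ct), pkg["tag"]):
        return None  # policy or ciphertext was tampered with
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct))))
```

A reader who is not in the policy, a forged policy attached to the same ciphertext, an expired policy, and a revoked one all fail to open, while the legitimate reader succeeds until the recall.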

Our environment can no longer rely solely on perimeter-based security, Access Control, and secure communication channels. We’ve passed the point of no return and need to address information security in a way that accommodates current and future business practices.

Two problems arise here. First, interoperability and the lack of standards in the field of Enterprise DRM: we cannot rely on vendor-specific proprietary solutions. Second, most solutions deployed today address specific needs in siloed approaches (e.g., SOX, Basel II, HIPAA, IP protection, etc.). As a result, the field needs to take a step back and rethink the whole problem at a higher abstraction level, in terms of Policies and how they are managed, some of which may be electronically instrumented through technical means (e.g., Enterprise DRM). This is Digital Policy Management, an emerging and very important research area I’m working on. I have set up a page for this in order to generate and stimulate discussion on these issues here: The Digital Policy Management (DPM) Page. Everyone is welcome to join the conversation (practitioners and researchers) on all aspects of the problem (engineering, management, legal, social, ethical, behavioral, etc.).

Source: Financial Times, Dec. 5, 2007, “New threats call for a fresh approach”, Personal View by Tom Kendra.