IT security? You're doing it wrong!

Sometimes change is abrupt, sometimes it just sneaks up on you.

For quite some time I've been thinking about the impact of many different trends on the world of IT, as virtualisation and cloud combine with new devices and service-oriented application development to change the way we build and deliver applications. It's one of those megatrends that we can see pushing its way through the industry, leaving trails of service clouds in its wake. But while it's big and very very visible, it's not the biggest change facing IT departments across the world. That change is already here, and it’s one that's sneaked up on us, arriving from left field with little or no fanfare.

It all stems from that cloud trend, and from the other big elephant in the room – IT consumerisation. How do we manage devices we don't control, and in fact that we can’t control, in a world where information flows from device to device, from server to server, and between data centres and the cloud? It’s a complex world that is getting more and more complex every day, one where organisations are managing not just their hundreds and thousands of servers and desktops, but adding in tens of thousands of devices offering mobile computing and storage.

It’s a nightmare for traditional IT. Managing servers, desktops and applications just doesn't scale – and users don't take to IT departments applying the management techniques they've always used to their personal devices. Everything we know about it IT management has turned out to be wrong.

So how are things changing?

The answer turns out to be quite simple. Instead of managing applications and devices, with a metaphor-based on mediaeval fortifications, we start thinking about managing users and information.

That's a significant change, but one that makes a lot of sense when we look at the architectural changes that IT departments are already having to implement. Some of it is already starting to be put in place especially around information-centric security, which is an essential requirement for compliance with many aspects of the modern regulatory environment. If you're having to handle financial data or health data you're already starting to put in place information security that uses access controls to determine who can see what – and where they can use the data.

Tooling built into the current generation of operating systems and storage platforms makes it easy to start implementing information-centric security, while existing directory services mean you're not that far from implementing effective user-centric management. It's all just a matter of going that little bit further. Instead of using directory services to log users on, and to provision basic access rights on desktops, use them as the basis for rich access control lists on your servers, and in your applications. The rules don't need to be complex – just pragmatic.

By "pragmatic" I mean extensive use of rule-based whitelists. And by that I mean very simple access rules for files that indicate who has the rights to view, or to edit, or to copy. Rules are constructed to give explicit rights – there's no open access with blacklists for specific groups that leave holes big enough to drive a bus through. Instead it's all simple constructs of the form "USER 1 gets access to FILE 1 if member of GROUP A or of ROLE B" or at a higher level, "GROUP A can see DIRECTORY 2". It's the type of construct that makes it important to have appropriate tools for defining user groups and roles, and for both provisioning and deprovisioning users. But when done right it means less work for IT departments – as the user role assignment process can be automated as part of standard HR operations, with file rules coming from where they're stored, or what they contain. Rules can even be specifically assigned on a case-by-case basis, granting access to specific users for a specific file for a specific reason (and for a specific period of time).

The tooling is starting to arrive. BYOD deployments based on BlackBerry can use BlackBerry Balance to manage some of this, and Windows admins can take advantage of the tooling built into System Center 2012 to start the move to both information- and user-centric ways of working.

One aspect of the shift to both information- and user-centric management could appear somewhat ironic. As DRM disappears from entertainment content, it’s starting to appear in work data. If you're using Microsoft's Information Rights Management platform to control user access to data, you're using a DRM system. It’s a technology that gets more important when Windows Server 2012 arrives, as its Dynamic Access Control technology uses IRM to control access to automatically classified information – with user information in Active Directory managing the roles and groups of users used to control just who has access to that information.

With information protected at rest with strong cryptosystems, you don’t need to rely on firewalls and security appliances. User accounts contain the tools needed to decrypt information, and contextual models control how and when that information can be accessed. If you don't have rights, you can't decrypt and use the data. If you're accessing the network from a device that doesn't support user log-ons, you can't even see that there is data…

Simon Bisson