Las Vegas - Turning responsibility for corporate information security over to end-users seems akin to the inmates running the asylum.
But Tom Scholtz and his colleagues at Gartner are exploring the notion that the people using IT systems and corporate data are perhaps the best ones to guard them.
He calls it People Centric Security (PCS), and, yes, the notion raises a lot of eyebrows in information security circles. Gartner is exploring the possibilities of PCS as part of its Maverick idea incubator, and Scholtz presented the work this week at the annual Gartner Identity and Access Management conference.
The thinking goes like this: empower users with responsibility for systems and data important to their work, sprinkle in consequences for breaching that responsibility and users will do the right things to secure their environment.
"The current approach in developing policies and controls doesn't scale to current realities," Scholtz said. That reality is the convergence of social, mobile, cloud and big data and the changes it brings to enterprise computing. These forces are eroding corporate boundaries and controls in many areas long thought to be state-of-the-art defenses.
"In this brave new world, what we do as security people is viewed as negative. We are the people who slow things down," he said. Scholtz, however, is not advocating losing all controls and policies, only loosening them.
He says taking away controls on data and replacing them with new user-based responsibilities, principles and rights may just improve end-user focus and produce a more managed and secure environment.
The PCS goal is to implement a "trust space."
Concepts surrounding "mutual trust" are not new; they have been used in traffic planning, Europe's Schengen Agreement, open source and even cloud computing, where companies trust that large providers will protect their data as part and parcel of protecting their own valuable brands.
Such an environment "makes it easier to monitor for exceptions, the good people are not trying to circumvent the controls," says Scholtz.
Scholtz argues current information security policies and tools grind on productivity. He says the relationship between IT, the business, and workers has transformed and necessitates change in regard to information security.
"One of the realities in the current approach to information security is we treat the 95% of people that want to do the right thing, we treat them like the bad people in order to protect against the bad things done by the 5% of people who have bad intentions," said Scholtz. "We treat them like children, and if you treat people like children, they will act like children."
Scholtz knows PCS is not for everyone and that implementation faces cultural and educational challenges.
"Maybe we could develop a situation where we have a set of underlying principles that underpin how people use data and how they access systems, and we link those with specific individual responsibilities," said Scholtz. "Maybe we get a more collaborative and social environment."
There are specific requirements if PCS is to prosper -- the process has to be top down, and there have to be effective punishments for those who abuse their rights.
Scholtz admits his concepts are in the embryonic stage, but that they will evolve in the coming months as he works with select enterprises. He noted that a European bank and a U.S.-based agricultural business are already adopting PCS concepts.
By 2014, Gartner predicts 25% of large enterprises will have dedicated information security staff and budget to implement social, cultural and behavioral change.
"We cannot forget about the bad guys outside our enterprise; we do not get rid of all our defenses," he said.
How crazy do you think the PCS concept is? Can it work? Why might it fail?