It used to be that network infrastructure was one of an organization’s most valuable assets, and security was geared toward protecting that infrastructure. But costs are falling, and the network has become a commodity.
Meanwhile, the volume and value of information stored electronically are growing rapidly. For this reason, Dan Geer advocates a paradigm shift in information security, which he calls the Enterprise Information Protection Paradigm.
We suggest that this paradigm be called enterprise information protection (EIP). We say “enterprise,” in that, for most firms, data is literally who they are; “information,” …because this data has future value; and “protection” because protecting value is the first responsibility of boards and officers.
In practical terms, EIP means focusing our security efforts at the point of use—every point of use—“where data-at-rest becomes data-in-motion.” It means insisting on secure operating systems, applications, and procedures. And it means monitoring the use of information:
[EIP] is, to the firm, what a conscience is to an individual—that second brain that watches the first with the power to detect bad choices and to act on what it sees. We do not expect perfection in applying EIP any more than we expect perfection of the conscience, but … the goal is worth it.
Focusing security resources at the point of use is not a new concept—Bruce Schneier has advocated that as a technical security tactic for years. And it’s certainly not new to say information is an organization’s most valuable asset and that responsibility for information security goes all the way up to senior management. What I find compelling about this article is that it does a decent job of packaging these concepts together into a single, coherent paradigm.
Dan’s article is a bit long, and you have to slog through clichés like applying the theory of evolution to information security (do they have editors anymore?), but it’s worth a look.