The Enterprise Information Protection Paradigm

It used to be that network infrastructure was one of an organization’s most valuable assets and security was geared toward protecting the infrastructure; but costs are falling, and the network has become a commodity.

Meanwhile, the volume and value of information stored electronically are growing rapidly. For this reason, Dan Greer advocates a paradigm shift in information security, which he calls the Enterprise Information Protection Paradigm.

We suggest that this paradigm be called enterprise information protection (EIP). We say enterprise,” in that, for most firms, data is literally who they are; information,” …because this data has future value; and protection” because protecting value is the first responsibility of boards and officers.

In practical terms, EIP means focusing our security efforts at the point of use—every point of use—“where data-at-rest becomes data-in-motion.” It means insisting on secure operating systems, applications, and procedures. And it means monitoring the use of information:

[EIP] is, to the firm, what a conscience is to an individual—that second brain that watches the first with the power to detect bad choices and to act on what it sees. We do not expect perfection in applying EIP any more than we expect perfection of the conscience, but … the goal is worth it.

Focusing security resources at the point of use is not a new concept—Bruce Schneier has advocated that as a technical security tactic for years. And it’s certainly not new to say information is an organization’s most valuable asset and that responsibility for information security goes all the way up to senior management. What I find compelling about this article is that it does a decent job of packaging these concepts together into a single, coherent paradigm.

Dan’s article is a bit long, and you have to slog through clichés like applying the theory of Evolution to information security (do they have Editors anymore?), but it’s worth a look.

Up next Fun With Flowers When Low Tech Is the Best Tech
Latest posts Meta Work Some Thoughts on Report Usability Yachats Sunset BIML Banana ooo na na Super Love Scroll Lock Why We Encrypt UK government quietly rewrites hacking laws to give GCHQ immunity I’m Terrified Right Now You Do Not Need Permission The Reward For Good Work How a Microwave Should Work One in a Million is Next Tuesday What I Want From Tech Support Windows Batch Gotcha: Use REM Inside IF Blocks Great Advice From Larry Wall A Haiku Time Limits on Browser Plugins? Better Questions Lessons in Bug Hunting /time Shipped! Recipe: Tuna Salad Gun Control and Strong Encryption Day-of-Week Differences in MySQL and MS SQL Server Washingsoft UAnix Microsoft Orifice The Right Question Converting to Project Connection Across Multiple Packages in SSIS 2012 Generating a Range of Dates in MySQL