Continuing the review of Enterprise Security: A Data Centric Approach to Securing the Enterprise by Aaron Woody. Having covered some history and the motivation for an alternative approach, the book moves in Chapter 2 to describing the data centric approach itself.
It starts by looking at why network boundaries need to be revisited, as a result of BYOD, closer integration with business partners, collapsed or simplified software stacks and so on. It then defines the data centric view in more detail and explains how to go about building a trust model to identify what needs to be secured. A trust model looks at the different dimensions that can affect data:
- Data: what are we actually protecting? Is it your commercial crown jewels, such as a customer list? This means classifying the data to understand its characteristics, where it is located, and so on.
- Processes: what can be done to the data.
- Applications: the systems that interact with the data.
- Users: distinct from roles; their relationship to the data, e.g. employees, contractors, third parties.
- Roles: the roles people have to perform, e.g. system administrators, data stewards.
- Risk: since nothing can be guaranteed, what are the consequences of a breach?
- Policy and standards: legal and regulatory requirements such as HIPAA, PCI DSS and the DPA, plus internal corporate policies.
With this guidance to help gather the information, you can start to build a profile of your data and the need (or not) for security, along with the challenges and risks that must be addressed to achieve this within an organisation. All of this has to take account of data 'at rest' (in databases, flat files and so on) and data 'in motion', i.e. transfers over email, HTTP, FTP, SQLNet and the like.
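To make the trust model concrete, here is an added example (my own illustration, not code from the book or its author) of what a machine-readable data profile along the dimensions above can look like, and a check that flags where the profile violates policy. The classification levels, the channel list and which channels count as protected, the sample assets and the policy are all assumptions constructed for the example.

```python
from dataclasses import dataclass, field

# Classification levels, least to most sensitive (labels are an assumption,
# not taken from the book).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

# Transfer channels the review mentions plus encrypted alternatives, mapped to
# whether each protects data in motion (assumption for the example).
CHANNELS = {
    "email": False, "http": False, "ftp": False, "sqlnet": False,
    "smime-email": True, "https": True, "sftp": True, "sqlnet-tls": True,
}


@dataclass
class Asset:
    """One entry in the data profile: what it is, where it sits at rest,
    how it moves, and what each role can actually do with it."""
    name: str
    classification: str
    at_rest: dict[str, bool]             # location -> encrypted at rest?
    in_motion: list[str]                 # channels it is transferred over
    role_processes: dict[str, set[str]]  # role -> processes it can perform


@dataclass
class Policy:
    """Internal policy derived from legal and standards requirements."""
    encrypt_from: str = "confidential"   # level at or above which encryption is required
    allowed_processes: dict[str, set[str]] = field(default_factory=dict)


def evaluate(asset: Asset, policy: Policy) -> list[tuple[str, str, str]]:
    """Return (asset, dimension, detail) findings where the profile violates policy."""
    findings = []
    needs_crypto = LEVELS[asset.classification] >= LEVELS[policy.encrypt_from]

    # Data at rest: sensitive data must be encrypted wherever it is stored.
    for location, encrypted in asset.at_rest.items():
        if needs_crypto and not encrypted:
            findings.append((asset.name, "at-rest",
                             f"{location} stores {asset.classification} data unencrypted"))

    # Data in motion: sensitive data must not travel over plaintext channels,
    # and a channel nobody has classified is itself a finding.
    for channel in asset.in_motion:
        if channel not in CHANNELS:
            findings.append((asset.name, "in-motion",
                             f"unknown channel {channel!r}; classify it before use"))
        elif needs_crypto and not CHANNELS[channel]:
            findings.append((asset.name, "in-motion",
                             f"{channel} carries {asset.classification} data in plaintext"))

    # Roles and processes: what a role can do must not exceed what policy allows.
    for role, procs in asset.role_processes.items():
        allowed = policy.allowed_processes.get(role, set())
        for proc in sorted(procs - allowed):
            findings.append((asset.name, "role",
                             f"{role} can {proc}; policy allows {sorted(allowed) or 'nothing'}"))
    return findings


def sample_model() -> tuple[list[Asset], Policy]:
    """Constructed inventory: a customer list (crown jewels) and a public price list."""
    policy = Policy(allowed_processes={
        "sales": {"read"}, "contractor": {"read"}, "dba": {"read", "backup"},
    })
    assets = [
        Asset("customer-list", "restricted",
              at_rest={"crm-db": True, "nightly-export.csv": False},
              in_motion=["https", "ftp"],
              role_processes={"sales": {"read"},
                              "contractor": {"read", "export"},
                              "dba": {"read", "backup"}}),
        Asset("price-list", "public",
              at_rest={"web-share": False},
              in_motion=["http", "email"],
              role_processes={"sales": {"read"}}),
    ]
    return assets, policy


def run_sample() -> list[tuple[str, str, str]]:
    assets, policy = sample_model()
    return [f for a in assets for f in evaluate(a, policy)]


if __name__ == "__main__":
    for name, dim, detail in run_sample():
        print(f"[{dim}] {name}: {detail}")
```

Run against the constructed inventory this reports three findings, all on the customer list: the unencrypted nightly export at rest, the FTP transfer in motion, and a contractor role able to export when policy only permits reading. The public price list on HTTP and plain email produces nothing, which is the point of classifying first: controls follow the data's sensitivity rather than being applied uniformly at a network boundary.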
The book then moves on to architectures that can reflect the considerations and needs of your data.
In terms of the writing, the chapter is direct and to the point, which is great as long as you have some basic appreciation of security needs. It would have been good to enrich the information with some examples (although the Appendix does illustrate things a bit further). Ideally a use case would run through the whole book, perhaps applying some of the ideas to a fictitious scenario at the end of each chapter.
- Web site for the book: http://www.datacentricsec.com/
- Packt page for the book: http://bit.ly/126S7Ys
- Aaron's Twitter handle: @shai_saint