I had a fun Twitter conversation this week that got a little bit heated, which is bound to happen when you mix security, identity, and mobile along with an American, a Canadian, and an Italian. Alessandro Festa, the Italian in this exchange, wrote a very interesting blog post in his series of "bring your own identity" posts. His post covered keeping information secure and how putting governance first can get in the way, and argued that classification is the easiest way out of this mess.
I disagreed with the central premise of Festa's post -- not because I don't think classification needs to be done, but because it needs to be done differently.
Data classification is important and should be happening at every company. It is a core part of information lifecycle management (ILM), although few companies practice ILM well. The problem with classification, and therefore with ILM, is that it is genuinely difficult to do in practice.
When most organizations decide to institute an ILM program, they spend the majority of their time coming up with the classifications of their data. To Festa's point, they start with governance. They set up various committees to look at their data and work up how to classify the data into categories. This can take anywhere from six months to two years, and by the time they finish, they may have more than a hundred buckets into which you can file your data.
Chances are the organization has already picked a tool to help it classify the data and maintain the buckets it painstakingly decided on. That's the easy part. It now has to spend time, money, and a lot of effort to train all its employees on how the categories should be applied to each piece of data. Next, it must train users on the tool. This can take as long as three years before any data actually gets put into any buckets -- a lifetime for most organizations, which have probably moved on to the next program at this point.
Remind me how this helps me to secure my data again? How does it keep me from exposing it to anyone who gains access after I store it in Dropbox or Box?
It doesn't, which is why I favor a much simpler approach: Start with two buckets of data. The first bucket is all corporate data, regardless of importance or whatever other classifications you can think up. The second bucket is all noncorporate data. It doesn't get much simpler than this.
Once you have your bucket of corporate data, figure out how to secure it. I recommend encrypting it all. If it's encrypted, it doesn't matter where a user moves it. If someone gets into a user's publicly shared folder, all that intruder will see is encrypted data, which is useless without the key. You build those keys into the apps or platforms your users work with (it helps if they are identity-based, too), so the users can access the data when and where they need to.
Paul Madsen, the grumpy Canadian in that Twitter debate, sided with Festa and further stated that if you had just two categories, you most certainly weren't doing mobile information management (MIM) but mobile application management (MAM). I countered that this two-bucket approach is still MIM -- security is centered around the data, and if policy were added to that data we would truly have MIM. Without getting into the details on MIM here, I believe this can be a very workable solution.
As Festa pointed out in his post, the beauty of starting out with two buckets is you don't need governance to get that far -- you can start right away.
But you don't stop once you've defined your two buckets. You then start to break that corporate data bucket down into smaller buckets. One might be regulated data. Another might be on-campus-only data. You can continue to add buckets, but your system is already in place and you have already secured your data. These new buckets let you refine the system and create better APIs to access that data.
The goal for all enterprises should be to free their data. You need to build APIs around your data sets. These APIs should account for all the buckets, taking into account identity and access management (IDAM) while serving as a programmatic way to get at the data. Developers and users write apps to the APIs, which is how they access the data. This preserves the security and policy around the data, which the APIs respect and help enforce.
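The two-bucket scheme from the preceding paragraphs, carried through to the finer buckets and the API layer, as an added example that is not code from the original post or from any product mentioned in it. It assumes a single platform-held AES-GCM key for the corporate bucket, and constructed attribute names ("on-campus", "role:compliance") for what IDAM asserts about a caller; the tag-to-attribute map generalizes the post's two refinements so that any later bucket is one more entry rather than a new code path.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)
// Record: coarse bucket (Corporate or not), finer buckets as tags, body encrypted when Corporate.
type Record struct {
	Corporate bool
	Tags      []string
	Nonce     [12]byte // standard GCM nonce size
	Body      []byte
}
type Identity map[string]bool // attributes IDAM asserts about the caller (names constructed here)
// tagNeeds maps each finer bucket to the attribute it requires; adding a bucket is one more entry.
var tagNeeds = map[string]string{"on-campus-only": "on-campus", "regulated": "role:compliance"}
type API struct{ aead cipher.AEAD } // holds the corporate data key platform-side, never in the app
func NewAPI(key []byte) (*API, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &API{aead: aead}, err
}
// Store files data into a bucket; corporate data is encrypted before it lands anywhere.
func (a *API) Store(plain []byte, corporate bool, tags []string) (Record, error) {
	if !corporate {
		return Record{Tags: tags, Body: plain}, nil
	}
	var nonce [12]byte
	if _, err := rand.Read(nonce[:]); err != nil {
		return Record{}, err
	}
	return Record{Corporate: true, Tags: tags, Nonce: nonce, Body: a.aead.Seal(nil, nonce[:], plain, nil)}, nil
}
// Fetch checks tag policy against the caller before the key is touched; a denied caller sees only ciphertext.
func (a *API) Fetch(rec Record, id Identity) ([]byte, error) {
	if !rec.Corporate {
		return rec.Body, nil
	}
	for _, t := range rec.Tags {
		if need, ok := tagNeeds[t]; ok && !id[need] {
			return nil, errors.New("policy: " + t + " data requires " + need)
		}
	}
	return a.aead.Open(nil, rec.Nonce[:], rec.Body, nil)
}
```

Because the tag check runs before decryption and the key never leaves the API, a copy of a corporate Record sitting in a public Dropbox folder is just ciphertext plus labels; the labels only matter to the API that holds the key.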
But most companies today try to crack the whole nut at once. There's an old parable: "How do you eat an elephant? One bite at a time." If companies spend too long trying to get everything perfect, it will be too late. Their employees will find a way around them, so they can use the data they need, when and where they need it, to get their job done.
The only way to enable your employees responsibly and move forward is to take one step at a time. You can always decide in the moment whether you want to walk or run. For securing your data, take that first step before all your employees walk off on their own.