recommended reading

The Future of Data Security

Pavel Ignatov/Shutterstock.com

Imagine a library. Every night, the library locks its doors. But one night, a burglar manages to get in. All the books and manuscripts are gone, right? Not in this library. You see, in this library, most of the books themselves are locked down, and the ones the robber does manage to carry with him turn out to be outdated travel guides and self-help books from 1974.

Admittedly, this would be a strange way of running a library. But for businesses looking to protect their vital data assets, something like it could become the future. The concept is called “data-object security,” and it relies on a principle most people are reluctant to admit: All systems are inherently insecure.

The idea is actually as liberating as it is worrisome. Today, systems such as e-mail are generally protected by a single password that, if broken, allows an intruder to run as far as he wants inside your in-box. Networks and servers are similarly vulnerable; they’re little more than a lockbox for your data. But if you assume that the lock will eventually get broken, that frees your attention to focus on what happens next.

This is where data object security comes in. It’s a setup that doesn’t just protect data at a system level; it also protects the individual bits and bytes of data inside the system. What if every file, or even every cell in a spreadsheet, came along with a set of rules governing what different people would see when they opened it up? The rules might say, Bob from accounting can see one part of this file -- just the part he needs to do his work effectively -- while John, an outside federal regulator, might be able to see a little more, and Steve, at the executive level can open up that same file and see everything Bob and John saw, and more.

Here’s another way to look at it. If data security means defending the library that holds your information, data-object security is about defending what goes into the library itself. The two ideas are radically different, and according to Josh Sullivan, a vice president for data analytics at Booz Allen Hamilton, as more businesses come around to the latter, a common ideal promoting good data stewardship will emerge.

“It's a whole new way of thinking,” Sullivan told me. Take it far enough, and you wind up in a future where access to data is democratized. Right now, businesses jealously guard their information because once a file has been opened, all of its contents are visible to the reader and to whomever he or she sends it to. By contrast, data becomes more useful to more people when access is limited to only what they need.

With data-object security, firms and agencies will be able to track their information with more accuracy, too. For every piece of their data that gets called up by, say, an academic, businesses (not to mention all the academic's peers) will know where that data had previously been and where it is allowed to go next. In dataspeak, Sullivan told me, to understand the trajectory of a piece of data is to trace its lineage.

Rules about data can also be set up according to pedigree -- a measure of who is accessing the information (think tanks? high-school clubs? hobbyists?) and how useful they’ll find it (can you make accurate financial predictions with it, or is it only good enough to get a general idea of the market?). Remember that what makes this concept so powerful is that all of these attributes can be applied to the same file.

Data democratization requires businesses and governments to be a little more comfortable sharing -- and that raises privacy concerns. No commercial standard currently exists for ensuring data privacy, and in its absence, many are turning to a totally different field for answers: medicine.

“In HIPAA, we’ve got a process,” said Jules Polonetsky, a former chief privacy officer at AOL, referring to the federal law that determines who can view and share patients' medical records. “It’s been laid out, and it may or may not be perfect, but it says you must follow these rules and de-identify health data.”

Taking the same principles that govern anonymized medical information and applying them to commercial or administrative data may not need a law, Polonetsky told me. It might be that some common understanding could evolve among companies themselves. But using HIPAA as a model at least provides a baseline for comparison so that businesses know just how rigorous their data policies are.

Privacy advocates and proponents of data are often at odds with one another. One side generally views the explosive growth of data as a creepy development ripe for abuse, and the other often looks at data in almost utopian terms. Yet it’s possible that the new advances in security may create an opportunity to bring the two closer together.

“Data-object security gives you finer-grain security, but it also encapsulates the rules of, ‘How can I share this data, and with whom, and how long do I keep it?’ and you start to embed the stewardship of the data as descriptors on the data itself,” Sullivan said. “That’s the key to enabling data democratization -- where the right person can get the right data when they need it.”

(Image via Pavel Ignatov/Shutterstock.com)

Threatwatch Alert

Thousands of cyber attacks occur each day

See the latest threats

JOIN THE DISCUSSION

Close [ x ] More from Nextgov
 
 

Thank you for subscribing to newsletters from Nextgov.com.
We think these reports might interest you:

  • It’s Time for the Federal Government to Embrace Wireless and Mobility

    The United States has turned a corner on the adoption of mobile phones, tablets and other smart devices, outpacing traditional desktop and laptop sales by a wide margin. This issue brief discusses the state of wireless and mobility in federal government and outlines why now is the time to embrace these technologies in government.

    Download
  • Featured Content from RSA Conference: Dissed by NIST

    Learn more about the latest draft of the U.S. National Institute of Standards and Technology guidance document on authentication and lifecycle management.

    Download
  • A New Security Architecture for Federal Networks

    Federal government networks are under constant attack, and the number of those attacks is increasing. This issue brief discusses today's threats and a new model for the future.

    Download
  • Going Agile:Revolutionizing Federal Digital Services Delivery

    Here’s one indication that times have changed: Harriet Tubman is going to be the next face of the twenty dollar bill. Another sign of change? The way in which the federal government arrived at that decision.

    Download
  • Software-Defined Networking

    So many demands are being placed on federal information technology networks, which must handle vast amounts of data, accommodate voice and video, and cope with a multitude of highly connected devices while keeping government information secure from cyber threats. This issue brief discusses the state of SDN in the federal government and the path forward.

    Download
  • The New IP: Moving Government Agencies Toward the Network of The Future

    Federal IT managers are looking to modernize legacy network infrastructures that are taxed by growing demands from mobile devices, video, vast amounts of data, and more. This issue brief discusses the federal government network landscape, as well as market, financial force drivers for network modernization.

    Download

When you download a report, your information may be shared with the underwriters of that document.