Ok, not really, but it's kind of a catchy headline, right? For anyone that caught the RSA Conference (either live or in archive), then you probably picked up on the theme that I've been riding for a few months now: this industry is stagnated and dying. In their keynote, IBM even went so far as to say that the industry has no future. While I think that this is a gross mischaracterization of the situation, it is an interesting stance for a product company to take. RSA Pres Art C said similar things during his keynote, too, but then proceeded to talk about how RSA products would be the solution to the problem (what was the problem again?). Anyway... this week has seen a full surge in this death knell for the industry, though now in the form of dismantling it, piece by piece.
Going from back to front, I want to start with Rich Mogull's post declaring that "Data Classification Is Dead." As you read through this brief post, a couple things should jump out at you. First, he still keeps the core of classification, in the guise of needing to still "prioritize and identify information." Somehow he doesn't see this as classification, mainly because he has an issue with how labeling is (or is not) currently done.
Now, I can honestly say that I find classification one of those necessary evils. It's just really annoying. You need to know the importance of data, prioritizing it accordingly, but at the same time, it's a really sucky job. As for labeling, well, I have to agree with Rich in that it's never been particularly useful or feasible.
Where he really wants to see things go is toward self-describing data. In reality, data is (to humans) self-describing. If you see a credit card number, you think "that's sensitive data that should be treated carefully" whereas if you look at all the addresses and phone numbers in the phone book, you naturally think "this is public information requiring very little protection." How do we get to that point? Well, the theme of the RSA Conference was "Turing Lives" - so perhaps we just need smarter computers. DLP seems to be part of this solution, too, but I digress.
Bottom line: data still needs to be identified and classified (it's that "priority" step that Mogull mentioned). Without doing this, we have to assume that all data is critical, and that's just not particularly useful. Or, it could be useful, but it would be very expensive.
Moving right along... the other piecemeal desecration of the industry came at the hands of Thomas Ptacek's post "Defense in Depth, Reconsidered: Is Information Security Anything Like War?" He makes some very interesting points as he tries to eliminate the concept of "defense in depth." I think he's half right to do so. Defense in depth is a very difficult concept to understand and implement today, and so it's very easy to dismiss. If you consider that defense in depth used to be conceptualized as firewall + IDS + OS hardening, then you quickly realize that it should (mostly) go the way of the dinosaurs.
There is, however, still hope for defense in depth. What we really should be talking about when we define this principle is applying a suite, or portfolio, of security solutions to ever security problem. It means combining access controls with system security best practices and secure coding practices and good logging and monitoring capabilities, all backed by effective testing/evaluation and incident response capabilities. This isn't your traditional defense in depth, and it's a lot more expensive and complicated. It also, however, represents the direction that the industry needs to go.
In fact, allow me to be so bold as to assert that our current stagnation is based on the fallacies of compliance and governance that ignore a broad-based, holistic approach to security. We're so focused on plugging holes, that we're failing to address the security of the entire system (in this case, system meaning the enterprise as a whole). Instead of focusing on securing individual resources (apps, hosts, etc.) we need to be moving up to a much higher level of abstraction, with an eye toward finding ways to to reduce and mitigate threats and vulnerabilities on the whole. Drilling down to specifics should only occur as directed by our comprehensive risk management approach.
So, in the end, I disagree with both of these learned bloggers in their assertions. Data still needs to be classified, even if labeling doesn't work right. Some day I hope that we'll reach the point of self-describing data, but until then, maybe we just need a microformat that includes a standardized data description ("classification"). I also disagree with the assertion that defense in depth is dead. It's definitely different, and requires a different scope and perspective, but it is anything but dead. We cannot afford to rely on any single defensive measure these days.