If the marketing hype is true, the world soon will be software defined. Hardware will become the lowest common denominator with no real relationship to the systems and applications (apps) it hosts other than offering processing cycles for the needed task. So, if this is indeed the case, why is the information security industry still trying to protect that hardware?
The enterprise has long put its trust in the assets where information resides. As these assets are becoming increasingly mobile, and thus more prone to wandering beyond the hallowed walls of the protected enterprise, investments in their protection are providing ever diminishing returns. The complexities of providing controls for these roaming assets and visibility into their whereabouts have made social engineering attacks easier and more lucrative. Why hack when you can get others to do the job for you? As the enterprise continues its decades-long shift from a centralized computing model to one where information is decentralized, and where assets are mobile, this problem will increase in scale.
An application-centric trust model alleviates these risks by removing the endpoint from the trust model. Authentication happens with the app, not the device. The enterprise trusts the apps; the apps protect the information; the users authenticate to the apps. The enterprise need no longer worry about what the endpoint is, because it is now just another piece of hardware hosting apps in a software-defined world.
An application-centric trust model has three key components:
- An application container, which accesses information, and which controls information that resides on the endpoint. This is the point where authentication, encryption, and data controls are applied. Access is mapped to the device, user, and location.
- Delivery of the applications from a public-facing application proxy. This layer controls delivery through an encrypted channel along with establishing approved access to the internal infrastructure.
- An application store or an alternate verified application repository for application provisioning and verification.
Technology exists today that allows for an application-centric trust model regardless of where an application is hosted and regardless of where the endpoint is located. By focusing on the way in which applications are accessed, an enterprise alters the way in which it secures information. The analyst brief “Protect Information, Not Devices” envisages an enterprise trust model without the shackles of hardware-centric information security.
It’s true that we can’t secure our information with a single app, yet it is within apps that security should reside. We must rethink the process by which we secure our information. Any conversation about information security should include apps, so that we can one day say “Information Security? There’s an app for that”.
Follow me on Twitter at @moralesATX to keep informed as new research is released.