The term “trust” is too binary for the world of business and IT we are moving into.
Trust sounds black and white / all or nothing. Either I trust you or I don’t.
The reality is far more complex: a world of information security decisions based on shades of grey, not black and white. In the past we owned and controlled most of the IT infrastructure that supported our organization. We used this ownership and control as a proxy for “trust” – because I owned it, I trusted it. The same was true for user identities as well.
No longer. Consumerization and the shift to cloud-based computing change everything.
Trustability (or confidence, or assurance – pick your favorite term) is the new mindset for information security.
Instead of perceived absolute trust (which we never really had), we will shift to a paradigm that embraces variable levels of trustability — adaptive and context-aware security policy enforcement mechanisms that help us answer the real question:
“Do I have enough trust in the entities involved to take the requested action at my current level of risk tolerance and given the current context to allow the action to take place?”
That’s a direct quote from my research note for clients titled “The Future of Information Security is Context-Aware and Adaptive”.
Context is key to making better information security decisions where we increasingly don’t own and don’t control the devices, networks, OSs, and applications that our organization runs on.
I’ll be presenting on this topic as well as another session on virtualization and security at Gartner’s upcoming Security and Risk Management Summit at the end of June in Washington DC.
Adaptive, Context-Aware Security Infrastructure and Intelligence
20 June, 2011 (02:30 PM – 03:30 PM)
Consumerization, virtualization, and cloud computing challenge traditional static security models. The future of information security – infrastructure and intelligence — must become contextual and adaptive to changes in business requirements and the changing threat landscape. Richer, real-time context-aware information such as reputation, identity, application and content-awareness at the point of a security decision will provide more accurate and timely security decisions. Information gathered by context-aware security platforms will provide security intelligence — delivering actionable, risk-based insight and situational awareness.
I hope to see you there!