Information security used to be simple. We locked doors, bolted windows, and that was sufficient. We took our cues for IT security architecture design from the same places, castles, walls, defence in depth, onion models, and network security based models positioned against external attack. These risks are not entirely the whole story says Ralph O’Brien MBCS.

In today’s technological world, this way of thinking is positively medieval. Gunpowder and cannons rendered the huge stone wall defences obsolete and irrelevant. Today, technology is again making our network defences obsolete.


Users now share data more than ever and wish to work on it anywhere, on any device, at any time. Everyone creates and stores content, often times placing multiple copies in disparate locations. Subsequently, this reality has led to the rise of records and document management systems, wikis and project portals, which has led to hundreds of data repositories proliferating enterprises worldwide.

Mobile devices and cloud

Users want it all, and want it now. Consumerisation of technology means IT is no longer a black art. Users now expect a certain experience as consumers and want that replicated when they’re on the clock as well. What does this mean? Simple, GUIs accessible 24/7 in the palms of their hands.

The rise of cloud storage and reliance on third-party providers to support these trends has led to the data we once held inside our trusted perimeters being offshored and hosted by others, vastly reducing our capability to know where the data physically resides, how many copies there are in use, and where it’s being accessed.

Big data

Research finds that today humans create more data in six months than the entire human race did before 2000. Storage is cheap and the amount of data we need to manage is growing exponentially. IT departments and business users alike have neither the time nor inclination to clean or understand their own information. They just want what they need to do their jobs.

With data bloat now a real problem, it has never been harder to pinpoint who did what where, and to understand exactly where the key data you want to protect, or simply dispose of, is located.


IT departments used to hold all the keys, literally. Business users didn’t really understand IT, and were content to allow the IT department to control everything. Today, this couldn’t be further from the truth. Virtually everyone is becoming more IT literate, and there is an array of tools and technology available to accommodate this shift.

With this gain comes challenges with self-provisioning services; users are creating portals and project sites, granting access, and adding data, leaving IT departments struggling to keep up and maintain control.

Threat vectors

Data is coming from more sources, quicker than ever before. We encourage customer interaction through social media platforms, customer-and partner-facing portals and allow users to create sites and control access both internally and externally.

Open access is no longer a privilege, it is fundamental. As such, the notion of a security perimeter is effectively dead. Most press comes from the threat of external hackers, but the growing threat is coming from inside our own office walls and often not even malicious in intent. After all, who among us hasn’t sent an email to the wrong recipient?

Comparison against tradition

If we use a traditional security model based on perimeters and walls, with layered network defences focused on external attack, it misses protection from those who already have legitimate access to information and may mistakenly use it inappropriately.

The traditional security model where IT departments worry about network assets is rarely going to work for a business today. Vendors sell hardware and software to attach to your network for protection, often producing a very flat level of security across the enterprise that assumes all data is created equally. Of course we now understand that some data is more important than others.

Unfortunately, the flat, static security model to which most are accustomed ignores the value of the data, which is the most important component in our security risk factoring. A single, static network security baseline causes most data to have too much security applied, preventing business users from accessing it and introducing unnecessary bureaucracy.

Security can come at the expense of user adoption, and these users will resort to third-party and unsupported systems simply to get the job done - such as USB sticks, personal accounts, or other freely available and unauthorised ways of transferring information.

The opposite is also true, with the flat security model leading to data that is far more valuable than the level of security provided - exposing the business to risk and damage. There must be a way to dynamically understand the value of data and apply the appropriate amount of security necessary.

The power of metadata

We must look to the data, not the network, for the answers. So far, we’ve largely ignored the possibility of scanning the data itself for the answers, because it can be resource intensive (we’re all scared of big data, remember?). Technology, though, is catching up. Metadata is immensely powerful, and where I see the solution to our future security models.

There are two major stages that, I believe, can help you begin to unearth the metadata you need to create a relevant, scalable information security model today. Use an automated solution to tag your data, invest time in understanding what makes your data special and deserving of security and look for key phrases, sequences and words that will trigger the need for special handling measures.

These can be things such as personal data, credit card numbers, product numbers and so on. Add these metadata tags to the data and documents themselves and let them carry this metadata with them. There are already properties fields marking authors and time stamps, but you should add corporate taxonomies of protective markings and indications of the data type. This can be done on upload or data creation and be enforced automatically with manual review to aid in the elimination of false positives.

Having done this let our other systems, software and hardware read and use these metadata tags to manage our data appropriately. This should not merely be for information security, but rather the whole of information management and governance.

Let the metadata decide the levels of security applied, access control, retention periods, archiving, allowed locations, usage, resource allocation and routing. Naturally, make sure these metadata tags can be used for reporting and assurance to management. You should also factor in legal, regulatory and contractual requirements based on the data type.

In short, give the data what it needs depending on what it is. The best part is the technology to do this exists today. It’s time for enterprises to stop fearing the unknown outside the office walls and focus on the data you already possess. Learn and understand what you have and use it to your advantage, not just for security, but also for enterprise information management to help best fit your specific needs.