Data Security - a never ending saga, and one more uh-oh for the senseless.
Data security vendors seem to have a tough row to hoe. There never seems to me to be a single, comprehensive, wildly successful data security vendor, and the only one that comes close might be Decru, who I'd call less than glamorously successful today. They've fallen into the ranks of NetApp, lost some of their visibility, and their long-term outlook and opportunities seem to be decreasing. The biggest problem I see? Ultimately, anybody doing data security can be incredibly threatened by existing storage and network vendors, at a time of their choosing. I don't believe drive-level encryption is ever going to take the cake for enterprise data security, but array-based encryption probably will. Take a look at PMC-Sierra's StorClad processor. Their Tachyon ASIC has pretty good chances of being just about everywhere, and StorClad is encryption integrated with Tachyon and will stand a similar chance of being everywhere (it's a fully compatible replacement for existing Tachyon-based controllers - no redesign required). StorClad will make it really easy for vendors to integrate encryption directly into their array controllers, to the detriment of external encryption appliance vendors.
But that's just one example. What's really the problem for data security vendors? In my view, the problem is that we don't look at data security holistically. We look at parts of the problem. We even get so myopic as to look at "data at rest" versus "data in flight" encryption around block storage - which is only one little part of the data storage ecosystem. And consequently, data security breaches or potential data security breaches continue to be all over the news (uh-oh).
So what's the answer? It's time for data-centric security to become mainstream. How does it get there? It gets there by looking at data as a resource accessed within a "context". That context is the relationship between who the user is, what the user normally does, and the nature of the data. I've used data here because I think it doesn't necessarily require an application that can understand "information" - the data source and a few things about the data are enough to operate on, and this doesn't require as many processing resources. We have pretty sophisticated classification solutions on the market - e.g. Abrevity, Kazeon, Mimosa, StoredIQ, and others. It only takes a subset of their functionality to step up and deliver a deeper understanding of how data is being used in the enterprise. It has been ages since the introduction of IDS and even IPS systems. In my view, recognizing what data is being used, who it's being used by, and how it's being used is a natural next step. It's just a wonder it is taking us so long to get there. The good news: there's innovation going on in this space, by the likes of Varonis, the information classification players already mentioned, and file virtualization vendors like Njini and Attune Systems.
I think this type of solution merits a new solution category. Watch the Taneja Group site for more to come in the near future.
In the story linked above, with a real understanding of how data was being used and where it was being moved to (does anybody even know in Blear's case?), an uh-oh might have been avoided. So muck about with your encryption and key management all you want - that stuff's certainly important and critical, but until you get a real understanding of your data, namely context, encryption alone isn't going to do it for you.




