My colleague Alex Cullen recently released a report for Enterprise Architects called \u201cThe Top 15 Technology Trends EA\u00a0Should Watch,\u201d which describes some of the key technologies that will have the greatest impact over the next three years through 2012.A key security trend, one which I was interviewed for, described how security will increasingly move from being perimeter- and container-centric towards being data-centric. In other words, while perimeter security, network access controls, and other security measures will continue to be important, the decreasing importance of\u00a0physical locale and\u00a0networks will inevitably mean that the data must increasingly protect itself.Now, this prediction isn\u2019t exactly new \u2014 some noted security professionals have been making the case for data- and information-centric security for a while. And in 2000, while at @stake Dan Geer and I were retained by a Very Large Investment Bank to explore this very question. Some of the things we predicted \u2014 more use of client-side cryptography, network admission control, bandwidth throttling based on device\u00a0\u201ctrust\u201d\u00a0and user authentication assurance, and enterprise digital rights management (eDRM) \u2014 have made their way into the mainstream. (Not all have, to be sure.) Many, many others, in the field have made similar predictions.\u00a0Three things have changed since the early 2000s that have moved data-centric technologies to the forefront. First, as an industry we have lost our\u00a0\u201cbetter living through cryptography\u201d\u00a0religion. Enterprises don\u2019t believe in cancer-curing, globe-spanning PKI schemes using enterprise certificates whose trustworthiness are absolute, and whose pedigrees come from God (or Stratton Sclavos, if you prefer). Instead, PKI has yielded to\u00a0\u201cpki\u201d\u00a0\u2014 smaller, point purpose uses of crypto that are integral to solving specific problems, such encrypting laptop hard drives or protecting offsite backup tapes. Cryptography continues to underpin some of the most important security technologies around,\u00a0but it is now rightly seen as a means, not an end.Second, enterprises have new tools to help them automate classification and filtering tasks. Data leak prevention (DLP) is a good example.\u00a0Enterprises don\u2019t have time to burn static security labels into their documents. But if a smartish system can make reasonably decent decisions about information flowing through and exiting company networks, devices, or operating environments, security controls can be applied when needed, rather than when the IT admin gets around to it. The ability to dynamically assign security classifications to information as it is created is better than the alternative.\u00a0Third, and perhaps most important \u2014 data security is less and less a\u00a0\u201csecurity thing.\u201d\u00a0The objectives of data security have been winding their way up the stack from network zones and server access control lists to Layer 7 and beyond. Product categories that have historically been siloed, such as DLP, eDiscovery, and enterprise search are starting to merge. Stakeholders other than IT Security increasingly have a say in how data security policies for DLP are created, for example. And the most successful eDRM projects are usually led by business divisions who have their own priorities to protect: inside counsel, the M&A due diligence team, or the research division.\u00a0As Alex notes in his report,\u00a0\u201cwith content security controls in place, businesses can share data more freely while keeping it secure.\u201d\u00a0Sponsorship and operation of data-centric security tools\u00a0are key success factors.Data-centric security: finally, we are beginning to put the\u00a0\u201cinformation\u201d\u00a0back into Information Security. I'd urge you to read Alex\u2019s\u00a0excellent report. Data-centric security is just one of the big technologies he touches on. If you found this post riveting, read his report for 15 times more rivets!