Comment on comment about comm…. ah you get the picture

Jun 2nd, 2007

Comments: 1
Category: General Security


IT Security, the view from here: Comment on comment about comments.
OK, I think that Rob and I will need to agree to disagree about this. I think that I've been talking at cross-purposes with him a bit initially here, but I will say that I probably still don't agree with him.
The idea of data classification is a great one, in theory, but I've just not seen companies be able to implement and manage it at all well. The main problem is the support of products. That's got to be in place before you can begin to classify your data properly (in my opinion), and unless it's an industry standard in the early days it can't work, as you'll not be able to apply it across all information repositories, at which point you've got holes in the protection provided.
In addition to support of products is user buy-in. What's the selling point to an end-user department in a corporate for the additional overhead for them to classify all their documents?
On the point that Rob makes, about DRM not being involved in data-centric security: well, sounds like my misunderstanding. From reading the Jericho stuff, which mentions DRM in its "commandments" about data-centric security, and Hoff mentioned it in his original post, so I obviously got the wrong end of the stick, although without DRM I'm kinda curious about how you stop a system which either doesn't understand your classification or deliberately tries to bypass it from reading data to which it's not entitled…
To close on this, a couple of experiences I've had with data classification and marking. I wrote some policies for a UK corporate on this a couple of years back, and I remember going round the table and everyone adding stuff in about double-enveloping and all that other good information-marking stuff, and just hitting intractable problems about things like how you classify data in things like e-mail and MS Word, which realistically everyone uses, and also realising that to make this work is to ask a lot from a load of users who don't and don't want to understand anything about security. Now maybe products will come along which make this all really easy and transparent to the users, but, well, I remain to be convinced…


  1. Rob Newby June 2, 2007 at 7:55 pm

    I think we’re still talking at cross-purposes on some points:
    1. What DRM is and isn’t:
    a. DRM is one part of data-centric security
    b. DRM is not ALL of data-centric security, only a small part.
    c. DRM is very hard to achieve with technical controls.
    2. Data-classification:
    a. Is the beginning of data-centric security
    b. Is not the end of data-centric security
    c. Has nothing to do with DRM (yet)
    When you say "I'm kinda curious about how you stop a system…" etc., go back to Hoff's original post. The Crossbeam boxes do the work for you. They identify the devices, by MAC, user, etc., and make a decision as to what level of access you are allowed. The data is already marked with the level of user that is allowed to access it.
    I wish I could make this simpler to understand. The fact is I've spent 10 years studying it and don't pretend to understand it all myself!
    I'm sorry to kick you in the first place; however, you seem to be a genuinely nice guy. E-mail me if you want further debate offline…
