A great blog entry from Kenneth Belva here in bloginfosec, got me slightly excited. An open debate about data security is something I've been looking forward to. Quite apart from the fact that I've studied his work for years and have a bucket of respect for the guy, I have to continue the debate as it seems to have opened up a few lines of communication with the wider community, and I love nothing more than a good healthy discussion.
Kenneth says "...data has utility. By that I mean that if one cannot do anything with the data there is no value to it," thus echoing Donn B. Parker's awkwardly named but intricately woven Parkerian Hexad.
The paradox here is that if I completely secure my data, it becomes unusable, so loses its value, but if I make it too widely available, it loses its confidentiality and thus the value becomes so diluted that it effectively loses its value... uh?
This is simply because it is a mistake to think of a secure network as giving you secure data. They are two very different forms of security. The data can still be widely available on the network, but as confidential as possible. It is this that makes the network so important to secure, because it ensures the data's availability AND utility. But then the data needs to be secure in itself.
There are a couple of issues of paramount importance here: the integrity of the network, and the confidentiality and the integrity of the data. These are the very things we should be looking to secure to ensure our use of the data and the network is safe. I will follow up on PCI Answers with the data disclosure debate later tonight. These are just the kind of conversations we should all be having.