Friday, 1 June 2007

A kick in the teeth

Obviously SOMEONE didn't read my plea yesterday, so I will repeat: "please, please, please, think about what you are writing before you bombard us with rubbish". Anyone titling a piece of writing with something this negative is obviously after a scrap, so, as I also said yesterday, bring it on.

Rory McCune cites Chris's (Hoff) article from this morning about data security. An article which is one of the most well thought out, well presented and well explained that I've ever read on the pages of this network. An article which made me feel happy; it has network diagrams and everything.

That happiness has all gone now, turned into bitter bile (by a thoughtless reactive post - much like this one), which I now present to you for digestion. (Urgh, sorry to be so biological.)

"One: there's no widely agreed on DRM open standard that companies are applying now. "

1. It was a theoretical argument, but if you're going to be picky, so am I.
2. It really doesn't need it though does it? If you are applying classifications to the data, and you have a Crossbeam box (not that I'm marketing Crossbeam, but this is what the post was about) between user and data, the box, as Chris says, can make the intelligent decision based on the device, which is presented to it, and the data it is trying to access, which it knows all about. That's why there's a rule set. It's all there, the device just has to be tied to a user. Just like you should be as punishment.

"Two: More importantly the idea of assigning security levels to individual data items or collections of data items seems really un-manageable to me."

1. It's lucky you don't have to manage it then isn't it? That's what we have computers for.
2. Tell this to Njini who are running a whole business on this premise (and doing quite nicely too).
3. Tell it to EMC, Hitachi or NetApp for that matter. Guys, you're getting it wrong, Rory said. It's really hard.
4. Tell it to the military, Biba, Clark, Wilson, Bell and LaPadula. I KNOW you have a CISSP hidden somewhere in that brain of yours, maybe dust the books off and have a read?
(5. Tell it to Hoff, far scarier to deal with. The ginger ninja will have his own way with you though, of that I'm sure.)
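Since the post leans on the classic label-based models and on the idea of a box between user and data applying a rule set, here is an added illustration of how such a decision is made. This is example code written for this page, not code from the post, from Crossbeam, Njini or any vendor named above; the device sessions, classification lattice, integrity levels and data labels are all constructed for the example. It applies the Bell-LaPadula confidentiality rules (no read up, no write down) and the Biba integrity rules (no read down, no write up) to a request from a device that has first to be tied to a user's clearance, exactly the binding the post says is needed.

```python
"""Label-based access decisions for a device sitting between user and data.

Added example, not the post's or any vendor's code. Every label, session and
ordering below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed linear ordering of confidentiality levels (low -> high).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


@dataclass(frozen=True)
class Label:
    """Classification carried by a data item, or the clearance of a user session."""
    level: str                            # confidentiality level from LEVELS
    compartments: frozenset = frozenset() # need-to-know categories
    integrity: int = 1                    # Biba integrity level, higher = more trusted

    def dominates(self, other: "Label") -> bool:
        """Bell-LaPadula dominance: level is at least as high and compartments are a superset."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def bell_lapadula(subject: Label, obj: Label, op: str) -> Optional[str]:
    """Return a denial reason, or None when the confidentiality rules allow the operation."""
    if op == "read" and not subject.dominates(obj):
        return "no read up: subject clearance does not dominate object label"
    if op == "write" and not obj.dominates(subject):
        return "no write down: object label does not dominate subject clearance"
    return None


def biba(subject: Label, obj: Label, op: str) -> Optional[str]:
    """Return a denial reason, or None when the integrity rules allow the operation."""
    if op == "read" and obj.integrity < subject.integrity:
        return "no read down: object integrity below subject integrity"
    if op == "write" and subject.integrity < obj.integrity:
        return "no write up: subject integrity below object integrity"
    return None


def decide(subject: Label, obj: Label, op: str) -> Tuple[bool, str]:
    """Apply every rule in order; the first rule that objects decides, with its reason logged."""
    if op not in ("read", "write"):
        return False, "unknown operation %r" % op
    for rule in (bell_lapadula, biba):
        reason = rule(subject, obj, op)
        if reason:
            return False, reason
    return True, "allowed"


# Constructed sample: device identifiers bound to the clearance of the user logged on to them.
SESSIONS = {
    "laptop-0042": Label("confidential", frozenset({"finance"}), integrity=2),
    "kiosk-07": Label("public", frozenset(), integrity=1),
}


def evaluate(device_id: str, data: Label, op: str) -> Tuple[bool, str]:
    """What the in-line box does: resolve device -> user clearance, then apply the rule set."""
    subject = SESSIONS.get(device_id)
    if subject is None:
        return False, "device %s is not tied to any user" % device_id
    return decide(subject, data, op)


if __name__ == "__main__":
    report = Label("confidential", frozenset({"finance"}), integrity=2)
    for device, op in (("laptop-0042", "read"), ("kiosk-07", "read"), ("phone-99", "read")):
        print(device, op, evaluate(device, report, op))
```

The point the example makes is that the administrator writes labels and a small rule set once; the box does the per-request reasoning and produces a reason string for every denial, which is what you want in the audit log when a user asks why a read was refused.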

Oh god, I'm getting angry just sitting at my desk. Time for a coffee break tranquilizer.

"Three: Data-centric security has been trialed recently in a large multi-company multi-system environment that everyone's heard of and it's been a complete disaster, which is DRM on music files."

1. This is an argument about economics. I'd like to hear Jon Robinson's take on this.
2. A private network is typically trying to restrict access, therefore availability, and increase confidentiality and integrity. Your example is trying to increase availability, whilst keeping confidentiality and integrity, which is next to impossible. Did you ever study security?

I could go on, but I'm sick and tired. I KNEW this would happen.


Rory McCune said...

Hi Rob,

Thanks for replying (although I almost missed your comment, no trackback!). I must say I'm a bit disappointed, in that I thought I raised some valid points in a reasonably constructive way, but I seem to have annoyed you a bit.

Allow me to respond to your points

1. How do you mean I don't have to manage it? My role is at a corporate and one of the challenges I see in corporates implementing this kind of security is that with no standards it'll be impossible for it to work.

2. You've not really passed on anything new to this. Again in many companies I've worked with the idea of getting users to understand and manage security rights has caused a load of problems and I think that anything else which adds to that burden is probably a non-starter.

3. Didn't think I said it was too hard. Wouldn't you agree that the only DRM usage (music files) that has had widespread take-up has been, in my opinion, a disaster? Now I'm not familiar with EMC etc.'s DRM products and how they solve these problems, perhaps you could tell me more about that.

4. Sorry I've NEVER seen those models of security used outside the military and the police. Modern corporates in my experience all use DAC style because there are no products which are considered manageable which implement those pieces.

Yes I have studied security for many years thanks. Just because I don't think that one direction that people are going in for security is the best doesn't mean I'm anti-security. What I've found however is that companies are focused on having information available to make business decisions and any security measure that makes that difficult/impossible is not one which will see wide adoption.

Rob said...

Sadly blogger doesn't provide TrackBack, it's one of many weaknesses which is driving me towards WordPress shortly.

I will address these points in a new post as I think they are worth consideration. Not now however as I'm heading down the coast for a long weekend...