Rory McCune cites Chris's (Hoff) article from this morning about data security. An article which is one of the most well thought out, well presented and well explained that I've ever read on the pages of this network. An article which made me feel happy, it has network diagrams and everything.
That happiness has all gone now, turned into bitter bile (by a thoughtless reactive post - much like this one), which I now present to you for digestion. (Urgh, sorry to be so biological.)
"One: there's no widely agreed on DRM open standard that companies are applying now."
1. It was a theoretical argument, but if you're going to be picky, so am I.
2. It really doesn't need it though does it? If you are applying classifications to the data, and you have a Crossbeam box (not that I'm marketing Crossbeam, but this is what the post was about) between user and data, the box, as Chris says, can make the intelligent decision based on the device, which is presented to it, and the data it is trying to access, which it knows all about. That's why there's a rule set. It's all there, the device just has to be tied to a user. Just like you should be as punishment.
"Two: More importantly the idea of assigning security levels to individual data items or collections of data items seems really unmanageable to me."
1. It's lucky you don't have to manage it then isn't it? That's what we have computers for.
2. Tell this to Njini who are running a whole business on this premise (and doing quite nicely too).
3. Tell it to EMC, Hitachi or NetApp for that matter. Guys, you're getting it wrong, Rory said. It's really hard.
4. Tell it to the military, Biba, Clark, Wilson, Bell and LaPadula. I KNOW you have a CISSP hidden somewhere in that brain of yours, maybe dust the books off and have a read?
(5. Tell it to Hoff, far scarier to deal with. The ginger ninja will have his own way with you though, of that I'm sure.)
Oh god, I'm getting angry just sitting at my desk. Time for a
"Three: Data-centric security has been trialed recently in a large multi-company multi-system environment that everyone's heard of and it's been a complete disaster, which is DRM on music files."
1. This is an argument about economics. I'd like to hear Jon Robinson's take on this.
2. A private network is typically trying to restrict access, therefore availability, and increase confidentiality and integrity. Your example is trying to increase availability, whilst keeping confidentiality and integrity, which is next to impossible. Did you ever study security?
I could go on, but I'm sick and tired. I KNEW this would happen.