Object-Level Security Through Accountability

Doug Kaye reports from the RSA conference on a talk by Dan Geer on the disappearing perimeter. I wish I'd been there. Dan, who's now Chief Scientist of Verdasys, has written a paper on the topic (you'll have to squirt your identity information at them before they give up the goods). In the paper, Dan makes an interesting proposition: "Information security is what distinguishes information that has economic value from information that does not." He goes on:

Security is an economic issue just as quality and reliability are economic issues. While the means to accomplish any of them are technical, the goals are economic. This is rarely said about security, and almost never believed. So much the worse.

Almost any company has some bit of information that is both privately held and crucial, some bit of information that if prematurely revealed or revealed at all would cause irreversible harm. An equity pricing strategy, expansion plans not yet board-approved, the contents of a protein database, corporate succession plans and associated compensation, next generation chip masks, incomplete responses to subpoenas, patent filings in process, customer details acquired under the promise of safe handling, the negotiating position in merger talks, and so forth. For privately held companies, nearly everything about them is not ordinarily made available to just anyone. For publicly traded companies, premature disclosure can be nearly as bad as improper disclosure.

The point is this: We, all of us, already have information that in and of itself represents a corporate asset. The implication is just as clear: The loss of such information assets is a negative impact on the corporate balance sheet, whether we "realize" that loss on the balance sheet or not...
From The Shrinking Perimeter: Making the Case for Data-Level Risk Management
Referenced Thu Feb 26 2004 10:13:43 GMT-0700

Dan is famous for pointing out that accountability is cheaper, less intrusive, and scales better than access control. Put another way, accountability scales linearly while access control scales geometrically. The paper talks about object-level control, but Dan hasn't jumped off the accountability soap-box. The paper is essentially a call for better logging and tracking of actions that might result in information ending up where it shouldn't be. Note that this is in sharp contrast to the Microsoft DRM story that is entirely based on an access control model. Of course, Dan's never been shy about going head to head with Microsoft, even at personal cost.

The paper is well written and full of examples. I find Dan's argument compelling. Its not technical, if you agree with its premise, you could easily share it with the CEO (or even the CIO).