Rational Security: For Data to Survive, It Must ADAPT...
EDIT: I've had a couple of comments on this posting saying that I was bad-mouthing Hoff with this post. That was not my intention, and I apologise if it came across like that. I actually agree with most of what he says, just not the bit about data-centric security/information classification.
All this data-centric security stuff sounds really good in principle, but to be honest I'm not buying it, for a couple of reasons.
One: there's no widely agreed-on open DRM standard that companies are applying now. For data-centric security to work, every system that processes the data has to be able to understand the security metadata attached to it and be able (if permitted) to process it. To be honest, I just don't see that happening even in the medium to long term, and without it the idea won't fly. Imagine telling a senior exec that he can't get his board report on his handheld device because it doesn't support [standard X] yet and so can't read the DRM-encrypted file.
Two: More importantly, the idea of assigning security levels to individual data items or collections of data items seems really unmanageable to me. Take Office/e-mail security at the moment. For most corporations, the majority of their data will at some time reside in an (MS) Office and/or e-mail format. Right now most companies manage access to that in an incredibly coarse-grained fashion, with whole data shares being assigned to large groups of users, and even that is seen as not flexible enough by a lot of end users...
Three: Data-centric security has been trialled recently in a large multi-company, multi-system environment that everyone's heard of, and it's been a complete disaster: DRM on music files. Users absolutely hate it and have spent large amounts of effort bypassing it, it's created a monopoly because of the lack of industry standards, and even the record companies seem to be backing off from it...