IT Security, the view from here: Comment on comment about comments.
ok I think that Rob and I will need to agree to disagree about this. I think that I've been talking at cross-purposes with him a bit initially here but I will say that I probably still don't agree with him.
The idea of data classification is a great one, in theory, but I've just not seen companies be able to implement and manage it at all well. The main problem is the support of products. That's got to be in place before you can begin to classify your data properly (in my opinion) and unless it's an industry standard in the early days it can't work as you'll not be able to apply it across all information repositories, at which point you've got holes in the protection provided.
In addition to support of products is user buy-in. What's the selling point to an end-user department in a corporate for the additional overhead for them to classify all their documents?
On the point that Rob makes, about DRM not being involved in data centric security. Well, sounds like my misunderstanding. From reading the Jericho stuff which mentions DRM in it's "commandments" about data-centric security and Hoff mentioned it in his oringial post, so I obviously got the wrong end of the stick, although without DRM I'm kinda curious about how you stop a system which either doesn't understand your classification or deliberately tries to bypass it from reading data to which it's not entitled...
To close on this a couple of experiences I've had with Data classification and marking. I wrote some policies for a UK corporate on this a couple of years back and I remember going round the table and everyone adding stuff in about double-enveloping and all that other good information marking stuff, and just hitting intractable problems about things like how you classify data on things like E-Mail and MS Word which realistically everyone uses and also realising that to make this work is to ask a lot from a load of users who don't and don't want to understand anything about security. Now maybe products will come along which make this all really easy and transparent to the users but, well I remain to be convinced...


raesene

Security Geek, Penetration Testing, Docker, Ruby, Hillwalking