Information Monitoring: Surveil the data not the people
October 25th, 2004 | by ian |Thanks to Pacanukeha for his comments on “Go with the flow…“, they give me the opportunity to clarify the argument for compliance monitoring. The misunderstanding is probably the fault of the atrocious title of my post, therefore I have changed it – ah, the wonders of the blogosphere, where post publication revisionist history is in the hands of the author!
Complement, NOT replace
Pacanukeha says: “Can’t say I agree with you. ACLs will be with us for as long as there is a need to control how information can be changed. In addition, I don’t care, but some people don’t like others knowing their financial and medical details.” In fact I argue for complementing a permission based (ACL) approach with intelligent monitoring. To give full credit where credit is due, I am supporting John Udell who made the following arguments: ACLs don’t scale, accountability does. He followed up with his more detailed article Access control, monoculture, and accountability. To continue to give credit where credit is due, Dan Geer seems to have inspired Jon Udell’s musing on this subject with this keynote speech at the SIMC (Securities Industry Middleware Council).
Information Leakage
Pacanukeha says: “A decent ACL & service agreement covers both casual and malicious cases.” How do you propose auditing an ACL-secured network for HIPPA compliance, for example? Problems with information leakage tend to happens to the information AFTER the appropriate credentials are supplied, either due to imperfect ACL implementation or those pesky humans who do all sorts of crazy things with information once they access it.
To put it another way, think of what I suggested as complementing a security policy (and the ACLs which are put in place to enforce the policy) with an IDS system designed to watch and log (and notify) in case of policy violations. When it was obvious in the late 90s that firewalls were not flexible enough to adequately enforce security policy, intrusion detection systems (IDS) became necessary.
Surveil the DATA not the PEOPLE
To address fears that a malicious big brother lies in our future, I wish to support Geer (again) in his opinion of the increasing challenge we face in the highly connected world: “To the left, we surveil people. To the right, we surveil data. I’m arguing for data-level file-tracking because if I have to surveil either people or data, I think it’s highly important that we choose to surveil the data, not the people.”
Thanks to Emergent Chaos, a real security expert, for pointing me towards a few of the players in the growing market for compliance monitoring: Verdasys and Vontu (apparently there is another one that starts with V also).