Thursday, April 24, 2008
Finally someone said it!
I was extremely happy to read this post from Richard Mogull, where he says:

"Data Classification Is Dead

I know what's running through your head right now.

'WTF?!? Mogull's totally lost it. Isn't he that data/information-centric security dude?'

Yes I am (the info-centric guy, not the insane bit), and here's the thing:

The concept that you can run around, analyze, and tag your data throughout the enterprise, then keep it current through changing business contexts and requirements, is totally ridiculous. Sure, we have tools today that can scan our environment and, based on policies, tag files, but that just applies a static classification in a dynamic environment. I have yet to talk with a customer that really does enterprise-wide data classification successfully except for a few, discrete bits of data (like credit card numbers). Truth is that's data identification, not data classification.

Enterprise content is just too volatile for static tags to really represent its value."

A few years ago I was advocating the same thing during a discussion with some friends, where I was complaining about how pointless the current data classification policies and procedures are when we think about the current state of applications, data sharing and web 2.0 stuff. I just don't believe that information classification can happen in a dynamic organization in the way that is taught in, let's say, a CISSP prep class. We really need to think out of the box when dealing with the challenges of prioritizing security measures according to the value of information.

I'll quote Richard again about data classification: "That, my friend, is not only dead, it was never really alive."