Privacy and security paradigms focus on controlling the flow of information. I wonder not only whether this is possible, but whether it is the right focus. Information precedes action. Now I'm no Bruce Schneier, but perhaps the security industry should be focused more on controlling action than on controlling information.

I recall a panel on Data at Large at PC Forum, way back in 2003. Jeff Jonas from SRD shared how they were at the frontier of using social network analysis for security in casinos. In hallway conversation, Gilman Louie, then with In-Q-Tel, clarified an interesting tension between homeland security and civil liberties. In a top-down manner you could data-mine communications for patterns and profiles to discover threats. Or, from the bottom up, you could work from a lead to reveal a graph of conspiracy. The latter is much closer to traditional intelligence or the practice of private investigators, just with new tools, and with less risk of infringing upon civil liberties.
I recall when we introduced wikis into a bank in London where JP was the CIO. The compliance officer's initial reaction was to demand that he approve every edit before it was posted. Of course we could have developed that feature, but the attempt to control would have prevented any collaboration whatsoever. Instead we showed him the audit trail inherent in a wiki: the revision history, where you can see who did what at what time. We gave him some smart search feeds for basic monitoring. If someone did something inappropriate, he could pursue the lead and potentially fire them.
Perhaps the need-to-know basis has less of a basis than we believe. Perhaps there is an opportunity for security systems to be more effective as a whole when they focus on what people do with information instead of controlling its flow.
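The audit-trail-plus-monitoring arrangement from the bank story, as an added example in Python (not code from the original post or from the wiki product involved): a constructed revision history recording who changed what and when, a diff between revisions, a per-line attribution of the current page, and a watch feed that flags edits which add sensitive-looking patterns or happen off-hours. The usernames, timestamps, watch rules and business-hours window are assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass
from datetime import datetime, time
from difflib import unified_diff


@dataclass(frozen=True)
class Revision:
    """One entry of the wiki audit trail: page, editor, time, full text after the edit."""
    page: str
    editor: str
    timestamp: datetime
    text: str


# Constructed sample history (hypothetical names, dates and content).
HISTORY = [
    Revision("Onboarding", "alice", datetime(2003, 3, 3, 10, 12),
             "Welcome to the desk.\nAsk alice for the procedures binder.\n"),
    Revision("Onboarding", "bob", datetime(2003, 3, 3, 14, 5),
             "Welcome to the desk.\nAsk alice for the procedures binder.\nCoffee is on the 3rd floor.\n"),
    Revision("Onboarding", "mallory", datetime(2003, 3, 4, 2, 40),
             "Welcome to the desk.\nClient account 12345678 is settled via SORT 12-34-56.\nCoffee is on the 3rd floor.\n"),
]

# Assumed watch rules: patterns a compliance feed might look for in newly added text.
SENSITIVE = [
    ("uk sort code", re.compile(r"\b\d{2}-\d{2}-\d{2}\b")),
    ("8-digit account number", re.compile(r"\b\d{8}\b")),
]
# Assumed business-hours window; edits outside it get flagged.
BUSINESS_HOURS = (time(7, 0), time(20, 0))


def diff_revisions(prev, curr):
    """Return the lines added between two revisions of the same page."""
    added = []
    for line in unified_diff(prev.text.splitlines(), curr.text.splitlines(), lineterm="", n=0):
        if line.startswith("+") and not line.startswith("+++"):
            added.append(line[1:])
    return added


def attribute_lines(history, page):
    """For the latest text of a page, say which editor first introduced each surviving line and when.

    Simplification: a line removed and later re-added keeps its original attribution.
    """
    origin = {}
    latest = None
    for rev in sorted((r for r in history if r.page == page), key=lambda r: r.timestamp):
        for line in rev.text.splitlines():
            origin.setdefault(line, (rev.editor, rev.timestamp))
        latest = rev
    if latest is None:
        return []
    return [(line, *origin[line]) for line in latest.text.splitlines()]


def audit_feed(history):
    """Walk the audit trail in time order and emit alerts instead of blocking edits.

    Two detective rules: sensitive-looking text in added lines, and edits outside business hours.
    """
    alerts = []
    latest_by_page = {}
    for rev in sorted(history, key=lambda r: r.timestamp):
        prev = latest_by_page.get(rev.page)
        added = diff_revisions(prev, rev) if prev else rev.text.splitlines()
        for label, pattern in SENSITIVE:
            for line in added:
                if pattern.search(line):
                    alerts.append({"rule": label, "page": rev.page, "editor": rev.editor,
                                   "when": rev.timestamp.isoformat(), "line": line})
        t = rev.timestamp.time()
        if not (BUSINESS_HOURS[0] <= t <= BUSINESS_HOURS[1]):
            alerts.append({"rule": "off-hours edit", "page": rev.page, "editor": rev.editor,
                           "when": rev.timestamp.isoformat(), "line": ""})
        latest_by_page[rev.page] = rev
    return alerts


if __name__ == "__main__":
    for alert in audit_feed(HISTORY):
        print(alert)
    for line, editor, when in attribute_lines(HISTORY, "Onboarding"):
        print(f"{editor:8} {when:%Y-%m-%d %H:%M}  {line}")
```

Every edit goes through; the compliance officer gets a feed of alerts, each carrying the editor and timestamp needed to pursue the lead, and the attribution view answers "who put this line here" without anyone having to pre-approve anything.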
The compliance officer story is fantastic. I think there are several takeaways here. Not all apps are created equal, nor should all security architectures be. What is appropriate for a transactional web app is different from an analytics tool, which is different from a wiki. Security people tend to follow the man-with-a-hammer approach; instead it's better to form-fit the protection to the asset rather than coming with the same "solution" regardless of the asset. The security architecture of a wiki whose goal is collaboration and knowledge sharing is not the same as that of an insurance claims processing engine.