This posting is a couple of days late, due to some extremely challenging travel/housekeeping issues going on. Also because of a very low-tech issue involving a 15 year-old boy, overeager to help, and a phillips bit through a hand - but that would be a different diversion altogether.

I am currently in Chicago preparing for a training to help me be a more efficient and skilled technician in the realm of mainframe security. This brings to mind a framing of security in the grand scheme of things.

One would assert that security is an important thing to have on top of data, especially data, and on the surface I would agree. I argue, though, that a separate security functionality on top of data is hampered and half-way executed as well. To be truly effective, security must be part and parcel of the data that is extant in any system.

As an example of this, security has the ability to interrogate and allow/deny access to data, but there is no qualification property to it, by and large. When you seek access to data and it is granted, what security is there behind that? An attempt to obtain information is successful when access is gained to that data. If someone gets access to data, and improperly uses it, it is generally left until a forensic function to determine what was done, how, and by whom.

Truly effective security will include a predictive and analytical functionality so that access may be granted for 'honest' pursuits, but may be denied for those that are not so honest. As an example, if someone is a file clerk and suddenly requests information about staff salaries, as well as staff names, then a red flag could be run up to tell them that they need one, or the other, but not both. Technically they would have access to both types of information as a legitimate portion of their duties, but the combination would give them things that are actually outside the scope of what they do.

I wonder how many systems are technically protected, but forensically exposed. I wonder how much it would be worth for someone to develop an algorithm and taxonomy for data that would allow this type of predictive security. The details are somewhat difficult, but if you succeed in creating such a thing, you may dispatch the royalty checks to my address. All kidding aside, for us to truly protect ourselves, we need to protect against not only content, but also leveraged capability.

As a side note, we also see the problem of needless security. As an example of this, I submit Indiana University. As a public institution, all the financial information there is available to any researcher with the time and energy to track it down through government publications, etc. So, they just opened up the floodgates. While I would not feel comfortable in doing that totally, I do need to give them kudos for realizing that this is an option. Just because our buildings are box-shaped doesn't mean that we can't go outside them.