Managing ACLs is not enough

I had an interesting talk with Jesse (NetPro architect) and Paul (MSFT architect) the other day regarding data classification and access control. The discussion had revolved around how difficult managing ACLs in a large enterprise is, and how a central access policy store along with a claims-based authorization scheme would simplify the problem. Paul and Jesse raised some interesting points regarding ACLs and high-business-impact (HBI) data.

First off, the idea of designating a share or a folder as HBI is a very loose mapping. You can't guarantee that only HBI data is placed in the share or folder, and conversely, you can't guarantee that no one will store an HBI file in a share designated as low business impact. You can establish an administrative policy, but there's no good way to enforce it. So even if you manage ACLs properly on your HBI shares, your claims about the security of your HBI data only go as far as you can trust the people to manage the data properly.

And secondly, controlling access to the container of the HBI data (the file) is not the same as controlling access to the HBI data itself, and from a risk management perspective the data is what you really need to control. You can lock down access to a file, but once the file is opened by someone with legitimate access, there is no control over the data. The user can cut-and-paste it, email it, photograph the screen, etc. That's where DRM technologies come in.
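To make the two points above concrete, here is a small added illustration (not code from the original post, and not any NetPro or Microsoft product): a toy file share model where each file carries its own classification label, and two authorization checks are run side by side. One decides from the share the file sits on (the ACL-style "loose mapping"), the other from the file's own label (the claims-based view). The share names, paths, labels and the `clearance:HBI` claim are all constructed sample data.

```python
"""Container-level vs data-level authorization on a toy file share.

Added illustration, not code from the original post. All share names, file
paths, labels and principals below are constructed sample data.
"""
from dataclasses import dataclass, field

# Constructed inventory: each path carries its own classification label,
# which is exactly what a folder-level HBI designation cannot guarantee.
FILES = {
    r"\\corp\hbi-share\board-minutes.docx": "HBI",
    r"\\corp\hbi-share\lunch-menu.txt": "LBI",   # LBI file sitting on the HBI share
    r"\\corp\public\q3-forecast.xlsx": "HBI",    # HBI file sitting on the LBI share
}

# The administrative designation of each share (the "loose mapping").
SHARE_LABEL = {
    r"\\corp\hbi-share": "HBI",
    r"\\corp\public": "LBI",
}


@dataclass
class Principal:
    name: str
    claims: set = field(default_factory=set)


def share_of(path: str) -> str:
    """Return the share prefix of a UNC path (longest matching key wins)."""
    for share in sorted(SHARE_LABEL, key=len, reverse=True):
        if path.startswith(share + "\\"):
            return share
    raise KeyError(f"no share covers {path}")


def container_allows(p: Principal, path: str) -> bool:
    """ACL-style decision: keyed on where the file lives, not what it is."""
    if SHARE_LABEL[share_of(path)] == "HBI":
        return "clearance:HBI" in p.claims
    return True  # LBI shares are open to everyone in this toy model


def claims_allow(p: Principal, path: str) -> bool:
    """Claims-based decision: keyed on the file's own classification label."""
    if FILES[path] == "HBI":
        return "clearance:HBI" in p.claims
    return True


def misplaced_files() -> list[str]:
    """Files whose own label disagrees with their share's designation.

    This is the audit check that surfaces violations of the administrative
    policy the post says cannot be enforced by ACLs alone.
    """
    return sorted(path for path, label in FILES.items()
                  if label != SHARE_LABEL[share_of(path)])


if __name__ == "__main__":
    contractor = Principal("contractor")  # no HBI clearance claim
    target = r"\\corp\public\q3-forecast.xlsx"
    print("share ACL allows:", container_allows(contractor, target))   # True
    print("claims check allows:", claims_allow(contractor, target))    # False
    print("misplaced:", misplaced_files())
```

The contractor with no HBI clearance is let through by the share-level check on the forecast file simply because it was saved on the public share, while the label-keyed check refuses it; `misplaced_files()` lists both the mis-filed documents. Note that even the claims-based check only governs opening the file; once it is open, nothing here constrains what the reader does with the contents, which is the second point above and the gap the post attributes to DRM.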

Sigh, another technology I need to get up to speed on...