I read [Joe McKendrick’s column entitled "Network Security: Damn the Hackers, Full Speed Ahead," May ESJ, page 18] and agree with [his] thoughts. But, I do think that one thing got left out. Since logon IDs are imperfect, and everything else is fairly far away, there is more and more of a need to grant things on a business need-to-know basis. That way, if an ID gets compromised, your losses are significantly less than if they weren’t.
This also becomes a huge problem when you are opening things up to the outside world, and your logon IDs are going up by a factorial. It leads one to have bad nights worrying about getting a handle on it. I do think that data classification is one way to do this, but selling that idea in a world where applications get half of their information from one classification of databases and half from a different classification of database is extremely hard to do. This leads to managing access by fields, and that is impossible. Any thoughts?
Patrick M. Dooley, Chief Information Security Officer
Wisconsin Department of Revenue, Madison, Wis.
Thanks, Patrick, for an excellent observation. The more sophisticated Web-to-host tools out there do enable multiple layers of security, and support directory services and LDAP to address some of the complications arising from accessing multiple sites.
However, I’m not entirely familiar with the benefits of data classification. It would seem that the more enterprise application integration we see out there, the more this issue is going to come up. I’ll check around to see what some of the Web-to-host people have to say on the matter. Thanks.