Saturday, May 08, 2010


There is an interesting equation that underpins most security frameworks. It states that possession = control = security. The fact that you possess something means you control it, and it is therefore secure.

If you own a commodity, controlling it is possible. This control automatically allows you to develop and implement measures that will secure it from theft. This premise is valid when you apply it to tangible possessions, for example cars or jewelry. It becomes a slippery principle to hold onto, however, where information is concerned, because determining the possessor of information is not as clear-cut. When distance exists between the info-owner and the custodian, the fundamentals change. This is because when your credit card and other personal details reside in some faraway corporate server, ownership of the same is translated differently.

If a company outsources its data functions and uses a remote data centre, then some ownership concerns arise. The main fear is that the company’s information is being processed somewhere else, and so owning, controlling and securing its own data is no longer in its hands. There is also the question of the blurred boundary between absolute information ownership and custodianship. For instance, does your bank (through its database) own your personal details by virtue of storing them, or do you have a right to claim ownership?

This question is best answered by the element of custody. Information is usually kept by third parties, and they are the custodians. This does not mean that they are the owners of the information, because transfer of custody does not equate to transfer of ownership in the info-context. Even if your personal details are located in distant servers owned by Mashada or Yahoo, that information is still yours.

These data providers are merely custodians of your info-property. It is also important to understand that the responsibility for ensuring your information is secure is shared equally between you, the owner, and the custodian, for example Yahoo. The final essential is that the responsibility for ensuring that the custodian secures your information lies with you, the owner. This essential applies irrespective of the geographical distances involved.

In sum, the equation applies to information with a small tweak: Custodianship/Possession = Control = Security.
