Monday, November 21, 2005

imho Why don’t we have increasing mandates in security and privacy


From: gav-

Mandates are seismic waves that propagate throughout the striated distributed medium of modern e-business.

Mandates pierce the clutter and introduce changes across many layers, causing some shattering of the landscape, some mass evacuations, some inevitable terror and confusion. But mandates aren’t so scary when we see them coming from a long distance and can make plans. And they’re not so terrible when we’ve had a hand in shaping them. Any democratic system—laboring under a legislative/regulatory mill with full, extended public comment—meets those requirements. And any federated democratic governance structure—in which the ploddingly slow jabber-mill gets refracted and damped by endless cross-negotiations—absorbs such universal shocks so well that we barely see the chandeliers swing when the ground eventually does decide to hiccup.

We have had increasing mandates in security and privacy for several years now, and it’s only going to continue. In fact, every mandate that comes down the pike seems to concern security and privacy in various degrees—in the US, SarbOx, HIPAA, GLB, FFIEC, CAN-SPAM, etc.—in various US states, equivalent and/or consistent legislation/regulation—in other countries, same sets of concerns, different mandates.

Every mandate is a new source of “thou shalt comply” commandments on enterprises and service providers. Of course, there are as many “thou shalt comply” religions as there are governments, agencies, laws, and bosses upon the face of the earth. To the extent that you operate worldwide—or even in a single region—how can you effectively comply with requirements that issue from so many rule-gods, who don’t always talk/agree with each other up in the clouds of Olympus, and who are changing their god-minds independently all the time? To the extent that all these rule-gods “federate” (i.e., agree to respect each other’s jurisdictions, honor each other’s decisions, and harmonize their respective approaches), your job (as the haplessly, hopelessly pliant and compliant clay/mud at their feet) is easier.

Compliance is the capacity of responding effectively to mandates. Mandates are imperatives issued by authorities. Authorities are the administrators of domains. Domains are the perimeters within which various human activities are conducted, administered, and regulated. Domains are more multi-dimensional than the hyper-mega-universe imagined by Stephen Hawking. Security/privacy domains can be defined as environments in their own right, or as strata within domains constituted on other grounds (e.g., management domains, orchestration domains).

Security/privacy, by forming part of every domain’s landscape, rocks the foundations of everything. Mandates introduce more fault lines into that bedrock. Federation takes those fault lines and arranges them into patterns that will do the least damage to domain perimeters, when the global shock waves eventually hit.

Mo’ metaphors, please.