Typically, I come down on the side of "sufficient protection" when debating what type of authentication mechanism to employ in a given security scenario. Up until now, that meant that I felt that passwords were a fairly robust vehicle for protecting data. However, a recent ruling determined that passwords alone were insufficient protection to preserve trade secret information. In other words, data placed in a directory secured by passwords was found to not be sufficient protection to preserve trade-secret status. In this instance, the judge questioned why other measures weren't taken - e.g. data labeling, confidentiality notices, etc.
In context, I agree with the ruling. While what the judge said is true (e.g. that the employees of the firm needed to be advised of data confidentiality), I'm concerned about the precedent and how the industry will react. The judge said in his ruling, "[r]estricting access to sensitive information by assigning employees passwords on a need-to-know basis is a step in the right direction". "A step in the right direction," but not "sufficient." What is sufficient? A confidentiality label at the bottom of the screen? I don't think that will cut the mustard if passwords don't...
This is just the kind of thing that an unscrupulous company could spin into a FUD-fest to try to sell two-factor products.
Posted by Ed at April 15, 2005 11:33 AM