Intel's use of the phrase recognises the fact that employees, associates and outside agents regularly find ways around our efforts to contain our data and many do so without malice but in order to get their job done. We should therefore recognise this behaviour and manage it, instead of trying to limit or quash it. This is genuinely refreshing stuff from a big name, and is a timely response to David Lacey's call for new standards and security models. The five "laws" in Intel's model are:
- Information wants to be free
- Code wants to be wrong
- Services want to be on
- Users want to click
- Even a security feature can be used for harm.
The full article explains these laws and how Intel has devised new models to achieve security within them, including the "Trust Calculation" to provide an access control model flexible enough to support remote working with a variety of portable devices and locations.
As someone who has been suggesting for a while that compliance does not equal security, and the human factor is much much bigger than most of us credit, I think this is genuinely forward-thinking stuff and I look forward to the Information Security industry's response.