I've been reading with great interest the media reaction to the discovery that DRM-free iTunes downloads actually store hidden personal data, including email addresses, about the people who purchased them. As I've said before, DRM is an interesting and useful security technology but it's inherently flawed as a means of protecting intellectual property from piracy. But if you can't stop users making illegal copies of downloads, then the next best thing is to ensure that you can at least monitor your customers' activities.
Interestingly enough, this is a sound security principle, which is rarely exploited to best effect in practice. Monitoring is an excellent compensating control for situations where preventative controls are not feasible, either for technical, financial or commercial reasons. Sometimes it's a better strategy. Back in the Eighties I always believed that the mandatory access control model set out in the Orange Book was the wrong approach for the Cold War, because in those days it was much more useful to detect potential spies through intelligent monitoring rather than to prevent them from attempting attacks. But monitoring is rarely at the forefront of people's minds when implementing security. Most security managers prefer to play it safe by aiming to eliminate, rather than control, unauthorised activity.
But the world is changing. In a highly-connected Web 2.0 business environment, it's far from easy to shoe-horn users into neat categories of access entitlement. In many organizations, more than half of IT users are not employees. It's getting harder to differentiate legitimate users from the rest of the Internet world. And in such circumstances, blocking user access on the basis of simple models can be more damaging to business than letting it go ahead under a watchful eye. That is, unless of course you're the type of security person - and there are many of them about - who would prefer to shoot first and ask questions later.