Ran across a very interesting blog from Neil MacDonald, a VP at Gartner, on the topic of extending whitelisting to information access.
The idea of whitelists has been around for a while, notably in A/V and endpoint security products, as a way to ensure that unwanted apps/malware are not allowed to run on a system. Neil extends that paradigm to access to data and information, and proposes whitelists and a "default deny" approach to data and information access. Thinking about this a little, it struck me that the use of encryption technology, with unique keys and access controls, delivers on that thought. In the SharePoint world, the security products we're building do exactly this. They restrict access to information (default deny), allowing access only to those with valid encryption keys.
Neil's original post is here, and it is short, but worth reading.
Default deny is a powerful concept for protecting access to information. Implemented as a protection concept for sensitive information in SharePoint, as we're doing here at CipherPoint, it solves the insider/admin threat issue, and a whole bunch of other security risks and threats as well.
JD
