Re-imagine Security

Security? As said previously, cross out “security” (wherever you have been using the term) and substitute “availability” or “confidentiality” or “integrity” or “authenticity” if you want to get your point across.

I’m now considering adding “personnel protection.” We take it for granted that there are others (police, fire, military) who are responsible for protecting the personnel with access to information. That may be well addressed and, therefore, a closed subject. Nonetheless, it deserves its few minutes of confirmation.

Recognize that there is a common language meaning to the word “security” as well as a technical usage of the term. Re-use of language in this way obstructs clarity. Re-defining words separates the speaker from their audience. Operational definitions (sometimes introduced with “in the following, I will use the term such-and-such to mean …”) are used to slip statements in without awareness, justification or comprehension.

During Winn Schwartau’s presentation at the InformationWeek Dark Reading / Black Hat virtual event (December 9, 2009), we have been warned that RF interference could become a problem for artificial limbs. Picture persons with even short range devices causing Denial of Service problems for a person with an artificial leg. When bioengineers are asked what they were doing to secure these devices, they purportedly responded with “We’re trying to make them work. We don’t have time to add in security.” On the other hand (oops), adding in availability and integrity are part of the reliability problem they already consider part of the “making them work” problem. “Is confidentiality being neglected?” would be a more useful question to pose than “What are you doing about security?” [That’s Winn Schwartau of The Security Awareness Company and Simply Security (with Winn Schwartau).]

Do practice threat modeling.

Don’t blame users. While a certain amount of responsibility is in the user’s hands, making it difficult to be irresponsible is an informed design goal. If you leave a glass near the edge of the table, where someone can knock it over, what went wrong? What could be done differently?

Don’t let marketing define your system view. Marketing introduces terms to differentiate their product from competitors. Take, for example, “web application firewall.” In what way are these products firewalls? I realize that there is precedent for using the term “firewall” loosely.

See Web Application Firewall (WAF)

Compliance. Don’t let regulatory compliance define your information security

confidentiality (as well as availability, integrity and authenticity) decisions. The measures defined in regulations specify minimal assurances. Legislatures, regulatory agencies and industry organizations cannot define a “one size fits all” set of measures that will accomplish information confidentiality. At best, a set of of generalizations can be written. Neglecting these generalizations can establish irresponsible behavior, but you would still be irresponsible if all you paid attention to was regulatory compliance.


Comments are closed.