Monday, February 15, 2010

the true nature of security

what is security

security can mean many things to many different people. have you ever wondered why that is? do we examine what security is and what the nature of its relationship is to other supposedly related topics or do we simply build upon a foundation of an instinctual gut level feeling about what is and isn't secure? for me (and others like me) it has traditionally been the latter, but i'm about to do the former and take you, the reader, with me.

i'm going to try and lead the thinking a little bit. try to complete these sentences:
i don't feel _________ online without an anti-virus.
i don't feel _________ online without a firewall.
i don't feel _________ doing online banking without SSL.
now if you're reading this blog there's a good chance you see the world through security-coloured glasses and likely answered "secure" for all 3 questions. unfortunately, while seeing the world through security-coloured glasses has no doubt served you well over the years (i know it certainly has for me) the fact is that it's still a distortion of reality (regardless of how useful it may be). i want you to think about basic human needs. i want you to think about someone who isn't as security conscious as you are - in fact someone who isn't even technologically sophisticated. think about someone who's afraid to go online and tell me how you think they would complete this sentence:
i don't feel ________ online.
if you guessed safe then you get a gold star.

so to start things off, security is related to safety. this is demonstrated by what i consider to be the best answer to the "are macs more secure" question - that being they're safer but not necessarily more secure. clearly we're expecting security to help us meet our basic need for safety. there is a school of thought that says everything we do represents a strategy for meeting our basic needs (even altruism is said to come from a need to contribute). therefore it can be said that security is a set of strategies for meeting our basic human need for safety. notice, however, that i did not say it was the set of strategies for meeting that need - as the answer to the "are macs more secure" question indicates there is more than one path to safety.

i'm going to make an aside here and address something that may be a sticking point for some people. when i talk of strategy here, i'm not talking about the kind of stuff sun tzu would dream up. there's an entire spectrum of strategies, going from the primitive all the way up to the complex. the kinds of strategies people employ day to day are often not arrived at through deep thought, but through trial and error, growing organically as the need arises. that being said, sun tzu does have a lot of wisdom that can be applied to the analysis and formulation of strategies once one undertakes to purposefully modify their strategies.

regulation vs. privacy

two other topics that seem to often be associated with security are regulations and privacy. in fact i recently came across the unusual juxtaposition of "regulation vs. privacy". why do i think that's unusual? well look at it this way - both seem to be related to security so it stands to reason that they are both approaches to meeting our need for safety - so why should 2 things that are meant for the same purpose be at odds with one another? to understand that i think we need to delve deeper into what they are and how they fit together with security.


at a basic level, what are regulations? they're really just rules that individuals or groups are expected to follow. they don't really do much for us all by themselves, though, do they? i could make a rule that says everyone must wear a green shirt but it would be meaningless. i have no way to enforce it. even if i found a way to enforce it, i wouldn't have the moral authority to do so. there we have the key to understanding regulation. it's one part of a bigger whole. you can't just have rule makers, you need enforcement as well, and the authority to do so or society will rebel against you. the most straightforward examples of rules and enforcement are laws and police. together we generally consider the lawmakers and police to be the authorities and as such we can say that in security circles when we talk of regulation what we're really talking about is a class of strategies for meeting our need for safety called authority.


so is privacy also part of a duality like the regulation/enforcement example above? if it is i can't really see it, but i can see how it represents something more general. in fact, using a mac (or any other alternative platform) for improved safety is also an example of the same thing. think about what you're doing when you're keeping something private - you're hiding it from the public, you're obscuring it from vision. now think about what you're doing when you use an alternative platform like the mac, or alternative browsers or other software - rather than using the most popular thing, you're using something that's more obscure. thus it can be said that obscurity is another class of strategies for meeting our need for safety.

putting the pieces together

now that we have a few pieces, let's see if we can put them together into something coherent. coming from a strategic point of view, when we're trying to maintain our safety while dealing with an opponent there are a few broad categories of things we can do.
  1. first and foremost we can neutralize the opponent before s/he can attack us. this is the role that authority plays. we make rules of conduct (either formal or informal) intended to maintain our safety, identify those who violate those rules (to determine who our opponent is), and then try to sanction them in some way to keep them from violating those rules in the future (neutralize them before they can attack again).
  2. next we can harden ourselves against attack, make ourselves invulnerable or at least minimize the impact of an attack that is launched against us. this is the role that security plays. we set up roadblocks, we try to identify where our vulnerabilities are and fix or cover them, and generally try to shield ourselves.
  3. finally we can run and hide. as much as we may dislike the notion, sometimes our other efforts aren't good/effective enough. this is the role that obscurity plays. by making ourselves more difficult to target we in effect make ourselves less likely to be attacked.
at this point it seems that not only do authority, security, and obscurity fit together rather nicely, there also doesn't appear to be room for anything more; with the exception, perhaps, of recovery for when everything else fails. but recovery doesn't preserve safety, it doesn't keep you safe from harm and so is not really related in that sense.

for the 6 year olds

a quote often attributed to einstein goes as follows:
if you can't explain it to a six year old, you don't understand it yourself.
i happen to think that's a pretty good yardstick for measuring understanding so how can we explain this in terms a six year old can understand? my tendency is to relate it back to antiquity, to a fanciful time that most children (in the western world at least) are familiar with and probably fantasize about to some extent. i would say that authority is like the sword we use to strike down our opponents with before they can strike us down, security is like the shield or armour that keeps us from harm when our opponent does strike us, and obscurity is like the hiding place we use when the sword isn't sharp enough and the shield isn't strong enough.

one other thing i would do, of course, is use pictures.

regulation vs. privacy revisited

getting back to that question of why these two different things that are supposed to be for the same goal are at odds with one another, i think there are two main reasons for this. the first is the obvious; our opponents have the same basic human need for safety as we do so our respective efforts will certainly clash to some extent. the second reason is more subtle. notice that when we speak of regulation we're addressing only one half of authority - rule making. i think we take enforcement for granted. i think we focus too much on the making of rules and so when authority fails we think we need to make new rules (not unlike the old saying "when all you have is a hammer, everything looks like a nail"). what happens next is that those new rules often confer greater powers onto enforcers, and that opens the door to abuse. this single-minded focus on regulation over application is dysfunctional and can hurt us just as easily as it can help us. greater powers, like the sword of damocles, loom over all our heads not just those of our opponents.

information security

if you've had a growing sense that something was wrong, that all of this seems to not quite fit with the notion of information security somehow, then you'd be right. after all, information is just ones and zeros, bits and bytes. you can hide a bit but you can't harden a bit against attack - and for that matter, attackers don't generally attack information, they steal it.

so what's going on? well, what do attackers attack in order to steal information? the systems which store, transmit, and control access to that information. in other words, information systems. what these systems do is obscure information, but the systems themselves can be secured in their own right. strategies need not be used in isolation from one another and this is an example where both obscurity and security are combined. indeed, both are generally considered to be within the realm of self-defense and so can be practiced by the widest array of individuals and organizations. we call it information security, i suspect, for much the same reason you likely answered "secure, secure, secure" to the questions at the beginning of this post - because we look at the world through security-coloured glasses. data security is a further bastardized version of this.

security folks don't like obscurity very much, they often say that there's no security through obscurity and even in this framework they'd be correct - but there is safety through obscurity. we can tag data, make it self-describing, etc. but it can never defend itself because data is not an actor. systems through which it is accessed may defend it based on whatever protection-specific information is present, but that's the system doing the defending, not the data itself. encryption probably comes closest to securing data in the sense of hardening it (because it does seem like we're doing something to the information itself), but still the data is just inside an encrypted envelope and the only security present is in keeping the decryption key secret (hidden/obscured).

the true nature

so it seems that i've gone through all this just to say that security is one of 3 different classes of strategies (along with authority and obscurity) for meeting our basic human need for safety in some fashion or another. that presents us with an interesting opportunity to talk about the state of security because in this context what we'd really be talking about is how effective our strategies are. if we find them wanting, that further begs the question of how we can improve them, and then we're in the realm of purposefully modifying our strategies to achieve something closer to the optimum state. we should also be better able to recognize now the roles of authority and obscurity and how those strategies too can be put to use for our real goal of safety.