Skipped out of town for a much needed vacation Friday, and spent the weekend in a very remote section of desert. I spent my time hiking to the top of several peaks and overlooking vast areas of uninhabited country. I rode quads, wandered around a perfectly intact 100 year old mine shaft, did some target practice with a new rifle, built giant bonfires, and sat around BSing with friends. A total departure from everyday life. So I was in a semi-euphoric state, and trying to ease my way back into work. I was not planning on delving into complex security philosophy and splitting semantic hairs. But here I am … talking about Quantum Datum.
Rich’s Monday FireStarter is a departure from the norm for security. The resultant comments, not so much. Cloud, SaaS, and other distributed resource usage models are eviscerating perimeter based security models. For a lot of you who read this blog that’s a somewhat tired topic, but what to do about it is not. You need to view Rich’s comments from a data perspective. If the goal is to secure data, and the data must be self-defending because it can’t trust the infrastructure, what we do today breaks.
As is his habit, Gunnar Peterson succinctly captured the essence of the friction between IT & Security in response to Mike’s “Availability Is Job #1” post:
I agree that availability is job 1, its just not security’s job. We have built approx zero systems that have traditional cia, time to move on.
And we fall back into the same mindset, as we don’t have a mental picture of what Rich is talking about. The closest implementations we have are DLP and DRM, and they are still still off the mark.
I look at traditional C-I-A as a set of goals for security in general, and attribution as a tool – much in the way encryption and access control are tools. Rereading Rich’s post, I think I missed some of the subtleties. Rich is describing traits that self-defending data must possess, and attribution is the most difficult to construct because it defines specific use cases. Being so entrenched in our current way of thinking limits our ability to even discuss this topic in a meaningful way, because we have unlearn certain rules and definitions.
Is availability job 1? Maybe. If you’re a public library. If you’re the Central Intelligence Agency, no way. Most data will fall somewhere between these two extremes, and should have restrictions on how it is available. So the question becomes: when is data available? Attribution helps us determine what’s allowed, or when data is available, and under what circumstances. But we build IT systems with the concept that the more people can access and use data, the more value it has. Rich is right: treating all data like it should be available is a broken model. Time to learn a new C-I-A.
Reader interactions
3 Replies to “Availability and Assumptions”
Well, availability _is_ a key concern (apparently one of three!). A secure system that cannot be reached is one of the oldest jokes in the industry.
And yes, operations types do value availability over everything, because they are incented to do so. The corporations they work for value it highly. Either the CISO hasn’t been able to make a case that the C or the I are equally or more important, or maybe they just aren’t.
Rich would have been better to make his point simply as a suggestion of improvement. By offering it in the context of “we need to replace one A with another”, I think he ended up with the wrong debate ensuing.
ds – Every CISSP training course list availability as a key to security. Every web developer is trained to make services available. Look at some of the comments to Rich’s original post and you see that IT being available, seemingly at all costs, is the very job description for some people. Rich is proposing a different model for cloud security when the platform, infrastructure and software is in question. I don’t think he did it as a strawman, and I think this is a legitimate question.
-Adrian
I’m really confused by the premise you guys have taken. Why is it so that because availability is a condition that needs to be upheld that it therefore becomes the primary one? Is this position the result of research or opinion?
You’re doing a good job of building a strawman and then knocking it down, but I don’t see the notion in security that availability is king that your numerous posts on the matter imply.