The Fallacies Of Information Security Practice

    In information security, there is a growing trend toward the belief that network security is the only game in town. Several articles that I have read recently have led me to believe that most professionals in the field have lost sight of the full picture. Their myopic views are highlighted by the fact that they focus only on computers, software, and networks while bypassing all other aspects that affect information security.

    Let's begin this discussion with a primer on information security in general. The true professionals typically think of security in terms of the AIC triangle. A is for accessibility; information is useless if it cannot be accessed by the parties that need it to perform their work. I is for integrity; information is useless if you cannot be sure of its accuracy. Finally, C is for confidentiality; if you cannot keep your private information private, then someone may use that information against you or others. The AIC triangle covers a great deal of what information security is about, but it does not encompass everything in this changing world of the information age. A security practitioner must also take into account those who do not care about the data, but are more interested in gaining access to resources for use in malicious endeavors.

    Accessibility is an oft-overlooked aspect of information security. When we chastise users for their desire for increased permissions on the network, we are not looking at the problem from the point of view of the business, but from our own myopic perspective of least privilege. Least privilege is a wonderful concept, but it does require intelligent consideration of the situation at hand. You cannot prevent the necessary work from being performed merely for the sake of least privilege.

    Integrity is far too often given little thought in the modern I.T. world, yet it has far-reaching implications. If a few bits here or a byte there are not accurate, or have been changed, the final outcome can be altered completely. This may seem like common sense, but I have seen all too often practitioners who do not strive to maintain information integrity.

    And on to Confidentiality, the club that is used to beat users on or about the head and shoulders. Our industry grossly exaggerates this vertex of the AIC triangle at the expense of the other two. There are many business cases where confidentiality is in fact harmful to the day-to-day execution of work. I am not advocating that we ignore confidentiality, merely that it must be thoughtfully weighed against the needs of the organization. Keeping your confidential data private is not the only, and probably not the most important, goal of information security.

    Beyond the AIC triangle, we have to concern ourselves with keeping our resources dedicated to the uses for which they were intended. Modern Internet-based attacks are mostly geared toward gaining control of resources that can then be used against other entities, and not nearly so much toward thwarting the AIC triangle. In the last 3 years at my current position, I have seen 4 compromises of the systems there. All 4 of these attacks left our data untouched and instead sought to use our resources to attack other people and to send out unsolicited commercial e-mail (UCE or SPAM). These types of concerns are not readily addressed by the AIC triangle.

    In summary, perhaps the AIC triangle is an outdated concept. I would like to propose a new AICR square, with R being the added control of resources. The proper philosophy in my mind would be to intelligently weigh the needs of the organization against each of these controls and allocate your time, money, and effort in a manner that is suited to the work being performed. If your organization works with common knowledge, then perhaps confidentiality is not a large concern, but integrity and accessibility are. If your organization works with new intellectual property, then perhaps confidentiality is paramount and in turn accessibility can be allowed to suffer. The basic lesson is this: every organization must thoughtfully balance each aspect of information security against the needs of the organization.
