So, we've established the need for Confidentiality, Integrity and Availability in everything we do related to transactions on our network; it's the first thing most of us learn in IT Security. These transactions can be anything, by the way, from a financial transaction with an ecommerce site, to logging in to our PC at work, to looking at our bank details online. They all start with a user, use some sort of network, and then end in storage. I like to represent this with a table, thusly:
Transaction | Availability | Confidentiality | Integrity |
---|---|---|---|
User | | | |
Network | | | |
Data | | | |
It might not look like much, but think for a moment where you are concentrating your security efforts at present within your network. I'm talking here as though I'm addressing the network administrators, but really it's everyone's responsibility. Everyone who uses a network, everyone who uses the internet.
The security of it is your choice. You can push for change.
If you don't know about the security of the network you are on, why not?
Why aren't you asking the questions?
It's YOUR information they are using, it's valuable to you, and it's valuable to the people using it. You have a right to expect your details to be secure.
If you DO know about the security on your network, most people will still be sticking a pin right in the centre, at the network confidentiality point, maybe a little to the left and right where availability is needed more than ever and people are savvy to the idea of network integrity. This is OK, it's the obvious place to invest after all. But it isn't the whole story.
Let's fill in the table as best I can at present (please note that this is only illustrative, it doesn't pretend to cover everything):
Transaction | Availability | Confidentiality | Integrity |
---|---|---|---|
User | Access Controls | Authorisation | Authentication |
Network | Wireless, Load balancers | Firewalls, IPS, etc. | Anti-Virus, Change Control Mechanisms, Digital Signatures |
Data | Access Controls | Encryption | Digital Signatures |
It looks a little strange, doesn't it? Where with user security we have generic terms, with network security we have specific remedies, and with data security we are back to generic terms, except in integrity where I can only think of one solution that is commonly used. I will cover digital signatures and their multitude of sins in my next post.
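To make the Data row of the table concrete, here is an added example (not from the original post) showing why confidentiality and integrity are separate columns: a toy stream cipher keeps the message secret, yet a single byte of ciphertext can be altered in transit and the change goes unnoticed on decryption. Adding an integrity check (an HMAC tag, used here as a stand-in for the digital signature in the table; the cipher, keys, nonce and message are all constructed for illustration) makes the receiver reject the altered data instead.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256(key || nonce || counter) blocks. Illustrative only."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR the data with the keystream; confidentiality only, no integrity."""
    return bytes(p ^ k for p, k in zip(data, keystream(key, nonce, len(data))))


decrypt = encrypt  # XOR is its own inverse


def alter_byte(blob: bytes, index: int, old: int, new: int) -> bytes:
    """Simulate corruption or tampering in transit: one byte changed, no key needed."""
    out = bytearray(blob)
    out[index] ^= old ^ new
    return bytes(out)


def seal(enc_key: bytes, mac_key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt-then-MAC: ciphertext plus an HMAC tag over nonce and ciphertext."""
    ct = encrypt(enc_key, nonce, data)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(enc_key: bytes, mac_key: bytes, blob: bytes):
    """Verify the tag first; return None (refuse to decrypt) if it does not match."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return decrypt(enc_key, nonce, ct)


def demo():
    """Constructed scenario: the same byte change with and without an integrity check."""
    enc_key, mac_key = secrets.token_bytes(32), secrets.token_bytes(32)
    nonce = secrets.token_bytes(NONCE_LEN)
    msg = b"PAY 0100 GBP TO ACCT 12345678"  # constructed sample transaction

    # Confidentiality only: the altered amount decrypts cleanly and is accepted.
    ct = encrypt(enc_key, nonce, msg)
    undetected = decrypt(enc_key, nonce, alter_byte(ct, 4, ord("0"), ord("9")))

    # Confidentiality plus integrity: the same alteration is rejected.
    blob = seal(enc_key, mac_key, nonce, msg)
    accepted = open_sealed(enc_key, mac_key, blob)
    rejected = open_sealed(enc_key, mac_key, alter_byte(blob, NONCE_LEN + 4, ord("0"), ord("9")))
    return undetected, accepted, rejected


if __name__ == "__main__":
    undetected, accepted, rejected = demo()
    print("encryption only, altered message accepted as:", undetected)
    print("with integrity check, genuine message:", accepted)
    print("with integrity check, altered message:", rejected)
```

The point for the table is that encryption on its own answers only the confidentiality column; without a tag or signature the receiver cannot tell a genuine transaction from an altered one, which is exactly the gap the Integrity column has to fill.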
For now, consider why there are so many solutions for network confidentiality, and the network as a whole... is it because this is the most insecure place? Hardly.
Is it because that's the place from where everything can be secured? Definitely not.
Is it because that's the easy selling point? Aha!
I can draw you a picture on the whiteboard in your office that shows you, or rather the CFO, VERY simply why you and he need a firewall. I can then go to your techies and show them how it's better than any other firewall because it's simpler, more throughput, higher bandwidth, more intelligent, a nicer colour, more complicated, faster, shinier, taller, better looking and better at toasting.
Getting it past the techies is actually the easy bit; any salesman knows this. Getting the attention of the person holding the purse strings is a little harder, and the non-technical person holding the purse strings for a technical sale is harder still.
That's the problem with data security and particularly the integrity part. But that's where I am now. Digital signatures, by the way, really don't cut it.
2 comments:
Hi Rob,
When talking about "purse strings" and the need to maintain C, I, and A - one thing that you may want to consider is risk.
Just a thought...
Hi Alex,
I've just been reading your Risk Analys.is blog, I think. Very interesting stuff. I love the diagram.
Yes, you're quite right, risk is a very important part of what I'm talking about, but not an area I'm really involved in to a great extent. I welcome your feedback in this area however.
Rob.