Security Blog



Posted by: Kyle Deming

Tagged in: information

To many, IA refers to information assurance. I really like this term much better than information security, since it speaks to the broader concept of informational integrity and places the emphasis on a far more committed and positive notion - assurance.

However, to others there is an equally important I and A: integrity and availability, two of the three traditional goals of security represented by the famous C-I-A triad. For far too long, information security has focused almost exclusively on the "C", confidentiality. In far too many aspects of our modern digital age, integrity and availability are as important, and often more important.

I'll never forget a meeting with a retired hospital CEO who scolded me on the destructive influence and operational damages brought by information security professionals who thought HIPAA was about privacy and confidentiality rather than portability and efficiency.

One of the most important lessons I can share about the triad is that these goals are usually competing and at times mutually exclusive. All too often it's a zero-sum game: to get more confidentiality, we forsake integrity. This is a lesson I often share in our CISSP boot camps. Look at the early abstract security models. The Bell-LaPadula model says that in a multi-level system a subject cannot write data down from a higher security level to a lower level (the *-property), nor can a subject at a lower level read data from a higher level (the simple security property): "no write down, no read up". While Bell-LaPadula played a vital role in framing our understanding of multi-level security and how a system might be architected to implement it, it was limited in focus to confidentiality alone. Biba produced a model several years later that addressed the more likely commercial concern, data integrity. To maintain multi-level data integrity, the Biba model states that a subject cannot write from a lower integrity level to a higher level (the integrity *-property), nor can a subject at a higher integrity level read from a lower level (the simple integrity property): "no write up, no read down".

What we see is that these rules are mirror opposites: the read rule of one model is the write rule of the other. The information flow that provides confidentiality (writing up, never down) is exactly the flow that integrity forbids, and the flow that provides the greatest integrity control (writing down, never up) is exactly the flow that compromises confidentiality. Enforce both on the same set of labels and the only access left is between a subject and an object at the same level.
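To make the mirror-image relationship concrete, here is a small reference-monitor check for both models, added as an example to this post and not part of the original. It assumes a three-level lattice (PUBLIC, INTERNAL, SECRET) used for both the security and the integrity label, which is the simplification that makes the conflict visible; the function names are my own.

```python
"""Bell-LaPadula vs. Biba access decisions over one shared label lattice (added example)."""
from enum import IntEnum
from itertools import product


class Level(IntEnum):
    """Assumed three-level lattice; higher value = more sensitive / more trusted."""
    PUBLIC = 0
    INTERNAL = 1
    SECRET = 2


OPS = ("read", "write")


def blp_allows(subject: Level, obj: Level, op: str) -> bool:
    """Bell-LaPadula (confidentiality).

    read  -> simple security property: no read up   (subject level >= object level)
    write -> *-property:                no write down (subject level <= object level)
    """
    if op == "read":
        return subject >= obj
    if op == "write":
        return subject <= obj
    raise ValueError(f"unknown operation: {op}")


def biba_allows(subject: Level, obj: Level, op: str) -> bool:
    """Biba (integrity).

    read  -> simple integrity property: no read down (subject level <= object level)
    write -> integrity *-property:      no write up  (subject level >= object level)
    """
    if op == "read":
        return subject <= obj
    if op == "write":
        return subject >= obj
    raise ValueError(f"unknown operation: {op}")


def rules_are_mirrors() -> bool:
    """True if, for every (subject, object), Biba's read rule equals BLP's write rule
    and Biba's write rule equals BLP's read rule. This is the 'mirror opposite' claim."""
    mirror = {"read": "write", "write": "read"}
    return all(
        biba_allows(s, o, op) == blp_allows(s, o, mirror[op])
        for s, o, op in product(Level, Level, OPS)
    )


def combined_allowed() -> list[tuple[Level, Level, str]]:
    """Every (subject, object, op) that survives when BOTH models are enforced
    on the same label. Only same-level accesses remain."""
    return [
        (s, o, op)
        for s, o, op in product(Level, Level, OPS)
        if blp_allows(s, o, op) and biba_allows(s, o, op)
    ]


def decision_table() -> list[str]:
    """Human-readable rows: subject, object, op, BLP verdict, Biba verdict."""
    rows = []
    for s, o, op in product(Level, Level, OPS):
        rows.append(
            f"{s.name:8} {op:5} {o.name:8}  BLP={'allow' if blp_allows(s, o, op) else 'deny':5}"
            f"  Biba={'allow' if biba_allows(s, o, op) else 'deny'}"
        )
    return rows


if __name__ == "__main__":
    for row in decision_table():
        print(row)
    print("mirror opposites:", rules_are_mirrors())
    print("allowed under both:", [(s.name, o.name, op) for s, o, op in combined_allowed()])
```

Running it prints an 18-row decision table; every row where one model says allow across a level boundary, the other says deny, and the intersection collapses to same-level access only. The caveat a practitioner should keep in mind: real systems that enforce both (for example, an MLS policy alongside a separate integrity policy) carry two independent labels per subject and object, so the lockout shown here is the consequence of reusing one label for both goals, not an inherent reason the models cannot coexist.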

This makes sense in the real world too. When we think about trying to make strategic decisions based on confidential information, we have the challenge of adequately vetting that information. If I tell the whole world we're invading Iraq based on a variety of intelligence sources, we then must disclose those sources. Intelligence personnel are concerned that disclosing their sources will compromise those sources. They fail to appreciate that they compromise the integrity of the source by protecting its confidentiality. How do we review and judge the accuracy and quality of information without disclosing the sources for rigorous review?

So, is it information assurance or integrity and availability that we need to add to our agenda? Actually, I think both go hand-in-hand which, when one thinks about it, might be just what we needed.


Posted by: Kyle Deming

Tagged in: information

I just learned some new texting shorthand from my daughters - TMI, meaning too much information.

I also began texting myself for the first time while working the floor at RSA.
So, it got me thinking ....

  • Too Much Information
  • Too Much IP (intellectual property easily stolen over the net)
  • Too Much Infrastructure
  • Too Much Interconnectivity
  • Too Much IP (internet protocol connections)
  • Too Much Indifference

Or maybe it's really about what we don't have enough of?

Has anybody ever used TLI? And that got me thinking that it wasn't just for too little information.

Two weeks ago when I returned from RSA I was both disappointed and discouraged. While the economy may have taken a small toll on the attendance and exhibitors, what really stood out was a lack of imagination. Shortly after 9/11, I heard Richard Clarke use that expression, a lack of imagination. We failed to think outside the box and see many of the obvious threats. When the French built the great Maginot Line, the supposedly impenetrable fortified border between France and Germany, they lacked the imagination to see that a German military set on invading France would have few, if any, problems simply going around the wall and entering France through Belgium. My corollary is simply "bad guys cheat", but maybe they also have more imagination.
TLI: Too Little Imagination with all of our other TMI's isn't a good thing!

The industry I saw at RSA lacked imagination. Just as every other vendor in 2007 realized they had to proclaim they were a NAC solution, this year's required dress was a DLP message somewhere in the booth. Data loss is a big problem. Most forms of computer security touch one or many aspects of data loss prevention. So, if word is out that industry needs data loss prevention, then everybody has it.

So, while we're struggling with too much information, we seem to simultaneously drown out the creative interpretation of all that information that comes from creative and insightful imagination.

I can take the TMI but the TLI is killing us! What do you think? Feel free to share more than 3 letters.