You can take the "A" out of security, but you can’t take…wait… what?

Since I haven’t been posting much of substance lately, it has been a while since I had an altercation with The Hoff on anything.  Now one is in full swing, and I have to say that I have missed this a lot!

So here’s the deal for those of you just joining the program.  There was an article posted a couple of days ago that said business people were becoming more concerned with availability than security.  I expressed my incredulity here with a very simple and direct question.  I got a quick verification of my point by Mr. Wismer, and I felt I had done my duty in protecting the CIA Triad once again.  I think the first time I posted about this was back in March of 2007, when OpenBSD people were discounting a buffer overflow vulnerability in their code as NOT a security issue.  This simply befuddled me because availability, in my old world, is an inseparable part of security (And Chris, it does mean what I think it means – “old” doesn’t mean we are old, maybe just conservative).  I wrote this off to some people trying to get away with skewing statistics so they looked better on the security reports at the end of the year.

Of course, I could not have been more wrong in thinking that my day of heroic pursuits was done.  First, I got the scalpel from Dr. Chuvakin (I know, I know… he’s not that kind of doctor – but it sounded cool.  And seriously… PHYSICS??).  Then I got drop-kicked by The Hoff on my blind side (which, incidentally, is the direction from which Chris always hits – not complaining at all, he just seriously has a really cool mind that makes him have wonderfully refreshing lines of thought).

So I saw all of this, weighed responding against how much work I had to do so I could have family night with the wife and kids, and I decided to work.  So by the time I got around to hitting back, I really didn’t feel like arguing too much.  But I did a little bit, and that quick quote can be found here. Chris responded and called me a redneck. 🙂  Mr. Wismer entered the fray again. Chris posted about it so it would have better visibility.  Anton presumably has better things to do (I don’t blame him at all).  And one more comment by Chris, and here we are… sheesh…

OK, now that you are all caught up and have read all of the comments and posts with serious interest, here’s my response… What were we talking about?  Oh yeah, information security…

So I thought originally that Hoff missed my point on the first comment he made.  He seemed to think that I thought the “C” and the “I” should come before the “A”, just like all us old dogs with allergies.  Of course, that is not what I meant at all.  I was actually arguing that people keep taking the “A” out of information security (search for CIA Triad on your favorite search engine).  So now this article pops up, and I really got a little peeved. 

Now, as to Anton’s point, this article came from a business-centered IT magazine rather than a security one, so I get it from that angle.  Chris argues from that angle as well.  But still, Chris’ first take on my argument was not correct, and I felt that I needed to clarify that.  I think, in some weird way, we were actually agreeing.

But my overall point in all of this is that I think the definition of information security has been skewed as security has been more and more commoditized.  And I don’t necessarily disagree with the skewing because I think the definition has actually become almost all-encompassing and has removed a lot of stovepipes that needed to go away.  EVERYONE touches security now.  From the switch guy to the server gal to the router dude to the firewall chick.  Sure, the “security” group may tell those people what buttons to push, but the “on-the-front-lines” people still push the buttons. 

In the same way, there really is no pure security solution out there now.  Too many products serve dual purposes.  Almost every product, whether it be an application or an appliance, has security built in.  It may be nothing but a marketing gimmick so the word “secure” can be placed on the website, but no one disagrees that it is there.  Take for instance the switch.  Not too many years ago, switches did nothing but push packets.  Now they are becoming an integral part of security through 802.1X port authentication and other NAC functions.  Take the firewall and router.  Those two products, at least for the SMB, are becoming a single product.
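To make the switch point concrete, here is an added configuration example (written for this edit, not taken from the original post) showing the same Cisco IOS access port twice: first as the old “just push packets” port, then with 802.1X port-based authentication turned on so the port stays closed until a RADIUS server authorizes the device. The RADIUS server address, the shared-secret placeholder, the VLAN numbers and the interface names are assumptions chosen for illustration.

```cisco
! Constructed example, not the post's own config.
! Global pieces needed once per switch for 802.1X (RADIUS server and
! port-authentication control). 192.0.2.10 and the key are placeholders.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius server NAC-RADIUS
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key REPLACE-WITH-SHARED-SECRET
dot1x system-auth-control
!
! BEFORE: the classic access port. Anything that plugs in is on VLAN 10.
interface GigabitEthernet1/0/1
 description user port - open, no authentication
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
! AFTER: the same kind of port with 802.1X enforced. The switch acts as
! authenticator; the device must authenticate via RADIUS before the port
! forwards traffic on VLAN 10. Devices that fail are parked on a
! restricted VLAN (999, assumed) instead of getting nothing at all.
interface GigabitEthernet1/0/2
 description user port - 802.1X enforced
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 authentication event fail action authorize vlan 999
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
```

The “fail action authorize vlan” line is the availability knob in this design: without it, a printer or an unmanaged device that cannot speak 802.1X simply gets no network, which is the kind of self-inflicted outage the rest of this post is arguing about. Check the result on the switch with `show authentication sessions` (or `show dot1x all` on older releases) rather than assuming the port is enforcing.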

And because of that, many companies consult on IT practices as well as security practices, because you really can’t separate the two anymore.  IT frameworks build in security now (ITIL and COBIT).  Chris says risk management encompasses security, and I see his point.  But my take is that security is the whole, and ALL the other areas are pieces.  Yes, people still code and expect the network to protect the code, but that is becoming less common.  I see it every day, just as you do, Chris.  I see people getting pwned due to application vulnerabilities.  Just ask Jeremiah Grossman and my friend David Nester from HP, who is now posting on this blog.

Security has to be thought of almost before anything else.  Have an idea that is going to revolutionize the IT world?  My first question is, “How do you secure it?”  And that means, “How do you make sure it is available while at the same time making sure everyone’s data doesn’t get leaked?”

Vet

8 Replies to “You can take the "A" out of security, but you can’t take…wait… what?”

  1. “the definition of information security has been skewed”

    I would ask how your definition of IT security addresses information-centric security in terms of CIA? Network security uses devices and systems as user proxies for information security, but some of the issues of CIA are really meant to impact at the data level. How can that work?

    The overall function of IT in general is to make “information” AVAILABLE to support all business activity.

    IT security is a sub-set of IT concerned with WHO has authorized data access (the C for privacy/confidentiality), WHAT is allowed to be done with data once accessed in an authorized way, (Integrity), and a specific sub-set of availability that is focused on keeping systems and networks able to continue to produce the information (the end goal) in a timely, consistent and stable manner, but that might otherwise be compromised by attackers. That area of protection overlaps with IT as a whole, and physical security.

    This debate, as I see it, stems from the simple fact that using an inadequate model of network security to enforce information-centric issues leads to operational issues, eventually forcing one to make choices between C, I and A.

    Just my 2c.

  2. The battlefield has spilled over here too! 🙂 I made a comment on the other thread, so I’ll leave all of that alone.

    1) Here’s a question or two. If a server monkey in the data center accidentally trips over the cable to a critical machine, bringing it down for a few hours (let’s say it damaged the NIC itself), that affects Availability, but is that a security concern? What about when a configuration change that has been approved gets fat-fingered, or a business decision made to change a network path that breaks down some other path?

    I guess my point there is that “A” is shared between security and IT, and IT bears much of the burden of that piece of the triad. That is why there is a skew where security leaves that piece a little bit behind…I wonder how many sec people will talk about paradigm-heated arguments with the operations teams over security measures? 🙂

    2) “Security has to be thought of almost before anything else. Have an idea that is going to revolutionize the IT world? My first question is, ‘How do you secure it?'”

    I really do appreciate and understand that sentiment; in fact, I share it. But we’re an amazingly small subset of the IT world, and likely the only ones asking that question. Business and stakeholders will first ask “Is this a great idea that is viable and something we should do as a business?” And only later, once that idea is proven and actually works, will they possibly think about the security of it. It’s the way we program, it’s the way we build things, it’s the way business works. Maybe that should change, but I really truly doubt it will, on any grand scale. On an amazingly simplistic example, would you put a lock on something that has no value? What if that lock costs money; money which you don’t yet have because that item has no value yet?

  3. Nat,

    “I am not saying availability is a bad thing, but it is a lesser thing when compared to security…”

    This makes me insane. Do you understand how incredibly naive you sound? You just said that it doesn’t matter if a business goes bankrupt, as long as their data is secure. And what do you think “security” is in your terms? It is “C” and “I”. You are saying that “C” and “I” are the most important in any situation, but the “A” essentially doesn’t need to be there. You just shot Information Security in the head.

    I really am not trying to be insulting here, but I just don’t get this argument at all. Think about it this way. If you want to be more cautious and concentrate on “security”, then you are really focusing on confidentiality and integrity (the very thing that Chris Hoff accused me and Kurt Wismer of that started this whole thing). You are making a business decision. It is as simple as that. But what YOU are doing is trying to fit that model into every situation no matter where you are working. You can do that if you want, but you take the risk of killing a business if that security model doesn’t fit that business model.

    If your model is a university where a bunch of research is done and the database does not need to be open to the public, then you can lock it down more and make it available only to the professors and their assistants. But it still MUST be available. It is not a “bad thing”. It is necessary. How available depends on the situation.

    If your model is a business catering to other businesses and your revenue depends on those businesses getting to your data, then what happens when you try to fit your model into that business? You just went bankrupt.

    Michael

  4. In my mind, if security is at the forefront of one’s concerns, one prefers to have something not be available, and be safe rather than to have it available, but open to compromise. When you choose to list the two qualities in one, you’re muddying waters, blurring the lines between these two independent traits.

    In a situation where your system is at risk, do you seriously prefer it to be available? I surely don’t, I want my data to be safe, and the same as it was before the attempted crack.

    Accessibility to me is very much the opposite of security; to secure something you must place the integrity of the system above everything. Turning back to the bank analogy, is it better to lock down the building when someone comes in with a gun, or leave the doors open so customers can still come in?

    I am not saying availability is a bad thing, but it is a lesser thing when compared to security, a concern yes, but not of the level of keeping my shit safe. I want a denial of service, not a rooted box.

  5. Security is all about availability. No one wants security to the point that availability suffers – in security terms we call that a DoS (and we can do it to ourselves if security is too tight). If security suffers so does availability. All of a sudden the owned server stops serving, it’s not available, and it’s a security issue. It’s not an either/or situation. You can’t have one while ignoring the other. An insecure highly available system is a temporary state.

    But maybe Nat has a point – maybe security need not make availability a part of itself, but availability had better pay attention to security.

  6. Nat,

    I like the fact that you’re thinking, but your thought process is erroneous. “Physical security” is just a part of the whole of “information security”. You don’t want your physical server “available” to anyone to walk in and steal off the rack, just like you don’t want prisoners to be available to walk out of the prison. That’s just a silly argument.

    Look, trade-offs are inevitable. I know that, but I don’t think you know that though you are trying to sound like you do. You don’t completely sacrifice data integrity for data availability. If you did, what good is the data? You don’t completely sacrifice availability for integrity. Then the data is still useless because no one can get to it. And you don’t completely sacrifice confidentiality of the data for the other two because then you can’t trust the data. You compromise, but you don’t just kill one of them.

    And the whole fence metaphor is getting old.

    Michael

    I really will never understand the phoney-baloney nonsense about somehow making availability a part of security. It’s utter nonsense; if security and availability were equal concerns, prisons wouldn’t have lock-downs, nor would banks, airports or bus terminals. Security is one concern and availability is another, opposing concern.

    One must choose: either you care about your data integrity, or you care about that data being available. They are on opposite sides of a fence, and sitting on it means you’re doing neither.
