Blogger: Eric Maiwald
We hear it all the time – “use this technology to secure your information” or “the system was tested and found to be secure.” We also hear it with regard to products – “secure email” or “secure remote access.” But secure from what? Secure under what conditions?
The use of the word “secure” came up again this past week as I read articles regarding the TJX fiasco. The latest information is that the data was encrypted but somehow the intruders gained access to either the encryption keys or to the data when it was not in an encrypted state (see the Boston Globe article for some of the information). So clearly, here is a case where encryption was insufficient to “secure” the data.
But what does it mean to “secure” something? According to Webster’s dictionary:
- Secure (verb): to relieve from exposure to danger: act to make safe against adverse contingencies
The American Heritage Dictionary is a little different but generally along the same lines:
- Secure (verb): to guard from danger or risk of loss
I like the Webster’s definition – “act to make safe against adverse contingencies.” I want all of my stuff to be secure! Of course if there are no adverse contingencies or consequences, there really isn’t too much risk. Wow! A life without risk! That would be wonderful. But I digress, so back to my point…
So, we hear this word from vendors, from technologies, from regulators, etc. But we still don’t know the threat we are being protected from. Maybe the word “secure” is intended to mean whatever we want it to mean. Secure is whatever it means to me, which might be different than what it means to you. Is that a postmodernist mind set? That is a question for another day…back to the topic at hand…
I think that when we use the term, we have some threat, vulnerability, or consequence in mind. For sensitive data, we probably mean that we are protected against disclosure to unauthorized individuals. In other words, the confidentiality requirements are being met. But confidentiality is only one aspect of risk. There can also be threats against the integrity or availability. The intended use of the information could be violated or we could lose the ability to identify who had access to the information (and thereby reconstruct past events).
Mechanisms (in the case of TJX – encryption) often help to manage one type of risk. Encryption can help to manage the risk of unauthorized disclosure. Sometimes, it can also help to identify (and therefore help to control the risk of) unauthorized changes which helps to meet integrity requirements. Of course, encryption mechanisms require a supporting cast of other technology – proper authentication and key management just to name two. Depending on how encryption is used, it can protect us from one risk (unauthorized disclosure from the loss or theft of a laptop for example) but not from another risk (insider release of information). Even worse, incorrectly used, encryption can actually increase some risks (such as the loss of availability of information if the keys are not managed properly). I’ll be talking more about the use of encryption in my Catalyst talk “…But the Information was Encrypted!” on June 28 in San Francisco.
Maybe what we need to do is to properly qualify the use of the word “secure.” We have email that is secure from unauthorized access while in transit. We have remote access that is secure from eavesdropping. We have used encryption to secure our data from unauthorized access if the laptop is lost or stolen. Or perhaps we should not promise actions “to make safe from against adverse contingencies” and talk instead about risk management and the tradeoffs that we must make to manage risk to acceptable levels.
Comments