
June 05, 2009

A View from the Other Side

Blogger: Eric Maiwald

In security, we must understand how we are perceived by the business. What we think is critical may not matter at all to the business overall. We will not learn what matters to the business if we only focus on security vulnerabilities and the latest technology. We need to get out and learn how the business functions and how security impacts it. A recent experience brought this home to me.

I was in the Midwest visiting friends and I had the pleasure of being introduced to a man named Neil. Neil works in the maintenance division of a large agricultural services company. When he found out that I worked in IT security, he launched into a story about two IT people he knew. The first IT guy he really liked. This guy came into the division where Neil worked and helped them get their computers up and running. Neil explained how the computers helped him do his job and how this IT guy really paid attention to how the shop was run. Neil lamented the fact that this “good” IT guy took a job with another company and left.

Neil then launched into a story (you could almost call it a tirade except that Neil didn’t raise his voice) about the second IT guy (let’s call this the “bad” IT guy). The bad IT guy showed up and started changing things. He introduced a new system to track parts in inventory and then found ways to cut costs by reducing the inventory. Neil went into a long discussion about the parts inventory. It seems that his shop has to maintain a lot of equipment – much of it quite old – and they kept a lot of older parts on hand for the simple reason that some of the parts were hard to find. In addition, the mechanics would often only use components of a part if that was all that was really needed and they would keep the remaining components for use at some later time. Neil freely admitted that they were pack rats to some extent but he explained that they hoarded some of the parts because it allowed them to fix equipment quickly and get it back into operation without waiting for a part to arrive.

It is still unclear to me what position the bad IT guy held within Neil’s company (and it really doesn’t matter for this story – Neil perceived him as an IT guy) but he was able to change the parts inventory practice and get rid of a lot of the older parts. This was touted as a cost saving measure and was done without consulting with the people who did the work. Without the parts readily available, the time to repair older equipment increased. Equipment waited for parts to arrive (or in some cases to even be found!) and the overall availability of the equipment suffered.

So why am I relating this story? Neil’s perception of IT is formed by the IT people he interacts with. On the one hand, the good IT guy paid attention to Neil and his coworkers. He provided support for their work and helped them improve the shop practices. The bad IT guy didn’t learn how and why certain business practices existed in the shop. He only saw the potential cost savings without understanding how changing the practices might increase other costs and reduce the availability of equipment.

Who do you want to be? Who do you think your business perceives you to be? We need to be more like the good IT guy in the story. We need to learn how the business functions, what is important to the business, and how security impacts the business.

April 26, 2009

Musings on the RSA show experience

Blogger: Phil Schacter

Going into this year’s RSA show I had some concerns that the economy and travel budget restrictions would further devolve the show into primarily a vendor networking event. My somewhat lowered expectations were surpassed with a turnout that was only slightly less than last year, and learning experiences that leveraged the time and place of the RSA show as a gathering of the security community. As usual my email InBox was spammed by invitations to vendor-sponsored hospitality events, vendor meetings to discuss show announcements, and information on meetings by various industry groups during RSA show week.

While still dwarfed by Interop, the RSA show is a focused meeting of 10 to 15 thousand security practitioners and is symptomatic of a healthy industry segment, and a community of organizations that recognize the value of keeping current on developments and defenses to protect their information, applications, systems, and network infrastructure. In addition to 30 pre-scheduled meetings with specific vendors there were many other casual conversations and reconnecting with people you haven’t seen since last year’s show, or last year’s Catalyst conference. The overall sense of these conversations is that the market demand for security is strong and growing stronger. Security vendors are growing their revenues during a weak economy. Organizations making purchases of security products and services are negotiating harder and it’s clear that no one is paying full list price anymore.

Nothing revolutionary on the show floor (what I saw of it in between meetings with vendors). Lots of focus on web threat vector, security services in the cloud, hybrid models involving some cloud-delivered pieces, virtualization security, security services that can be hosted in a virtual environment or blade in a multi-function box, and lots of appliances of all manner of description. Many of the established security vendors you’d expect to see, and lots of smaller ones trying to attract attention in the US market – either by finding good channel partners or by attracting a larger vendor interested in acquiring the company and its technology.

I’ve also come to the conclusion that everyone who attends the RSA show has a different experience: some unique mix of networking, education, and exposure to the commercial aspects of a trade show. The special events that occur during show week, including meetings of the Concordia Group, the Cloud Security Summit, the Trusted Computing Group, Mini-Metricon, and others, provide an opportunity to learn, interact and get involved. The conference keynotes and educational sessions provide access to knowledgeable experts, but with a heavy dose of vendor messaging. But let’s not forget that this is also a trade show for the IT security industry, and a chance to survey the latest offerings from hundreds of vendors. Finally, perhaps the best aspect of RSA show week is the networking and cross-pollination of ideas that occurs between security professionals, on both sides of the vendor relationship. It’s an exhausting show with long days, but from my perspective well worth the energy and time investment.

April 13, 2009

Excuse me, can I see your information security practice license?

Blogger: Ramon Krikken

This blog post is based on a draft of the U.S. Senate Bill “The Cybersecurity Act of 2009” and the materials provided by the Senate Committee on Commerce, Science, and Transportation. There are many potential aspects of this to be discussed, but this post focuses on the requirement to “Provide for licensing and certification of cybersecurity professionals.”

If you read the introduction of the bill, it becomes pretty clear why the government is taking this interest. Statements such as “[The U.S. is] unprepared to respond to a ‘cyber-Katrina’” and “if the 9/11 attackers had chosen computers instead of airplanes as their weapons and had waged a massive assault on a U.S. bank, the economic consequences would have been ‘an order of magnitude greater’ than those caused by the physical attack on the World Trade Center,” are clearly meant to illustrate the clear and present danger that our “cyber-weaknesses” present.

Whether you consider this FUD or fact is a different question, but it certainly is true that part of our economic wellness (and our collective or individual safety, when we look at defense, utilities, energy, and aerospace for example) depends heavily on information technology and the information it stores, processes, and transmits. If the consequences are considered that grave, and the probabilities more than unlikely, it could certainly make sense to require real professionals on the job. Certification and licensing seem like a good mechanism to control this; I’m just afraid the government might get it wrong – good intentions go bad, sacred cows are not easily slaughtered … just like lobbyists.

“The” information security professional does not exist. Just as it takes many different engineers to build something, it takes many different security specialties to get things secure enough. To pretend that the average security professional harnesses all required knowledge is silly – in fact, I object to the notion that security (or at least large parts of it) could be executed well enough without intimate knowledge of that which is being secured. So what certification(s) would be used?

Aside from the specialization, there should also be a consideration of skill. If the consequences are indeed as grave as outlined in the bill, I’ll take the cyber-equivalents of the military and special forces, not the shopping mall guard and airport security, please. So a good percentage of CISSPs – the ones with only the book-smarts – are now out of the race (no offense to knowledgeable security professionals with a CISSP – I have one myself, too). And of course, the CISSP was never intended to be the end-all and be-all of critical infrastructure cyber-protection training, but the current overall education and training system does leave me to wonder how this will be executed.

Perhaps we have general practitioners and specialists, like in medicine. Maybe we can have apprentices, journeymen, and masters like in some of the skilled professions. Would throwing the ISC2, ISACA, SANS, and a whole host of other certifications in a blender do us some good? I don’t know the answer, but I do hope the committee(s) will take a real hard look at what it takes to be any type of information security professional in a critical infrastructure protection role.

April 10, 2009

Protecting Information in Hostile Environments

Blogger: Eric Maiwald

We used to talk about doing business over open networks as the big security concern. In fact, we had a topic by that name at Catalyst 2008. Given the further proliferation of key loggers and other malicious software (that is becoming more stealthy and customized), I think we need to start talking about doing business in completely hostile environments. It is not only the network that is open and filled with eavesdroppers but it is also the client endpoint. Key loggers can capture passwords and other sensitive information unbeknownst to the user. We also have cases of malicious software operating in servers and capturing sensitive information there (see the Heartland case). Where is it that our data is safe?

When I first came to Burton, I talked to Dan Blum (Principal Analyst in SRMS) about what I called “Star Trek Security.” What I meant by it was that information seemed to be free for the taking. If you watch Star Trek, it seemed any time the Enterprise came across an alien ship, the aliens could download any information they wanted (usually by scanning the ship or the database but sometimes by pulling it directly out of the crew’s minds). Crew members could gain access to any information whenever they needed to (even if unauthorized) and it was only when some abnormal measure was taken that any data could be controlled. Similar themes are now shown on TV shows like NCIS where superstar agents can “hack” into any database they need to get into or break (or bypass) any encryption mechanism at will. It seems that these fictional situations are not all that fictional.

I wonder if we are seeing the results of too much dependency on preventative controls. No control is absolute and we lived for a long time on the difficulty of circumventing our preventative controls. But as the rewards for breaking or bypassing these controls increase, the level of effort exerted to do so also increases. The end result is that we find our controls circumvented or broken on a regular basis. Defense in depth does not seem to matter nor does compliance with standards such as PCI. Any attempted penetration can succeed given sufficient funds to hand to an employee with access.

Perhaps we need to think about how business can be conducted in this type of world. Rather than concentrate on controlling access to information, maybe we need to think about detecting and limiting the misuse of the data. For example, if I can’t prevent my credit card number from being compromised, perhaps I can detect when an attempt is made to misuse it. This is obviously a simple example and the issue becomes more difficult when we talk about sensitive financial information or trade secrets. But it seems to me that we need to move beyond the idea that we can assume any type of “secure” environment (on the network, on the client, or on the hosts).

December 22, 2008

The New IT Reality, Security and the Role of Vendors


Bloggers this week: Eric Maiwald, Phil Schacter, Dan Blum, Trent Henry, Ramon Krikken

This week’s blog post features another discussion between Burton Group security analysts on the new IT reality and how this impacts security.

Eric kicked off the discussion with this thought-provoking list of questions for the team to consider.

One question we have not asked is “who (which vendor) is best positioned to help our clients in the new IT reality?” The new reality I’m speaking of includes cloud computing, virtualization, consumerization of IT, etc. We know that things are changing and we also are guessing that the economy will accelerate some of the technology changes. We have themes that talk about security organization and about technology (i.e. security for data in transit, data stored on mobile devices, and data that is transiently resident in virtualized and cloud-hosted IT infrastructures) but which of the many security vendors (or non-security vendors) is best positioned to help deal with this? And just as important – what makes that vendor or those vendors best positioned? Is it technology? Integration of technology? Services? Services and technology? Size? Stability? What about reach into non-security areas of IT?


I (Phil) piped up with the following comment. Even figuring out what attributes to look for in a cloud vendor, or the related discussion of what terms to look for in the SLA from your favorite cloud vendor will be new and somewhat controversial ground to consider. I recall a few years ago when Microsoft tried to offer Passport as an identity solution for the cloud, and of course it failed – perhaps because of the issue of placing trust in any vendor, especially a vendor that’s always been aggressive in the market, such as Microsoft.

Next, Dan entered the fray with an examination of IT’s shifting reality, and offering a series of insights on how we might measure vendors and their capabilities to help organizations deal with their IT challenges.

Is there a new IT reality? We’ve had clouds and ASPs and SLAs and revolutions against IT and downturns before. However, virtualization is more disruptive than anything I’ve seen since the web and WiFi, which are still disrupting, and web services/SOA seems to be at least moderately disruptive. Reality is always in the process of reinventing itself but perhaps we do have a bit more of a new reality in IT than usual. I’ll grant you that.

Ok, so you wish to assess which vendors will thrive (and enable customers to thrive) on this new IT reality? It occurs to me that the discussion of the vendors is premature, since we had not defined the yardsticks by which to assess them.

The yardstick might include measures of financial, organizational, market and technological strength for the vendors. In terms of technological strength the vendor must enable customers to provide:

  • Web-centric computing
  • User centric experiences
  • Mobile computing
  • Resource dynamism, and
  • Fine grained understanding and control of information

These are all things we could attempt to measure. And yet…the ticklish distinction between being some kind of IT vendor versus some kind of security vendor (or both), the fact that customers are so different and have thousands of alternatives for how to protect their IT environments, and the long tail phenomenon that keeps the market in a structural state of permanent disruption all suggest to me that it may be a futile exercise to try and assess the big vendors in security at this level of abstraction.

Trent was the next analyst to join the discussion.

When you used the word “disruptive,” Dan, it got me thinking. We could have an entire discussion on that alone. My own thought is that the introduction of the personal computer was the most disruptive thing I ever saw—a move from centralized to distributed computing paradigms. Ironically, virtualization plays a role in returning us to centralization once again.

Which vendors actually introduce disruptive technologies or “new ways to work?” It’s never the security vendors, IMHO. Often, technology vendors simply respond to innovation or changing business requirements in customer environments. And security vendors tend to follow even a step (or two, three) behind them. But elements of consumerization, cloud computing, new-fangled collaboration, etc. are spearheaded by vendors on occasion. With investments in R&D labs to conduct fundamental research, Google, IBM, Microsoft, and others are not merely reacting to new trends but are creating the vision (and tools) to realize the future. How does this figure into an evaluation equation? (And what does it mean when former research heavies like DEC or Xerox—whose PARC has been greatly minimized—are no longer as important?)

Ultimately, this discussion has to rise above just security unless we narrow the question to “How are vendors going to successfully help organizations protect information and infrastructure?” But ultimately, that’s just one piece of the larger, “How can IT enable business?” question.

As often seems to happen lately, the last word fell to Ramon.

I’m also inclined to think that the PC was most disruptive from a security perspective. While we used to have a centralized system with a few terminals and printers, the number of inputs and outputs, as well as the complexity and unpredictability of the environment, greatly increased with large-scale adoption of distributed computing. And although many of the basic virtualization concepts really don’t differ much from how it was implemented on the mainframe, coupling it with distributed computing complicates things: yes, it does allow a certain amount of centralization on hardware, but increased mobility capabilities through connectivity and hardware in all forms will mean that from a risk perspective this will likely show up as a more decentralized, complex, and unpredictable environment (SaaS, cloud, mobile devices, etc.). It is a potential second wave of disruption to security, but this is one where we’re (security) actually involved in trying to shape the wave.

If vendors only respond to customer demand, then it makes sense that security vendors are at least second in line. After all, few security controls are used as a direct business tool. The exceptions are those systems used by security teams, who are in the business of providing security services (and so this is where, for example, innovation can happen in the ‘GRC’ market or in something like SIEM.) In most other cases I can think of, security controls are a constraint on ‘regular’ business processes, and security vendors will naturally have to respond to what their customers (the makers of the business tools) need.

The unpredictability of the future environment makes it incredibly difficult to assess which fundamental security technologies will work. What seems most difficult at this point is that we have a number of emerging concepts such as consumerization, the cloud, ubiquitous connectivity, and persistent storage, but we have no clue on how, for whom, and to what extent these are going to take off. All of these impact the level of control one has over the environment. The amount of control determines the ease of implementing the trusted path, and the trusted path determines how well you can implement use control.

October 15, 2007

Educational paths to information protection: art versus science?

Blogger: Trent Henry

There's a lot of cool stuff out there.

I'd known for a long time that my alma mater had lectures and other educational podcasts freely available on iTunes, but late last week I ran across iTunesU (www.apple.com/education/itunesu/) for the first time. A treasure trove of learning materials, one could spend a lifetime exploring anthropology to zoology. (Well, maybe not quite that much content is available yet, but it's on the way....)

Being the faithful Cardinal, I browsed offerings from The Farm and quickly ran across "Forty Years of Computer Science: A Retrospective" with luminaries like John McCarthy and Don Knuth (the latter of whom endeared himself to me when once asked how to pronounce his typesetting program TeX, he answered, "you know you've pronounced it correctly if there is spittle on your monitor afterward.") These are amazing people who have contributed amazing things to computing. And many other lectures in Science & Technology are similarly intriguing.

But then it occurred to me: where's information security?

I poked around iTunes a bit more and found no academic treatment of the topic, although there were a few (non-iTunesU) podcasts on the subject. So I broadened my search a bit. I went to the Open Courseware Consortium (ocwconsortium.org) to see what free college-level educational materials were available for our discipline. Looking at the offerings from member organizations, I found a few courses, all from MIT:

  • MIT: "Network and Computer Security"
  • MIT: "Cryptography and Cryptanalysis"
  • MIT: "Selected Topics in Cryptography"
  • MIT: "Advanced Topics in Cryptography"

Given the plethora of other topics, that's an awfully small list. Is this just weird happenstance, or is it a more general indication that information protection isn't given much of a place at the higher-ed table?

I knew that UC Davis's computer security lab and Purdue's CERIAS were strong degree-granting programs, so after researching their sites a bit more I learned about the NSA's "National IA Education & Training Program" (www.nsa.gov/ia/academia/), which maintains a list of Centers of Academic Excellence in information assurance. They reference over 80 programs across the United States. That was comforting. It shows that some amount of educational focus is going on. Still, looking more carefully, I found that although universities like Georgia Tech and Johns Hopkins actually grant degrees, many of the schools only offer courses as a small multidisciplinary extension to other programs. My concern returned.

Perhaps, like system administration, information protection is viewed more as art than science. Is it OK for practitioners to pursue undergraduate CS degrees with limited exposure to infosec, and then get on-the-job security training over time? Or, just as likely, is information protection well served when someone receives an entirely non-technical degree and then haphazardly finds their way to this field? My own journey was certainly circuitous. I planned to study International Relations and enter the diplomatic corps, but computer science drew me in, and I coupled it with sociology/education to create an interdisciplinary degree (I was going to be all about educational software--it didn't happen). But a stint in network engineering turned me on to security, and I haven't looked back. I don't think my story is all that unique. And I'm not sure this ad-hoc approach is the best way to further our domain.

I'm not saying that all security practitioners should have degrees in information assurance/security/protection/whatever. Rather, I'm arguing that we should call for improved education programs in this discipline, to provide the next generation of practitioners and researchers essential background. In other words, information protection should be taught as a primary area of study. This call is not only to academics; it goes out to the private sector as well. Although the US Department of Homeland Security offers a DHS Scholarship and Fellowship Program (www.orau.gov/dhsed), the only vendor support I could find was Symantec's ongoing Graduate Fellowship program, in which they fund select candidates' research endeavors. We need much more of this type of support from the vendor community.

In short, it's time to put educational resources and rigor behind information protection. It's important stuff. And we should see that reflected in students and practitioners of the future.

(Bonus blog question: Given the ostensible link between information protection and computer science, how many security-related Turing-Award recipients have there been? [You have to look beyond the obvious 2002 award to RSA namesakes Ron Rivest, Adi Shamir, and Len Adleman...])

June 01, 2007

Malware - "Still not getting it!"

Blogger: Diana Kelley

At the end of the film "Harold and Kumar go to White Castle," Harold, emboldened by 30 sliders and an evening of raucous adventures in New Jersey, decides it is time for him to face his fears and declare his affection for Maria. He declares his intentions to his friend Kumar, who, perhaps made sleepy rather than energized by the sliders, responds, "still not getting it!"

Like Kumar, it appears that IT is also, "still not getting it!" when it comes to malware. Case in point, the recently published CIO Insight survey reports that while only 12% of respondents reported that money or property had been stolen through electronic means, a whopping 48% of companies reported penetration by viruses, worms, and Trojans in the past 12 months.

48%. Essentially HALF of all reporting enterprises were hit by some form of virus or worm last year. In most cases, 52% success equals failure. And maybe it is for AV - but maybe not. Another data point - 33% reported that their companies had been penetrated by spyware or other malware. Now contrast these numbers with the fact that 99% of the companies spent money on AV/spyware/malware detection in 2006 and 97% plan to spend on AV/spyware/malware in 2007.

Hmmmm, we spent money on AV, it didn't work and half of us were penetrated, so let's keep spending! More must be better, right? Not to mention that many security assessments will mark down an organization for not having AV, the PCI DSS explicitly states AV must be on Windows machines in the payment ecosystem, and the generally accepted rule is that we're better off with AV than without it.

But is that true? Are we better off? What's the real cost of deploying and managing traditional AV products versus their overall effectiveness? Is AV worth that cost? I'm not talking about the standard hand waving of "oh signatures won't work," but a real shift in thinking. If the 52% represents real dollar savings over and above the cost to purchase and deploy the AV and that also outbalances the costs associated with the 48% penetrations - then it could be success from a bottom line perspective. But it might not be.

We know that 99% of the companies in the survey spent on AV last year, and half of them got hit. What we don't know is if that money was well spent. What we need are metrics that study percentage of attack for companies that use mitigating controls (such as perimeter and host firewalls, intrusion prevention and white listing) in lieu of AV and in addition to AV. We need a quantitative survey of the effectiveness of various measures. As far as I know, we don't have these yet. Let me know if you know of any.

We have an industry that continues to throw money at technology with a high penetration rate. What we don't have are numbers that tell us whether that rate is acceptable or not. What we are is, "still not getting it."

May 01, 2007

The Politics of Architecture

Blogger: Dan Blum

Bob Blakley and I recently sequestered ourselves for an entire day to work on revisions of two Burton Group security framework documents which had aged into the archive:

  • A Systematic, Comprehensive Approach to Information Security
  • Risk Management Concepts and Frameworks

The systematic, comprehensive security framework comprises business risk management, security objectives, security posture, business processes, security technology, lifecycles and contexts. We use it to remind ourselves that security projects must always be holistic endeavors; it is the framework that guides us.

Afterwards, I visited a number of large organizations and talked with them about various subjects Burton Group covers, including security programs. It struck me, as it always does, that defining security architecture or strategy is always a lot easier than actually making it happen!

One of the people we visited was a security manager at a large financial institution. He says that his CISO organization has created a new security strategy and identity management architecture to cover various business units and outsource partners throughout their global environment. “This is a new initiative for us,” he said, “The first strategy is being approved, and others will be brought in to cover additional domains.”

The security manager went on to say that the challenge was not only to create architecture but to communicate and enforce it. He calls this “the politics of architecture” and notes it is particularly difficult in a global, outsourced environment where multiple technical architectures must be received and reviewed from sub-contractors. Internally to the organization, it will be critical to manage expectations, set up success metrics, and show some real progress by the end of the year. The security manager struck me as a very intelligent, buoyant and optimistic person – someone who thrives on chaos.

Continuing to make the rounds of companies that are interested in Burton Group, I later visited the Head of Information Security at another large global organization. He radiates an air of crisp competence and organization. He is living the life of the CISO as we describe in our report Security Governance for the Enterprise. The subsidiaries and business units share a corporate culture of independence and autonomy, but they track to a baseline set of controls chosen from ISO 27001, as does the IT services organization. Reports are rolled up into a dashboard for management consumption. Clearly, the company understands about accountability and metrics, things that we’ve emphasized in other documents. One weakness, he admitted, was that the reports are self-assessments and only lightly spot checked by internal audit.

Whether we are talking about the politics of architecture on the grand scale of the information security program for a Global 2000 company or on the smaller scale of an identity management project, the challenge is clear: how to traverse from theory to practice? Burton Group has a lot of good ideas already published, but we’ll be mindful of this issue as we plan more coverage and work to prepare for our Catalyst conference Successful Security: Getting Proactive track. Hope to see you there!

April 12, 2007

What does it mean to be "secure?"

Blogger: Eric Maiwald

We hear it all the time – “use this technology to secure your information” or “the system was tested and found to be secure.” We also hear it with regard to products – “secure email” or “secure remote access.” But secure from what? Secure under what conditions?

The use of the word “secure” came up again this past week as I read articles regarding the TJX fiasco. The latest information is that the data was encrypted but somehow the intruders gained access to either the encryption keys or to the data when it was not in an encrypted state (see the Boston Globe article for some of the information). So clearly, here is a case where encryption was insufficient to “secure” the data.

But what does it mean to “secure” something? According to Webster’s dictionary:

  • Secure (verb): to relieve from exposure to danger: act to make safe against adverse contingencies

The American Heritage Dictionary is a little different but generally along the same lines:

  • Secure (verb): to guard from danger or risk of loss

I like the Webster’s definition – “act to make safe against adverse contingencies.” I want all of my stuff to be secure! Of course if there are no adverse contingencies or consequences, there really isn’t too much risk. Wow! A life without risk! That would be wonderful. But I digress, so back to my point…

So, we hear this word from vendors, from technologies, from regulators, etc. But we still don’t know the threat we are being protected from. Maybe the word “secure” is intended to mean whatever we want it to mean. Secure is whatever it means to me, which might be different than what it means to you. Is that a postmodernist mind set? That is a question for another day…back to the topic at hand…

I think that when we use the term, we have some threat, vulnerability, or consequence in mind. For sensitive data, we probably mean that we are protected against disclosure to unauthorized individuals. In other words, the confidentiality requirements are being met. But confidentiality is only one aspect of risk. There can also be threats against the integrity or availability. The intended use of the information could be violated or we could lose the ability to identify who had access to the information (and thereby reconstruct past events).

Mechanisms (in the case of TJX – encryption) often help to manage one type of risk. Encryption can help to manage the risk of unauthorized disclosure. Sometimes, it can also help to identify (and therefore help to control the risk of) unauthorized changes which helps to meet integrity requirements. Of course, encryption mechanisms require a supporting cast of other technology – proper authentication and key management just to name two. Depending on how encryption is used, it can protect us from one risk (unauthorized disclosure from the loss or theft of a laptop for example) but not from another risk (insider release of information). Even worse, incorrectly used, encryption can actually increase some risks (such as the loss of availability of information if the keys are not managed properly). I’ll be talking more about the use of encryption in my Catalyst talk “…But the Information was Encrypted!” on June 28 in San Francisco.
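
The mapping in the paragraph above (encryption addresses unauthorized disclosure, needs a separate integrity mechanism before it can reveal unauthorized changes, and turns into an availability problem when keys are mishandled) as an added Python example; this is not code from the original post or from Burton Group. It assumes a toy stream cipher built from a SHA-256 keystream (chosen here purely for illustration, not a recommended cipher) with and without an HMAC-SHA256 tag; the record contents, keys and the "flip a 1 to a 9" change are all constructed for the example.

```python
"""Which risks does encryption address? A constructed illustration, not production code.

Toy construction for this example: nonce || (plaintext XOR SHA-256 keystream), optionally
followed by an HMAC-SHA256 tag. It exists only to show the difference between
confidentiality, integrity and availability when the same ciphertext is handled three ways.
"""
import hashlib
import hmac
import secrets

NONCE_LEN = 12
TAG_LEN = 32  # HMAC-SHA256 output length


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive a keystream from key, nonce and a block counter (toy construction)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Confidentiality only: returns nonce || plaintext XOR keystream."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Inverse of encrypt(); it accepts any input and has no way to notice changes."""
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def encrypt_then_mac(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Confidentiality plus integrity: append an HMAC over nonce and ciphertext."""
    blob = encrypt(enc_key, plaintext)
    return blob + hmac.new(mac_key, blob, hashlib.sha256).digest()


def verify_then_decrypt(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Reject anything whose tag does not verify, before the ciphertext is used."""
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: data was modified in storage or transit")
    return decrypt(enc_key, body)


def tamper(blob: bytes, plaintext_offset: int, mask: int) -> bytes:
    """Model a change made to stored ciphertext by someone who never had the key.

    With a stream cipher, XORing ciphertext byte i with `mask` XORs plaintext byte i with
    the same mask, so '1' (0x31) becomes '9' (0x39) under mask 0x08.
    """
    i = NONCE_LEN + plaintext_offset
    return blob[:i] + bytes([blob[i] ^ mask]) + blob[i + 1:]


def tamper_goes_unnoticed(key: bytes) -> bytes:
    """Encryption alone: the altered record decrypts cleanly to a different amount."""
    record = b"amount=100"  # constructed sample record
    return decrypt(key, tamper(encrypt(key, record), record.index(b"1"), 0x08))


def tamper_is_detected(enc_key: bytes, mac_key: bytes) -> bool:
    """Encrypt-then-MAC: the same alteration is rejected before the amount is read."""
    record = b"amount=100"
    altered = tamper(encrypt_then_mac(enc_key, mac_key, record), record.index(b"1"), 0x08)
    try:
        verify_then_decrypt(enc_key, mac_key, altered)
        return False
    except ValueError:
        return True


def data_still_readable(key_used_to_encrypt: bytes, key_in_hand: bytes) -> bool:
    """Availability risk: if the key in hand is not the one used, the data is lost."""
    record = b"customer=Jane Q. Public"  # constructed sample record
    return decrypt(key_in_hand, encrypt(key_used_to_encrypt, record)) == record


if __name__ == "__main__":
    k1, k2, mac_k = (secrets.token_bytes(32) for _ in range(3))
    print("decrypt after tampering, no tag:", tamper_goes_unnoticed(k1))
    print("tampering detected with tag:    ", tamper_is_detected(k1, mac_k))
    print("readable with the right key:    ", data_still_readable(k1, k1))
    print("readable after losing the key:  ", data_still_readable(k1, k2))
```

The three helper functions are the point, not the cipher: the same stored ciphertext keeps its confidentiality in every case, but a bit flip survives decryption unnoticed without an integrity tag and is rejected with one, and when the key that was actually used is not the key in hand the record is unreadable whichever variant was chosen.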

Maybe what we need to do is to properly qualify the use of the word “secure.” We have email that is secure from unauthorized access while in transit. We have remote access that is secure from eavesdropping. We have used encryption to secure our data from unauthorized access if the laptop is lost or stolen. Or perhaps we should not promise actions “to make safe against adverse contingencies” and talk instead about risk management and the tradeoffs that we must make to manage risk to acceptable levels.
