By Roy D. Follendore III
Copyright (c) 1999 RDFollendoreIII
All Rights Reserved
Organizations, even the most secure organizations, are not isolated communities of information. People, not machines are the essential elements of any communication process. All organizations use and move information assets and resources to other organizations. Sometimes this is for reasonable and legitimate purposes. Other times the use and movement of information is unreasonable and illegitimate. The objective of security is to insure that all transactions are reasonable and legitimate, not to isolate information for isolation sake.
Security should not be a barrier to organizational operations, it should be the warranted director of organizational information flow . INFOSEC must become a way of just saying "yes" securely. Nowhere will this concept be as squarely tested than in multimedia security. Multimedia initiates a demand for improvement of the flexibility of security. Without a means of embedded flexible security (Virtual INFOSEC), the entirety of each multimedia production must be classified system high. The massive amount of classified information that a single multimedia production can involve could preclude any multilevel or partial declassification process using manual declassification methods. If we are to accept the status quo of manual classification methodologies and the absence of automated classification systems, then the only solution for widespread multimedia multiclassification would be rigid production policies for multimedia production.
Such multimedia production security standards could probably be developed but not easily enforced. Such standards would account for only the static and predetermined productions. Accountability for security errors would come into question as such productions were used across organizational boundaries. The accountable organizations would, in effect, be acting as censors of massive amounts of communicated qualities that would be difficult to define. The censorship of production elements would often ripple to absurdity and degrade production quality. Because of the enormous amount of data, multimedia will be stored on CD ROM which would have to be reproduced. While the cost of the media itself might be limited, facilities for both duplication and reproduction of the content of multimedia message would often be necessary. In addition, the overhead of maintaining the classification and declassification of massive amounts of multimedia information should soon be prohibitive.
It is obvious to all that the solution to finding a viable multimedia security solution is to reduce the complexity of the security process that is presented both to the user and the organization. Solutions of the protection of multimedia lay in the premise that complexity can't be reduced or eliminated but can be transformed into a logical system that computers can be managed. The process of classification of media elements, such as data, information and knowledge, must be researched and a system created that is consistent with the transformation of classification attributes to available computer logic, rather than human reason. There must be discovered underlying principals that ground a natural, rational and logical organizational classification model into automatable rules. How might one initially approach automated classification of knowledge.
If the observation that information may be represented as the expressed associated matrix of data can be assumed, then knowledge may be represented as the expressed associated matrix of information. The basic research problem might be to find the information and knowledge n space where security concerns would exist, for categorizing recognized security concerns. This might involve pattern recognition methods similar to those of sophisticated imagery recognition systems. It might be expected that the pattern recognition problems for secure information and knowledge in n space would be easier to operate simply because the parameters associated with the environment are open and available with minimal noise. In principal, such security pattern recognition solutions might be practical where 1. there are a known finite set of structured solutions to search for, 2. the problem environment can be manipulated and enhanced, 3. there is little arbitrary or induced noise in the observation.
Classification of information would be predicated upon the assumption of the correct security classifications of data. A logical approach to automating the information classification process is to predicate information classification on data classification patterns. Analysis of such data patterns would be oriented toward the observation of security proximity among other qualities. In the case of text, external knowledge would be brought to bare on creation of an n dimensional complex matrix. Only key words might be extracted for further transactions. The actual selection might be accomplished using some variation for measuring the Hamming distance of the key words. These elements would then be tagged and plotted. The groupings that would result would be then interpreted by pattern recognition technologies that would evaluate the body of the interactive data elements.
The classification process of a knowledge base may be predicated on the correct classification of the information. The automation of a knowledge base might be handled in a similar fashion as information but with a few twists. There would not necessarily have the existence of some assumable correlation between the data element classification and the information element classification process. Symbolic meaning of the phrases interpreted using natural language processing methods could be involved. The projection and pattern recognition of the information elements would be suggested by analogy driven rule bases. The resulting weights would determine where symbolic meanings were to be projected. The pattern recognition would begin when a significant proportion of the vectors are expressed in the security n state space.
If information security may be expressed as an associated matrix of data security then knowledge security is the expressed associated matrix of information security. Since data classification is driven by the environmental scenario of constraints, knowledge base classification is a scenario driven classification problem. Secure computers must therefore classify information with respect to appropriate scenario constraints. Classification of data given to users might be scenario generated and keyed to predetermined and actively monitored scripts.
What does all of this mean for the future of INFOSEC?
First, people communicate most effectively with multiple senses, audio, visual and tactile information. The secure workstation in twenty years will have intimate interaction with operators including biometrics interaction sensors to the user and the surrounding environment. Humans will communicate to each other through not just the transmission and storage of information, but the interpretation of the computer system. As you might expect, this will cause many new and hereto unconsidered security problems to arise.
The secure workstation will have intimate knowledge of its organizational place and purpose, the users organizational place and purpose and a critical knowledge of the organizational purposes of those entities with which it communicates. In this way, all secure computers will be symbiotic to each other and to users. Today, computers are instruments with which communication takes place. In twenty years, computers will communicate securely with itself.
Copyright (c) 2001-2007 RDFollendoreIII All Rights Reserved