By Roy D. Follendore III
Copyright (c) 2001 RDFollendoreIII
All Rights Reserved
Let's talk today about the nature of security, but first we need to start with a tiny bit of perspective.
Before there was light, according to scientific theory, billions of years ago everything in our universe was formed from an infinitely small point in space. The Big Bang represented a relationship between the creation of matter-energy with respect to the tradeoff of order and entropy. The concept of entropy is not just the presence of observable disorder, in its essence it represented best represented by unpredictability and it is the existence of ever present and undeterminable dynamic change with respect to space and time.
There is no getting around the presence of entropy and we should not want to even if we could. Life could not exist without entropy because time itself would instantly cease to exist. It is within the unexpected turbulent interactions of our universe that humanity thrives and while some degree of predictability is necessary for survival, the same can be said for entropy. To detect and measure the existence of anything requires some expectation of contrast. For light to exist there must be darkness and for security to exist there must be insecurity. Even the concept of absolute perfection is imperfect without entropy.
Unless you are one of the few people who live in space, you and I are blindly revolving around the center of our Earth's axis at a tremendous speed. The speed of this rotation is only surpassed by the speed at which we are traveling around our Sun and in turn by the speed at which it is traveling around our Galaxy. Our Galaxy is rushing out from the center of the Universe at an ever increasing speed. Taken from this perspective, a physical direction seems to have very little meaning.
On the other hand, we don't really notice all of these gyrations as all of humanity floats on what is essentially the slightly cooled crust of a great big ball of molten lava. We all seem to exist amazingly well with very little life giving oxygen sandwiched as a very thin layer atmosphere between that crust and the cold vacuum of space. If that were not enough, this ball we live on is moving through what has been referred to as a "shooting gallery", where everything from hailstones of rocks and dust to asteroids, comets, rogue planets and suns, and black holes large and small could hit us without notice.
As far as the macrocosm of humanity as a whole is concerned, we have our fair share of a security problems. The question of humanity remaining in existence is an open question. After all, we have only been in existence for a very short while. In terms of geologic time is concerned, as long as we remain a single clump of life on a whirling blindly on a hot rock, humanity is doomed.
With respect to the microcosm, we have a far more definitive specification of security in the fact that individuals of humanity are mortal. This means that each of us will die within a definable range of time, so as far as that is concerned each of us definitely must deal with our own individual and independent security problem.
OK. We now have some perspective to the nature of security. The only conclusion that can be reached is that we are all by our very existence within nature insecure. We do not have to constantly dwell on it, but we certainly do not have to accept our innate insecurity, for it to be a fact. That is not the point.
The point is that all of humanity, not just organizations and individuals, exist within a single open system and there is nothing within Science that indicates that anything else is possible. If we are to discuss security as a Science and not a religion then we must keep that fact in mind at all times.
This concept also implies something else. If the concept of security is to exist at all, then security is infinitely finite. It is much like measuring the distance along the shoreline between New York and Miami. Just because you can travel between Miami and New York along the shore does not mean that you can absolutely measure the shoreline. The path is not the same as the shore. Not only does the shore constantly change, at any specific moment, the more accurately you define the shoreline, the longer the shoreline becomes. The concept of a shoreline is both infinite and finite so that its true value always remains unattainable. It is infinitely finite because the metric is dynamic. Just as with a shoreline, the path that exists through the absolute objective of security is unattainable. Security is contradictory domain because security is a matter of perspective. The moment that a specification of a "coastline" is defined for security, some tangible aspect of either precision or accuracy must be ignored. Within the physical implementation of a security system the objective can therefore only be defined as one of many contextual perspectives. Within the domain of security there can be no absolutes, only probabilities. Within security there is always the probability of accuracy, precision, scope and scale to contend.
This means that algorithms and key management systems can not be perfect as far as security is concerned and also useful as far as productivity is concerned. In other words, the concept of perfect security is perfectly useless. There are no perfect definitions because what we are defining as secure is actually a dimensional moving perspective. This is where risk becomes an issue.
That which is not perfectly secure is risky, therefore risk always exists. Risk, is often considered the inverse of security, but that too is also a matter of perspective and is therefore also an infinitely finite association. The nonlinear relationship of Security and Risk expresses the dynamic potential dimension of rate. Risk therefore might range between that which is acceptable, to that which is unacceptable and all possibilities in between. Because of rate, any degree of risk eventually can become unacceptable. It follows that acceptable risk always must exist within a some time frame and that rate. The perspective of security looks for predictable rates of risk that seem to imply acceptability. (Example: A family may have been able to sleep safely in a cabin on the slope of Mount Saint Helens since 1857, but that would not have made much of a difference on May 18, 1980.) Risk comes down to a perspective that involves limits of acceptability.
Acceptability is always introduced with respect to risk, just as risk is always introduced with respect to security. Acceptability always introduces the concept of criticality. Criticality is of course the notion that things can be defined as critical and things that can be defined as not critical. But that which might be critical one season may not be critical the next. Therefore the bridging of security to risk to acceptability to criticality are all matters of perspective.
Perspective means that we live in a universe where there can be no absolutes. There is no perfect security system, no real oasis from risk, no utopia of perfected security paradigms. Perfect security is a phantom because it is simply not a thing to produce, but rather a "reasoned and therefore rational" balance to try to maintain. Security engineers therefore do not engineer physical things to be secure. Security engineers balance the relativity of intangible things we call threats and vulnerabilities. This approach is sometimes assumed to be more easily engineered.
The concepts we call threats and vulnerabilities are also intangibles because they represent potential associations. An absolute threat or a vulnerability are a historical concepts that imply looking back, not looking forward. Predictions are always either based on clairvoyance or history. Engineers and scientists of course attempt to work on the basis of historical facts but sometimes it becomes pretty hard to determine the difference. At an absolute point, an absolute threat or vulnerability become simply a forewarned fact. We can only know in retrospect that absolute assurance that a threat or vulnerability existed, in other words, after the threat has been carried out or the vulnerability has been potentially exploited.
Threats and a vulnerabilities are mated pairs and either can not exist without the other because a given vulnerability can not be exploited without at least one appropriate threat. The association is not necessarily a simple symmetrical arrangement. There can easily be multiple threats associated with any given vulnerability. There can also be multiple vulnerabilities associated with a single threat. A threat and vulnerability assessment is therefore an estimation of probability related to potential associations in context with what may or may not be acceptable as it relates to the existing situation.
Since it is absolutely essential to isolate the potential from the existing situation, a security event does not exist until it happens. This means that in reality a given threat and vulnerability probability simply shoots up to 100% at the point when an event occurs and becomes reality. Often an intermediate probability of 99% may never happen. A probability of 99.9% also may never happen. Risk and vulnerability are nonlinear states. This is because risk vulnerability probabilities are simply assumptions based on historical knowledge. There can be no accuracy without historical state of knowledge and to test for probability there is a absolute requirement to understand the perspective of the situation. The existing reality of a situation must be absolutely understood in order to establish a perfectly accurate set of assumptions on which to base future situational probability.
If any of us are to come to know and accept the acceptable level of security of our reality, then it is necessary to not only sense it, but to test and certify it for what it is. We attempt to verify that a threat and vulnerability has become a reality and we may validate it's existence with respect to our assumption of risk acceptance perspective. A security verification is a formalized test of realistic truth, while a security validation is formal evaluation that proper verification has in fact been exercised. In effect, validation attempts to assure us that what was intended to be measured in the verification, was in fact measured and that it exists. Validation and Verification acts as a means to eliminate the need to continuously verify.
How do we then verify a security validation? We must certify it. Certified results are findings that are essentially immutable because they are backed up and protected from change. You can verify the certification either through a trusted party and/or by the formalized verification and validation process.
All of this is great, except when put into practice.
The underlying problems that formalized certification has is that it requires definitions and assumptions that have to be maintained over time. Security is simply not a perfectly rigid set of standard coordinates, because the Universe of reality is actually a stochastic arrangement of perspectives. What is and isn't acceptable changes? The reality we are able to measure at any moment constantly changes and that means that the meaning of even a perfect certification changes. The moment we isolate a certification, the basis on which it is to be defined immediately begins to degrade. A security certification is like sealing a frog away from his pond within a mason jar. Life is a part of the universal system of risks, and is for this reason that the analogy can be applied to all life.
An isolated frog in a mason jar is no longer a complete definition of the complex nature of a frog. In the same way, a security certification taken from universal context by isolation is no longer a complete definition of security. Certifications are always insufficient models of risks; and an incomplete definition of that which was to have been certified.
This was the reason why we need a universal perspective at the beginning of all complex risk oriented decisions. The risks that we all assume are an integral part of who and what we all are as individuals and as organizations. There can be no benefit without risk. Security is essentially our means of trying to determine what it is that we can expect from our universe and from that trying to influence the inevitable changes are to take place so that we can maximize our investments.
The same probability of risk that shall influence our inevitable demise are also those that influence the improbable opportunity of a photon traveling from a distant sun and registering on or retina. It is for complicated reasons like these that it it is more cost effective to ignore most forms of risk. It is a fundamental truth that if we are to attempt to absolutely engineer the brilliant nature of the universe then we will certainly fail; but it is also a fundamental truth that if we are to attempt to affect acceptable perspectives of our small and changeable part of the universe then we can have some success. It is through our choices with which we ultimately define our security problem. The degree to which we are to succeed at calling into play security solutions will always depend on context and perspective and that perspective is limited by the resolution of light.
Copyright (c) 2001-2007 RDFollendoreIII All Rights Reserved