
Where Security Begins

By Roy D. Follendore III

Copyright (c) 1999 RDFollendoreIII

All Rights Reserved


Security can be considered as a kind of filter quality control process. It can be used to make sure that the impurities of noise do not get into the knowledge you need. The fundamental problem with security is a hard-wired concept that has lost touch with essential human ideals. Security has become a technological concept, not a human one. This paper is about getting in touch with the basis of security, and it speaks about the use of technical key security processes for the management of appropriate information that is to be knowledge.

Security begins with human beings making decisions within the context of their environment. For instance, first they may make some profitable communication production decision but find there is a security issue involving a concern for risk in executing that decision. Next they define the security problem by resolving the nature and context of the decision they made in the first place. Normally they eventually get around to defining what is at risk, the threat, and the vulnerability. From this they reach consensus on the acceptable level of risk and exposure to risk. The potential for profit is weighed against the potential risk of damage. These things together represent the model by which choices are considered. The choice of feature points within this model is important. If any of these decisions prove to be incorrect or inappropriate, then the process of developing a security plan will inevitably go wrong.

The decision as to what to do about the security problem is made based upon the process indicated by the implied risk.  However, sometimes a simple operational change within the organization may dramatically reduce the security problem.  An organizational change may also completely eliminate the problem.  Other times, technical solutions provide the means to continue operations as they are within the existing organization. 

Over time, with a large enough organization and given enough issues to contend with, there will be enough mistakes made to be detrimental to any security scheme. The situation becomes just too complex. The threat to the organizational Communications System will be magnified by those mistakes and by errors made in correcting them. Also, consider the fact that most threats may come and go. The window of opportunity for all abilities to threaten or defend independently changes with time. The dynamics of the communication systems involved, including the embedded technologies, influence these changes. The problem with organizational security is not only the fact that the threats and vulnerabilities exist but also that the ability to appropriately attract attention to these changes dynamically may not exist.

But there is only one point where security is both accessible at all times and enforceable at all times. Information is written in, stored in, and distributed to locations across networks of systems and directories. Some information moves immediately through the system. Other information is stored locally but is an inaccessible part of the information system, available only if access is provided by the individual who may literally have that data within his pocket.

The encryption algorithm that is used to protect information can not only act as a means to scramble data but can also act as a filter which can isolate and enforce the isolation of information within the organizational Communications System. The control point for this filter is the cryptographic key that is used. The problem is that the Key has been treated as an external and irrational process as it relates to the information on which it acts. There simply is no handle or means to otherwise control or point to the characteristics that would be necessary to manage information as well as managing the key itself.

Traditional Key Management Systems by their design have the obvious intent of being secure through an irrational scheme of calculation. This creates the problem that whatever control exists must become an external process. The pointers that are necessary to manage the keys, to understand the necessary application of the keys, and to gain access to those keys when necessary have to be tracked independently of the message and independently of the management of the files being secured. As we all know, the problem with tracking information with an external pointer system is that that system naturally degrades and becomes more difficult to manage as the system becomes more complex.

The solution is to create a new type of Key paradigm. This Key must have attributes and be multidimensional in its ability to associate with the information used, as well as be effective in protecting that information through the use of unique algorithms. By embracing that fact, it will become a cornerstone of the reasoning process related to information control, transfer, and retrieval, and will become a fundamental change in the paradigm of security for the next century.


Copyright (c) 2001-2007 RDFollendoreIII All Rights Reserved