Answer me these questions three, ‘ere true security you see.

What is your quest?

Much like the eternal quest for the Holy Grail, our quest is for perfect security. Part of the problem is simply deciding what perfect security is. The answer is that perfect security is perfect for different reasons for different organizations. I once had a very well-known security person tell me that the only perfect security was a powered off computer, locked in a safe, sealed in a block of cement in a vault. But they forgot about the holy trinity of information security: Confidentiality, Integrity, and Availability (CIA). The basic premise of “Availability” is that the information is available when you need it, and that supports the entire premise of any information security program: security is an enabler which lets us do what we need to do to meet our business goals in a secure manner.

The first thought is to define the strongest security controls you could for any given security objective. Take identity authentication, for instance. What set of security controls would let you identify yourself to the authentication system in a manner such that it was undeniably you who logged in? In the 1997 movie “Gattaca”, personal authentication was determined by sampling blood and matching DNA. In the 2002 movie “Minority Report” (and others), positive authentication was performed via retinal scan. You have to admit that would be a pretty solid authentication mechanism (though they did seem to find a way around it in the movies). How about a more practical solution?

Multi-factor authentication, tokens, biometrics, passwords, and PINs may all be reasonable authentication mechanisms depending on the circumstances. No one will successfully argue that a four-digit PIN is stronger than a retinal scan or multi-factor authentication. The point is that in each situation, the method needs to support unique authentication and non-repudiation. Controls which may be appropriate for access to customer account information at GlobalBanc may not be appropriate for Joe’s Hat, Boot and Shoe factory. Does Joe’s really need to be able to afford a fully integrated token-based authentication system in place of the built-in eight-character passwords?

I once worked with a company which decided they were going to follow the guidelines and controls defined in PCI DSS, since they thought it was a good, well-respected security standard. The catch was that they didn’t process any credit cards. Their goal was to say that they processed all client-based information with the same level of protection as credit card data. In the end, this was more control, and more security, than they truly needed in their environment. The stated goal was too high. By the time they were finished, some of their environment was pretty strong but, in other areas, the security goal was not as easily attained. After a couple of years, and a few million dollars, they gave up on the DSS and actually planned towards what they truly needed.

In each case, what is an effective control depends on the use and the user. There is stronger security, and there is better security, and they may very well not be the same thing.

And that in itself is the issue. The security planning and management process should fall back to what really should be basic project management:

  1. define the problem, 
  2. define requirements, 
  3. define specifications, and
  4. implement to the specifications.

The most significant piece here is defining the problem instead of the solution. Look at your data, what you want to protect and what you need to protect, and everything else flows from there. Your data is the key to everything. Understand what you have, its value, and any regulatory requirements placed on the data. Your security program should be defined to meet the needs of your data, not some relatively arbitrary security edict. If you have not done a full analysis of what your critical data is, along with where it is stored and processed, then you are behind the curve here.

What are you going to do, bleed on me?

There does come a point in time where we have to be done with security planning and implementation, or at least recognize the point of diminishing returns. Sure, you will definitely have a stronger security posture if you build a complete, parallel, hot standby environment that is maintained by real-time backups and supported by fully automated failover. If you need it, and have it, that is awesome. G’d onya. But if you do not “need” it, it could be an expensive luxury. This is why “defining the problem” is so important. If you don’t know where you are going, how will you know when you get there?

And that planning may very well be the most important step in the process.

Maybe Joe’s Hat, Boot and Shoe factory should not have spent $400,000 on that biometric retinal scanner when the built-in password mechanisms will fully meet their actual needs, regardless of how amazingly cool that biometric system really is.

So, the moral of the story is to follow your data, and not plan “perfect” security, but plan “appropriate” security.

What is your favorite color?

At last. An easy question. Blue. No… Red.