Security Lost and Recovered (and 4)

A transition to “complete” Security (in the sense described in the previous sections) requires a rediscovery of the context, this complex mesh of relationships through which we live and operate. This change must leverage a recognition of the personal, psychological, organisational and technical aspects. In following this path we need to base the IT disciplines (and Security) within a larger conceptual setup than the one which dominates our thinking today. In particular, we need to forge a theory of information which leaves behind unidirectional and mechanistic flows, and adopt a theory of “bidirectional” and “multidirectional” interactions, including multi-party processes of Risk and Trust management.

As all Security arrangements have to provide a measure of control, we should now look into information interactions as control processes. This view aligns both with ITIL and COBIT methodologies which require control processes at the basis of Security management. According to the direction I propose here, we need to work out a theory of communication as control, i.e. of mutual and multidirectional control conceived as an information exchange.

We will see how this approach necessarily leads to new thinking in terms of Trust and Risk management, information technology user self-management and multi-party computation.

I also believe that the needed transformation will help renew the Security disciplines, especially considering the trends studied by Clayton M. Christensen, Dina Wang and Derek van Bever in their article “Die Zukunft der Berater,” published by the Harvard Business Manager magazine in November 2013.

The authors show how the “democratisation of knowledge” across consulting specialties drives the need to reposition advisory and consultancy services. They analyse trends towards the “productisation of knowledge,”  and further division of labour among the competing companies with the aim of securing or developing market niches.

It seems clear to me that these changes will will have uneven results among the various areas of management and IT services. For example, we should not expect that the excessive focus on technology will disappear. In some areas it will actually increase. Consultancy firms which previously had a foothold in the Security Profession may opt for more “technology centric” offerings, while others may enhance their business and organisational competencies. This will in turn generate a more complex “division of labour,” a greater segmentation in the consultancy services market.

I think we need to add to these tendencies a growing de-professionalization of the Security disciplines. As the specialties fragment and become embedded into particular technical practices, the conceptual unity of Enterprise Security is broken. Previous more or less rounded standards as those mentioned above (ITIL or COBIT) lose “relevance” for the techno-centric practitioner, and we see instead an effort to interpret Security requirements only in terms of technical requirements. A symptom of this is is the appearance of “contract” driven security, i.e. services which are entirely external to the business or organisation and aim at complementing or outsourcing IT processes.

But these tendencies don’t need to be destructive only. They also open the way for new levels of understanding. Even if there is a trend towards de-professionalization, and despite the background of market fragmentation, there is still a need for an integrated, complete vision of Enterprise Security. To ensure that this is the case, a good theory of information is needed.

For the sake of Security, a good theory of information should also be a good theory of secret information exchange, with a consistent grasp of the role of  secrecy, while avoiding technological over-reach. In other words: Information theory is much wider than Information Security theory and therefore even the most complete techno-centric approach will be unable to express the whole of Enterprise Security. This should be self-evident, but frequently in the Security professions we tend to invert the terms and assume that the root of security is secrecy and we give secret information exchange a primary role in any information exchange. We also operate under the pretension that Information Security can be somehow independent of fundamental Information Theory.

We miss the fact that secret exchange can be only a limit case of a wide range of scenarios of informational interaction, more precisely: secret exchanges are those particular, limited cases where the exchange is intended for a pre-selected recipient only with the exclusion of all (or most) of the others. Between the limit case and the generic scenario of information exchange there is a very long series of possible combinations where secrecy and encryption have a decreasing role the further we move away from the limit case. When considering the entire chain of informational interaction then, Security appears as a much wider domain of human and organisational interaction. In turn, the Security domain itself clearly appears as smaller than the full scope of Informational interaction.

This characterisation is appropriate because of the current fascination of the Security professions with secrecy and enforcement of secrecy. In order to have a better view of the role of Security technologies and encryption within the wider, richer nature of informational interaction, information itself must be conceived as a multi-directional phenomenon. Information has to be understood on the basis of interaction, and not as it is usually the case in our profession, as an “object” (i.e. as data only).

It is only when we recognise that information is not a unilateral and unidirectional flow of “data” from one actor to another, but a mesh of correlated activities between the participants, that we can get closer to the goal of forging a new base for Enterprise Security.

A complete theory of information must include four fundamental aspects: Context, Subject, Relationship and Data. (See:http://carlos-trigoso.com/fundamental-conceptions-of-information/ ) Currently the dominant view is that of Information as Data, and –on that basis– Security becomes only Data Security. Simultaneously, secrecy (i.e. the limit case of information) becomes data encryption. A key consequence of this is that the Security profession is weakened, while all the ideas and activities related to Trust definition and establishment are ignored.

This distortion even ignores the fact that we need encryption and coding not only to keep secrets, but to  enable the transmission of secrets. Encryption is interpreted as “occultation” when its role as “coding” is forgotten.

Standard information theory (as defined by C. Shannon in “A Mathematical Theory of Communication,” 1948) is sufficient to describe the conditions under which signals are written onto the medium (the channel) and transmitted to a receiver,  but it  does not explain (and does not aim at explaining) how the receiver picks up those signal from the medium (how it reads those traces marks). Standard theory is happy with an unilateral transfer or “flow” of information, whereas a complete theory would instead require that the receiver is able to read data from the medium only because it is also an information source or “emitter.” Beyond the rules thoroughly established by Shannon, a high degree of effectiveness will depend on the ability of the “receiver” to emulate the “emitter.” (See also: Hans Marko, “The Bidirectional Communication Theory–A Generalization of Information Theory” – 1973)

There cannot be information transmission –of any sort– with a completely passive receiver. As the standard theory demonstrates, to ensure a desired level of certainty in the transmission, information must be coded and decoded, and the coding must explicitly embed an adequate level of redundancy which is then used by the receiver to “understand” what is being transmitted and correct noise-induced errors. It should be evident that the coding (the formal and structural characteristics of the message) have to be available to the receiving participant. The emitter and receiver need to be “similar” not only in terms of the statistical scope of the message, but also regarding the syntax and the semantics of the communication.

Interference, noise, eavesdropping and other possible actions around the information channel can all be defined on the basis of the standard theory, but then we will always have a missing piece if it is not agreed that both ends of the communication scenario are both active and “informationally equivalent” (Note: I leave the term between quotation marks because this is only a semantic characterisation in need of further work.)

On this basis, we can start thinking of confidentiality, integrity, availability, authenticity and other characteristics of a secure system as qualities of the informational exchange, and not as separate “solutions” or “mechanisms” that are external or imposed on the interaction. Better said, we can begin to see Security as a continuum instead of a collection of techniques.

This amounts to seeing Security not only as an “enabler” of business (as many IT managers would say) but more decisively as a business function itself. There is a need to adopt and reposition Security as part of the business decision process. For example, assimilating Security to the well-known disciplines of business communications: To ensure Enterprise communications we have to encompass all aspects of contact establishment, acknowledgement of reception, integrity of data and measurement of fidelity or control (audit of results). There is a complete parallel here with Enterprise Security, insomuch as we similarly require those steps to define, establish, enforce and monitor Trust.

In Information Security we deal with “access rights” and scenarios where subjects (persons) have access to objects, while in turn objects have access to subjects. All interaction –in one direction or the other–is mediated and indirect. The more technologically enabled a process is, the more mediations intervene; but, precisely because of this increase in complexity and mediation, despite of appearances, the more important the organisational factors become. This insight needs to be fully applied to our work to remedy the current theoretical lack.

The fundamental problem caused by the lack of an information theory is that Security planning and decisions become fixed on technological matters. Instead of addressing the complete landscape of the organisation and its environment, Security professionals and managers become entangled and paralysed by the techno-centric scaffolding of their activity and end up being unable to analyse and judge their own activities. More directly put: Security professionals and experts effectively become unable to make any decisions and are constrained to follow pre-established technology roadmaps originating with the market trends instead of the requirements of the organisations they are working for.

Instead of managing technology, IT managers are themselves “managed” and constrained by technology, as it becomes the “box” managers live in. Suffering from the same loss, instead of leading Security technology, Security experts become simple followers of technical novelties and marketing campaigns, under an illusion of “continuous progress.” Evidence that any technical “progress” is actually the result of organisational change must be considered, and this error should not be difficult to correct by looking at the commonly accepted requirements of business leadership (something we can learn from organisational and business management studies). Regarding this,  there are four basic “positions” that the management or leadership may take:

– adapting to change

– anticipating change

– defining change

– driving change

I want to underscore that I am not speaking here about technological change in this context. In my view, technology always follows social and organisational change so –in all four possible stances–, “change” means business change, i.e. change in the business model and its corresponding operational pattern. Therefore, “adapting to change” really means adapting to changes in society, in the market, following the trends and reacting to whatever seems to be relevant.

The second position — “anticipating change”—is different to the first (“adaptation”) in that it requires more effort and insight, by which the organisation studies social evolution and previous experience to make itself able to “predict” the trends and develop new capabilities and services.

The third and fourth positions (“defining” and “driving” change) are very closely related, one being at the core of the other: In order to drive change it is necessary to define its nature. For example, an organisation focused on “defining” change will not only study history and trends but also propose new ones, create new forms of interaction and commit to new approaches. A basic consequence of this is that only organisations which “define” change (their own change and that of their environment) will be able to “drive” change. This leads to the following definition of “driving change”: An organisation which defines change and gears its practices and actions accordingly is an organisation which drives change.

Let’s visualise how these four positions would play out in the present situation of the Security disciplines. As Christensen, Wang and van Bever describe, consultancy services in general are facing a context marked by commoditisation, modularisation, globalisation and demand for transparency and “packaging” of services.

In the Security profession we share the globalisation tendency with all other sectors of economic activity, with the expected changes in terms of the global, homogeneous market, and a global division of labour. As for the trend towards modularisation we see these under a peculiar appearance: our services become highly fragmented, so that organisations tend to buy “service packages” which do not include anymore all the aspects of business consultancy and management guidance. This runs parallel the commoditisation of our services and the “de-professionalization” of the consultants, when our work becomes more and more techno-centric. We become detached not only from the management consulting area but also from other segments of our own profession.

When consultancy firms experience stagnation of share prices and have to live more and more on the rents generated by their positions there is a pressure to “simplify” services and “package” them into small sets which correspond to the trends. This direction though, which may be positive for manufacturing and technical areas, becomes problematic in those services requiring a comprehensive vision of the Enterprise and its business model.

These tendencies are now part of our context, but their impact, as I said above is also positive, in that we should now not only “adapt” to the circumstances, but also “define” and “drive” change. In particular, to stay ahead of the efficiency curve we need to accept the increased division of labour and fragmentation of the market and build or re-build the Security professional offerings according to these challenges. This requires leaving behind the mentality which links us to the IT departments and the marketing campaigns of the technology suppliers. To do this we need to preserve and develop the breadth of our offerings and link them completely to business decision processes.

In this sense, Information Security, as it existed in the last few decades, is now finished. The “end” of Security has already happened.

Yes, we can still fantasize with the old technology-focused Information Security and dedicate ourselves to “cyber-war” and “analytics” but this is not the matter. These trends actually only demand even more powerful business decision making than before, essentially to master and control technology instead of becoming slaves to it.

In the new context, a complete Security offering must start from a clear vision of the competing and negotiating forces within the organisation, and between the organisation and its environment (society). To encompass this, we need to adopt a concept of “multi-party security,” based on un-equal and separate “participants” and a theory of Security negotiation and establishment among living, complex but interdependent entities. Multi-party trust is the key subject to transform our profession, going beyond simplistic models which operate only with a mono-ocular and techno-centric perspective.

A key component for these concepts is the work of Andrew Yao, in particular his paper “Protocols for Secure Computations,” published in 1982. According to this author, the goal of secure multi-party computation is to create methods that enable parties to jointly compute a function over their inputs while at the same time keeping these private. The participants do not reveal their secrets to one another.  We can safely interpret here the notion of “computing a function” as any computer mediated operation (in the sense described in previous paragraphs: subjects and objects in interaction).

This communication occurs in the context of attack by external entities or by a group of malicious participants. As Yao showed, a multi-party protocol is secure if no participant can learn more from the description of the public function and the result of the global calculation than what can be learned from its own operations. So here we have a more powerful model to address the increased complexity of the Security position of the enterprise. A concept which also supports the idea of layered communication security, comprising several levels of assurance. This, together with the insights of multi-directional information and the modalities of Risk and Trust management are the core of the Security theory which we need to open new possibilities and renew the Security profession.

(This is an unfinished proposal. More an ambition than a reality, but I hope that I have left some motivation for the reader to pursue independently or in collaboration.)