Public Privacy and the Glass House
Posted 2012-08-31
We must live with the fact that we cannot protect the Internet environment when we live in a glass house—a characterization of how insecurity pervades our world.
By Marty Nemzow
There always has been tension between functionality and security, and likely always will be. Functionality usually wins out because we can calculate the ROI for functionality, but calculating ROI for security is problematic.
Efforts to forecast the consequences of a future breach, leak or insider theft rapidly break down. They sound like hollow warnings by Henny Penny that the sky is falling. It is uncomfortable, and often professionally suicidal, to make projections of the costs and likely consequences of cyber-threats.
Instead, we are hearing that security is no longer fundamental to a sustainable competitive advantage. In other words, if we cannot actually implement security, then at least we can show how we can do better in the marketplace by ignoring it completely. In my opinion, however, security becomes more critical to retaining that competitive advantage as production and sales transform from being housed in physical channels to residing in the intangible world of the Internet.
More organizational value is embodied in data and less in the tangible value of a product. We can see this when Bluetooth and MP3 devices are integrated into new cars and augmented with completion messaging and billing delivered to smartphones.
Therefore, the care and protection of that data becomes more important because it is worth more to the customer base. However, such protection is also more difficult because viable protection methodologies are not available or are incomplete. Even commercial products based on heuristic methods lack a scientific or mathematical basis.
That describes the security environment today. The effectiveness of public key encryption, and of encryption in general, although based on elegant mathematics and dependent on good sources of randomness, is being eroded by one newsworthy breach after another. Security is just not working.
The recent book by Jeff Jarvis, Public Parts (Simon & Schuster, 2011), argues that people should embrace “publicness” rather than fear the Internet and its potential erosion of privacy. It is an interesting notion: rather than fight the losing proposition of security, we should accept the lack of it and embrace the openness of personally identifiable information (PII).
Jarvis suggests, given our current privacy mania, that we are not talking enough about the value of publicness in creating online social networks and personal connectedness. He makes a persuasive argument that the fear and resistance that met earlier innovations such as the camera and the printing press is being recreated with the explosion of the Internet, cloud computing and mobile computing on tablets and smartphones. The Internet, he argues, will change business, society and life as profoundly as Gutenberg’s invention did, shifting power from old institutions to all of us.
The fact is that the Internet has already changed business, society and life in those profound ways. As a privacy and security expert, I find Jarvis’s argument perversely compelling. We, as individuals and as a society, are benefiting from the new openness and wholesale information sharing.
However, when his argument is rephrased in terms of the tension between security and functionality, which it clearly is, it overlooks the losses inflicted by the forces of human nature that undermine all that is good. These forces can be aggressively hostile and rooted in the zero-sum games of international competition. Competition is not supposed to be zero-sum, but anyone who presumes that hostile actors see it that way courts market erosion and rapid competitive defeat.
We cannot give up on security simply because we cannot win or cannot find new models of security. New types of security will ultimately have to work. We are in a phase of development that lacks effective models for security, or even models with a scientific or mathematical basis.
Currently, we create increasingly complex and burdensome black-and-white filters that run the gamut from antivirus to firewall sandwiches, all based on a heuristic model of staying one step ahead of the bad guys. Clearly, that operational security is not working. But that does not mean we should give up or accept Jarvis’s proposal.
We must live with the fact that we cannot protect the Internet environment when we live in a glass house, a characterization of how insecurity pervades our world made by Joel Brenner in his recent book America the Vulnerable (Penguin Press HC, 2011). His thesis differs from Jarvis’s.
Reality must be somewhere between these two extremes. The Internet is enhancing the GDP in remarkable ways through the openness of social networking with its integrated application to marketing and sales. On the other hand, we are seeing massive erosions of fundamental intellectual property value as trade secrets, personal information and other proprietary data are leaked to foreign hackers, criminal syndicates and the machinations of hostile nation states.
It is easy to fall prey to these extremes of well-positioned ideas about “publicness” rather than privacy and security. However, it is clear that the tension remains in play between functionality and security.
Security cannot be traded for functionality without the long-term erosion of that strategic competitive advantage. As such, security becomes even more essential to the architectural design as we transition to this new intangible world of value creation and anytime, everywhere communications.
Even if our best security is not working, we do not have to give up completely. In fact, almost everywhere, leaks, breaches and insider thefts are worsening the legislative, judicial and public relations outcomes for data aggregators. Security is even more essential to research, augment and implement in the brave new world of intangible value.
Martin Nemzow troubleshoots broken businesses, and was a data security executive consulting with military commands, intelligence agencies, and prime contractors and integrators. He can be reached at firstname.lastname@example.org.