As I have mentioned before, security is nothing new. The basic tenets of information security are well defined and only articulate, in digital terms, what many of us do in a variety of transparent and automatic ways. By breaking down security into its constituent components, I believe it’s easier to design these components into our modern-day electronics so that they are not only easier and more convenient to use, but more secure because of it.
Protecting the confidentiality, integrity and availability of information are the main objectives of information security; however, when bringing a product, service or system to the marketplace, it is important to also think about how to keep the system secure once it has been deployed. Protecting a system from the effects of Murphy’s Law – which occurs more often than one expects – is also an important consideration.
The following are the security objectives to keep in mind when designing a system. Some examples below play multiple roles. For example, wax seals and Chinese/Japanese chops (inkan/hanko) can be used for both integrity and authenticity.
Static, passive, pervasive security – done once:
- Confidentiality/Privacy – Your data/service provides no useful information to unauthorized people and ensures the protection of sensitive and private data.
  - Historically – Egyptian hieroglyphics, Enigma, etc., envelope
  - Biologically –
  - Modern – Encryption
- Integrity – Ensures that the data has not been (maliciously or accidentally) altered, manipulated or deleted. Furthermore, if anyone tampers with your asset it will be immediately evident.
  - Historically – Wax seals, inkan, medicine caps
  - Biologically – DNA sequences
  - Modern – Digital hash
- Authenticity – We can verify that an asset is attributable to its owner, author or caretaker.
  - Historically – Driver’s license, passport, stamps, watermarks
  - Biologically – Smell, sight, hearing, virus lock-and-key
  - Modern – Passwords, smart cards, biometrics, GPS, public key
- Identity – We can verify which specific individual entity is associated with your asset.
  - Historically – many, notary
  - Biologically – birds imprint on who their mothers are
  - Modern – meta tags, XML
- Non-repudiation – Ensures that information cannot be “disowned.” The author, owner or caretaker of the asset cannot deny that they are associated with it.
  - Historically – signing a document, getting a return receipt, etc., time clock, odometer
  - Modern – typing an acknowledgment, taking a biometric, digital signature
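To make the gap between the “modern” entries for integrity, authenticity and non-repudiation concrete, here is an added example (not part of the original post) using Python’s standard hashlib and hmac modules. The messages and key are constructed for illustration, and a shared-key HMAC is assumed as the authenticity mechanism.

```python
import hashlib
import hmac
import secrets


def digest(message: bytes) -> str:
    """Unkeyed SHA-256 digest: anyone can recompute it."""
    return hashlib.sha256(message).hexdigest()


def check_digest(message: bytes, received: str) -> bool:
    return hmac.compare_digest(digest(message), received)


def tag(key: bytes, message: bytes) -> str:
    """HMAC-SHA256 tag: only holders of the key can compute it."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def check_tag(key: bytes, message: bytes, received: str) -> bool:
    return hmac.compare_digest(tag(key, message), received)


def demo() -> dict:
    sent = b"PAY 100 TO ALICE"           # constructed sample message
    altered = b"PAY 900 TO MALLORY"      # constructed altered message
    key = secrets.token_bytes(32)        # shared by sender and receiver only
    sent_digest, sent_tag = digest(sent), tag(key, sent)
    return {
        # Integrity, accidental change: the old digest no longer matches.
        "digest_catches_corruption": not check_digest(b"PAY 100 TO ALICF", sent_digest),
        # Integrity, deliberate change: whoever rewrites the message can
        # recompute the digest as well, so the receiver's check passes.
        "digest_accepts_rewrite": check_digest(altered, digest(altered)),
        # Authenticity: without the key the old tag is all a third party
        # has, and it does not verify against the altered message.
        "tag_rejects_rewrite": not check_tag(key, altered, sent_tag),
        # Non-repudiation: the receiver holds the same key and can tag a
        # message the sender never wrote, so a tag proves nothing to others.
        "receiver_can_forge_tag": check_tag(key, altered, tag(key, altered)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

All four results are True: a bare hash only covers accidental change unless the digest itself is protected, and a shared-key tag authenticates without binding the message to one party, which is why the list above names a digital signature for non-repudiation.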
Dynamic, active, transient security – the system needs to be checking these items constantly:
- Authorization – It is clear what actions are permitted with respect to your asset.
  - Historically – dual missile silo keys
  - Modern – ACLs
- Loss – Asset is irrecoverably lost (or the cost of recovery is too high).
  - Historically – cancelling a check, filing an insurance claim
  - Modern – Remote disable/erase
- Availability/Denial of access or service – Ensures that authorized users have access to information when required.
  - Historically – embargos, laying siege to a city, cancer
Your comments are always welcome.