Security is a Process

Security is not something that comes out of a box and it is not easy to get right.

Image for post
Image for post
Security has little to do with locks and keys

The challenge comes when we look at the details.

The question is how to encrypt a private message contained in an email. If the sender wants to use really strong encryption (symmetric encryption) then it is necessary to tell the recipient the password. The password acts as the key to the lock, but transmitting a password is a terrific security risk, and it is incredibly hard to share it securely. Another approach is hybrid encryption (asymmetric encryption), where two people share some clever algorithms that allow them to exchange encrypted messages without transmitting passwords, but in the process lose a certain amount of cryptographic robustness.

Sometimes a security process will fail. This is a mathematical certainty. There is no such thing as perfect security.

A secure workstation is one that is never used. The same applies to a secure communication network. When any service is deployed or any activity begun it sets in motions variables that ensure its security process will fail at some point. There will be a deviation from theoretical perfect security and one link in the chain will open to potential threats.

The real question is what threats exist in a particular context and how long do they need to be deterred?

An effective security process must be holistic. It begins by asking what precisely needs to be protected, against what potential threats, and how long the security of the process needs to be maintained. In the case of email that means looking beyond the encryption of message contents and also considering things like audience, geographical movements, time-based sensitivity and the capabilities of a projected interceptor. Even the metadata of an email can still reveal a great deal of information.

Good security is a known compromise.

Security is ultimately a compromise between theoretical perfect security (not doing anything at all) and usable solutions (doing something that addresses known threats for a required timescale). Realistic security requires knowing your threats, knowing how you address them, and being unsentimental about how resilient each link in the chain is to those threats. The process of security is an endless iteration to learn, adapt and evolve ahead of challenges. Good tools and good people are important but how you bring them together is critical.

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch

Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore

Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store