Security is a Process

Security is not something that comes out of a box and it is not easy to get right.

Security has little to do with locks and keys

Security is a way of anticipating or reacting to problems. It is an approach to ensuring certain goals are met through considering potential dangers or weaknesses in a given context.

One illustrative example is privacy in email communication. People want to send private messages through public networks with millions of interconnected machines. Traffic between these machines travels almost randomly before arriving at its destination and there is the possibility that third parties can intercept messages en-route. The security challenge in this context is to work out how a message can remain private even if it is intercepted.

The easiest way to address this issue is to encrypt any message sent. Imagine unencrypted email communication as being similar to sending a postcard. Anyone can pick a postcard up and read the message written on the back. Conversely, encrypted email is like sending a padlocked box. Someone might intercept the message, but they cannot read it without the correct key. The overarching security challenge (unintended recipients might read a message) receives an elegant solution (the message can only be read by the intended recipient).

The challenge comes when we look at the details.

The question is how to encrypt a private message contained in an email. If the sender wants to use really strong encryption (symmetric encryption) then it is necessary to tell the recipient the password. The password acts as the key to the lock, but transmitting a password is a terrific security risk, and it is incredibly hard to share it securely. Another approach is hybrid encryption (asymmetric encryption), where two people share some clever algorithms that allow them to exchange encrypted messages without transmitting passwords, but in the process lose a certain amount of cryptographic robustness.

This security process, like all others, is a compromise between perfect security and usable solutions. Choices must be made between the requirements (sending a private message securely) and the reality of the situation (the only way to send a completely private message is not to send it at all). The foundation of any good security process is a careful analysis of the security threat and the security requirements. It is a balance of theory and practicality to ensure the main goals of a specific activity are addressed. With these choices and with this balance comes a very important consequence.

Sometimes a security process will fail. This is a mathematical certainty. There is no such thing as perfect security.

A secure workstation is one that is never used. The same applies to a secure communication network. When any service is deployed or any activity begun, it sets in motion variables that ensure its security process will fail at some point. There will be a deviation from theoretical perfect security and one link in the chain will open to potential threats.

Fortunately, real world security needs are not absolute and theoretical perfect security is not required. For example, most private emails are private only from select individuals or organisations rather than from all possible interceptors, and the security process required is correspondingly less complex than it would otherwise be. On other occasions security is time-sensitive, and if a security process is maintained for a defined time-scale the required goal is accomplished.

The real question is what threats exist in a particular context and how long they need to be deterred.

An effective security process must be holistic. It begins by asking what precisely needs to be protected, against what potential threats, and how long the security of the process needs to be maintained. In the case of email that means looking beyond the encryption of message contents and also considering things like audience, geographical movements, time-based sensitivity and the capabilities of a projected interceptor. Even the metadata of an email can still reveal a great deal of information.

However, the most important thing about any security process is the people using it. Usability challenges and social engineering are two of the primary ways that security processes are broken. In the former case a security process is so complex that authorised users may circumvent it to make their lives easier. In the latter case a threat may manipulate an authorised user to obtain the information or the access they need. Either way, and regardless of the tools in play, security is breached.

Good security is a known compromise.

Security is ultimately a compromise between theoretical perfect security (not doing anything at all) and usable solutions (doing something that addresses known threats for a required timescale). Realistic security requires knowing your threats, knowing how you address them, and being unsentimental about how resilient each link in the chain is to those threats. The process of security is an endless iteration to learn, adapt and evolve ahead of challenges. Good tools and good people are important but how you bring them together is critical.

This is a revised version of a post originally written for the FSFE Fellowship.