Performance Based Technical Security Model
The Architectural Paradigm And Its Implementation Within Large Organizations
By Roy D. Follendore III
Copyright © 2005 by RDFollendoreIII
May 13, 2005
Almost anyone who is willing to take the time to truly understand the dynamics and consequences of security is capable of understanding that it is a complex and powerful idea. Technical security can act as a positive influence with respect to organizations reaching their internal goals, or it can be a determent. It can be implemented in ways that make data, information and knowledge more valuable or it can make them valueless. Security is not simply about the state of secretly knowing when others do not, it is also about the legitimacy, the confirmation of certainty, the appropriate delegation of accountable responsibilities and authority as well as a myriad of other management and command and control transactions. Technical security is also about the act of reaching organizational consensus, with respect to the application of technical security as well as its implementation. Just as there are operational costs to implementing technical security incorrectly, there are also organizational costs with respect to the way that technical security comes becomes implanted.
Those individuals who are chosen to be architects of technical security solutions within such situations are not mathematicians or logisticians and engineers but agents of change. This is because an honest appraisal of what technical security is actually more about the positive aspects of enabling communication rather than disabling communication. New technical security architectures induce organizational change and changes the way in which human beings operate with respect to each other. It is for these reasons that security system architectures must be flexible, scalable and perhaps most importantly coherent for without these things they become processes perpetrated upon the organization as opposed to acts of consensus which allows organizations to change. If Marshall McLuhan, the expert who wrote monumental works concerning the philosophy of technical communication, were alive today, he would undoubtedly say that security is about content, not the pipe through which the media content flows.
When organizations define their requirements for technical security, they do so with respect to the statutes and policies that govern them. In the larger sense, it is through this mechanism that security is essentially ordained to exist by proxy rather than through internal consensus. Within Federal Agencies for instance, the technical solutions often comes from legislative mandates which are handed down through National Security Agency (NSA) definitions and standards which state the technical requirements for certain types of certified systems. The upshot of this kind of implementation involves a cookie cutter approach to technical security design because such approaches tend to make it easy for organizations to decide when, where, how and why technical security systems are necessary. While this may be beneficial to the decision for the decision to create and manage technical security, there are certain drawbacks which lead to a reluctance to create and apply systems in ways that could be more beneficial. In this sense, security tends to be considered in terms of parochial secrecies instead of as organizational opportunities that can match the charter and capabilities of the organization for which it should serve.
Because traditional security policies have been largely unaccountable with respect to cost benefit ratios of economics over the life of systems, a coherent security metric is necessary in order to maintain pointers to what are necessary within budgetary, planning, and staffing. Because creation and maintenance of secrecy with respect to message content is very costly, the basis of effective and sustainable security becomes a matter of economics. Sustainable security means that the application of secrecy must remain economically justifiable as well as politically viable. This in turn means that secrecy must leverage value which can be functionally defined as verified rather than operating through economic values which are simply specified. Because of this, the ultimate economic purpose of security is that of performance. The purposeful use of cryptography are therefore based on organizational and individual performance measures which should be considered at periodic intervals in the same way that all other fiscal responsibilities are considered.
The benefits of establishing and maintaining responsible departmental accountability with respect to technical security are many.
The security expertise of organizations becomes fully vested within the operational requirements and objectives of the organization. This means that technical security decision making no longer takes place simply as a supportive afterthought.
Performance based accountability of technical security promotes the incentive for a positive organizational atmosphere of risk acceptance as opposed to risk avoidance. Instead of biasing technical security solutions strictly on the notion of cryptographic technologies as a disabler of performance opportunities, the concept of security becomes that of an investment in enabling performance opportunities through cryptographic technologies.
The nature of security is also transformed. Performance based security engages the philosophy of technical security, transforming it from a hermitically sealed bubble with point to point armored pipes carrying unquantifiable capsule payloads, to an accountable system where cryptography is a functional part of multilevel content control. Accountable content based security measure deliver all kinds of opportunities for better command and control of organizational resources, particularly within those field environments that are rapidly and constantly changing.. Within such situations, the Dr, W. Edwards Demming concept of ‘just in time’ manufacturing with respect to the delivery and receipt of command, control authority delegation and knowledge become applicable. Essentially accountable security will boil down to extending opportunities for transforming far more degrees of transformational freedom with fewer resources and greater feedback for command and control. The technological media currently exists that can handle this but the traditional security philosophy does not.
Until security systems which use cryptography are accountable to their performance there can be little incentive within organizations to generate requirements statements that accurately reflect the true needs of their organization. This means that innovation from the perspective of security can be constantly evaluated with respect to the operational playing field.
What exactly are specific architectural standards with respect to cryptography that would allow this entire philosophy to take place? There are example aspects of cryptographic architecture that tend to lend themselves to the perspectives that I have just discussed.
These are merely a few specific measures that can be successfully embedded within the fabric of technical security mechanisms but they are not the soul of the system. I hope that by reading this you depart with a feeling that technical security and it’s underlying mechanisms of cryptography are capable of far more than is currently being expected of them. Technical security is essentially a social process.
In the final analysis, it is important to keep in mind that technology does not care if it functions, people do. To make technology work for us and to provide new opportunities we must be willing to come to terms with the fact that the potential benefits of a technical security solution set become fixed the moment that a specific matrix of engineers and managers come to the bargaining table to reach organizational congruence. We can make information security the limiting factor of our organizational societies or the enabling factor.
The implementation of technical security is about the organizational acceptance of risks vs. opportunities and benefits. Underlying cryptographic technologies are malleable if architects are given the chance to map it properly to our best organizational philosophy but they can also be rigid and brittle if the design and implementation of cryptography is simply defined in terms of a standard. This too should be an integral part of the risk benefit equation. In the end it should be the vision of the security we choose and not merely the mathematics of cryptographic algorithms which determine our organizational fate.
Copyright (c) 2001-2007 RDFollendoreIII All Rights Reserved