Tuesday, June 1, 2010

A false sense of security

I have contended for several years that security is a quality factor. It sounds like a simple statement, but both security and quality are nebulous things. It is actually a statement that requires a lot of understanding, and although many people see quality and security as separate things, they are in fact deeply intertwined. Privacy, too, is an attribute that can be included alongside security as a quality factor.
You know Quality when you have it, whether you are considering buying the latest iPad or a car, staying in a hotel room, or hiring a carpenter, and what Quality means to you can be a very personal thing. If you haven't already read "Zen and the Art of Motorcycle Maintenance", a book written in the '70s by Robert Pirsig, whose job at the time was writing computer manuals, I recommend it, as it provides some very nice insights into the philosophy of Quality. It is a philosophical book and discusses how Quality cannot be defined. Similarly, I contend, neither can security nor privacy.
However, there are many quality factors that can be recognized as contributing to Quality. They are different for everyone, although many are shared between people. I see examples of people considering quality factors every day. In the last two weeks I have been an observer of people in the process of buying a house. One considered very deeply what the longer-term effect on his lifestyle would be. Another considers items such as "are the sinks the right height?", "is the stove a gas one?", "is it close to a noisy road?" and has many other such detailed items on the list. A third's list was short: "the apartment must be on the top floor and must have a garage". People's overt recognition of their own quality factors reflects their values at the time and helps them to make decisions.
Such philosophical discussion has given us some real-world insights, tools and techniques. The quality movements of TQM and Six-Sigma are examples, and their goals are such that an understanding of quality factors is important to organizations providing products and services. Getting the details right helps position your product or service to the intended users and supply "Quality" to them. They will have an effect on customer satisfaction and hence success and failure in the material world.
What does this mean to security and privacy? Well there are many things to consider. One of the most important things to realize is that in many cases people do not put security or privacy on their list as a quality factor. These are two things that should be provided without thinking or much discussion. Their presence is assumed but typically does not engender accolades; their absence becomes a huge negative quality factor and causes great dissatisfaction. Because security and privacy are assumed to be present they are often not explicitly stated on non-security experts' lists of quality factors or discovered during market research of the same. If you don't believe me, search for "quality factors", "software quality factors", "service quality factors" or "system quality factors" and try to find a list that includes confidentiality, integrity and availability, or for that matter privacy.
A current example of the practical repercussions of missing such unstated quality factors is the Facebook privacy issues. Facebook users are sending a clear message: "We want the Facebook service to provide privacy protection". The service is intended for the masses, and most users are not security or privacy experts; they haven't clearly thought about what they want, but they do know when they haven't got it! Putting to one side for a moment any specific bugs and security flaws, Facebook seem to have missed the mark on understanding what their users expect and need: that they don't want to spend their time going through many parameters and thinking about how each one affects them and what the repercussions are. They expect security and privacy to be built in.
I am proud to work for a well-respected security services company. In a nutshell, atsec's service is helping people assess the security that their organizations provide to their customers. It includes not just their products and services, but also the security posture of their organizations. We perform everything from detailed evaluations of security functionality for products to providing consultancy to an organization on its own security policies. We have some agreed mechanisms to do this, for example using Common Criteria, or through conformance testing to specific standards such as those intended to ensure that the basic security requirements for devices such as cryptographic modules and identity cards are implemented correctly. We also perform assessments on organizations and applications for PCI using their own standards, or use internationally agreed standards such as ISO/IEC 27001 to assess everything from large data centers to small companies providing legal services.
Why does this business exist? Often because, somewhere, security is on someone's list. For some organizations security is definitely on the list of quality factors. For example, government agencies often include very specific requirements, because usually it is a government's mission to provide security to its citizens. Organizations supporting government missions therefore also include security requirements, often because the government has explicitly included them ("shall conform to FIPS 140-2", for example), and we see a variety of policies and mandates enacting that.
One mistake that our potential customers sometimes make is to believe that by holding a security assurance certificate or report they can demonstrate that their product is completely secure. This is not true. What we provide to our customers, and in turn to their users, is assurance: a measure of the quality of the security functions that we examine. Assurance is a quality factor, but it is not security. We cannot demonstrate that the specification is made in the proper context, and very rarely do we get an opportunity to test a complete system in the context of its actual use. An old adage in the quality world is "You can't test quality in". Neither can you "test security in".
Considering security and privacy as quality factors is not a new phenomenon, but they often fail to be considered, perhaps because tools like TQM, Six Sigma, requirements analysis and use-case specifications have not included considering security and privacy as key quality factors at the highest levels.
A good example from recent years is the development of new technologies providing innovative products and services that take advantage of the rapidly developing resources available via the Internet. The growth of Software as a Service (SaaS) and mobile apps are two such examples, but there are many others. Providers have not understood at the outset that, even though it is not stated, their customers expect security and privacy to be provided, and that it must therefore be one of their quality factors. For SaaS we saw several services develop quickly on a commercial mass-market base. Security and privacy were unstated quality factors, rarely cited among other quality factors ("redundancy, price, less overhead...") or, if they were included, often not properly understood. So we see pleas from experts to consider this: Paul Roberts provided a very nice example, a summary of this topic from the 2006 RSA conference, in eWeek.
As such products and services become successful, the lack of early consideration of security and privacy becomes a problem for the provider. The user base has grown, certainly in numbers and possibly also to include a different cohort than originally conceptualized (for example, it may now be used commercially or in government sectors rather than by private at-home users). The service provided has become more critical to the users too, as the positive quality factors provide advantages to them and the service becomes part of their own service provision. Perhaps an illusion of security is provided: a user name and password, and the use of https (with the lock icon in the browser), give the user the signals that he or she has been trained to look for, but most users (teenagers, grandparents, and those who live outside the professional tech world) do not have the intuition, capabilities or inclination to look further and know whether security and privacy that meets their needs is truly provided to them. They trust the provider to do that on their behalf and only react if it is not there. The recent Facebook issues already described are one such example, but there are many more. The security and privacy issues neglected in the provision of most of the health industry's processes, services and products were retrospectively addressed through a small section of HIPAA, and when that wasn't enough to raise awareness of the importance of these quality factors, the government reacted with stronger measures through the HITECH Act.
While occasional security bugs and flaws are expected and tolerated to some extent by end users, ongoing confidence in the security and privacy attributes of the product or service becomes overtly more important to them. A lack of confidence in products and services by users quickly becomes a lack of trust in the organization providing them. Countering this is hard and becomes very costly. Re-engineering presents a huge cost to the organization and, combined with negative PR, may even threaten an organization's continued existence or market position. There are competitors waiting in the wings who have already considered these quality factors, or who can now do so using the "new-found" knowledge of customer expectations, and who can silently re-engineer their offering and present a better quality product or service to the market. Reputation and trust cannot be fully regained once lost.
Of course it is not possible, outside of Utopia, to totally eliminate poor Quality. It is, however, possible to improve the culture of Quality through education and increasing awareness. We need to include security and privacy as quality factors in the common body of knowledge: in the arts and science of both IT and cyber product and service provision. Keeping security and privacy as separate disciplines is good for the specialist areas of development of the science and for providing the expertise needed by development and service providers, but it does not replace the need for technological entrepreneurs to be aware of these factors at the early conceptual stages.
Standards have been developed organized around each discipline, but each misses the fact that Quality embraces all. A common problem within security standards organizations is the struggle encountered when such disciplines, each with its own community of experts, overlap.
As one small example, including "security" or "privacy" fundamentals as quality factors in ISO 9126, a technical report that is used as the basis for many software-development-related fields of endeavor, is used in many academic courses of study, and features in many contemporary discussions and papers on software quality, would improve the consideration of security by many product and service providers. There are many other such examples in all three disciplines.
Full compliance with ISO 9001, ISO/IEC 27001 or PCI DSS, undergoing a Privacy Impact Assessment, or complying with any other focused standard or specification is unlikely to magically make your organization meet the expectations and satisfy the values of your customers; nor does adding a plethora of security functionality to a product, or implementing every control or safeguard ever invented. My colleague Helmut Kurth points out that "more security isn't better security and that very often the opposite is true"; this is a statement of security as a quality factor.
Quality is nebulous and sometimes ephemeral. Some quality schemes popular today and in the second half of the 20th century, such as TQM and Six-Sigma, have naturally been confused with Quality. Quality embraces many disciplines, including the quality, security and privacy disciplines. They are not separate; they are all part of Quality and should be considered together in meeting the overall needs of users who are part of the IT and communications revolution.

Fiona Pattinson
