Monday, February 12, 2007

Security Minus the Castle Metaphor Equals ... ?

So, I was reading this book the other day which was, for the umpteenth time, explaining "how is [information] security like a castle." You know, all the usual stuff about the walls, gates,  inner fortress, moat, archers, tripwires, mantraps, vandals outside and malignant insiders - where else? -  inside, etc which are commonly mentioned when people talk about this immortal  metaphor. However, are we taking this one too far? Just as a mental exercise, let's think: how is modern information security NOT like a castle? Before you throw your brain into overdrive to ponder this question :-), why do we care? We do, because I think that "the whole castle thing" is getting counter-productive in some respects and limits the progress in the field of information security. There is way too much castle-building going on already :-)

Let me drop a few that I thought about, some obvious and some hopefully less so :-) 

  • An obvious one that has to do with the nature of information security vs physical  castle defense- you can "lose everything" without "losing anything" (in case of an undisclosed information theft)
  • Another one: castle defense is inherently static; not much of "active defense" is possible since in the end it boils down to either a prolonged siege or a quick bloody assault. Similarly, organization's network is not going anywhere, but information might be defended more dynamically (if I knew how exactly,  I might be launching a new company now :-))
  • Audit matters much more in networks than at castles; if your castle security is breached, there is usually nobody left to do audit trail or log analysis
  • Here is the opposite: castles has security tools and features "built-in", modern networks - mostly "bolt-on"...
  • Many quote the growth of "de-peremetrization" or broader decentralization of security as something that moves security away from the castle metaphor, but, on some level, having one huge castle (in the form of an enterprise network) vs having clusters of "tiny castles" (in the form of "self-defending documents" or whatever similar protected bits of data) is still talking walls and gates

Any ideas, thoughts, anything? 

2 comments:

Anonymous said...

You forgot about the peasants. ;-)

I recently blogged (http://monduke.com/2007/01/31/unconventional-warfare/) about this very problem but from a different angle. I admit that I did use the tired castle/security analogy but I sprinkled in peasants which are at the heart of my take on the castle scenario. Even so, I think the castle analogy works for the bulk of the security techniques we have today. In other words, the analogy generally works for network security.

However, it's your first bullet point and the fact that bad guys acting like peasants (or "users" if you must) is the problem today. And as you stated, the analogy definitely breaks down there. The trouble really starts when there is no distinction between the actions of a legitimate user and a nefarious one. You could lose your crown jewels from someone cleverly using the normal functions of your application particularly when the application has some chinks in its armor such as an XSS vulnerability.

Essentially, my conclusion was that developers need to reduce the attack surface of their applications through education. Unfortunately, I can't think of a good castle analogy for that.

Anonymous said...

Several more reasons why the Castle analogy no longer applies (if it ever did):

1) Comparing Info Sec to a castle fails to address other forms of governance. There are many organizations whose operations aren't well matched by the Kingdom/Fiefdom metaphor inherent in the Castle analogy. The Castle analogy may, at one time, have been legitimate for businesses protecting trade secrets and other proprietary information. To my mind, however, it has never been a valid analogy for inherently more open systems (Universities would be one example). Most organizations now have "crown jewels" in the sense that they store sensitive information, required for the conduct of business, which must be protected. However, much of the information generated by a University must be able to flow freely around the world and cannot be locked away in the tower. Likewise, businesses who would not allow information to flow freely must still accommodate some manner of controlled information flow. Perhaps it's time to leave the Castle behind and begin talking about how we defend the Bazaar, wherein there would not be one set of "crown jewels" but many valuables in many locations. This analogy is equally flawed, but may be getting closer to the truth of the matter.

2) Even if the Castle analogy did apply to businesses at one time, it no longer adequately represents the day-to-day functioning of an enterprise engaged in numerous partnerships and other joint ventures. Under these new circumstances, the "crown jewels" may not be owned by a single monarch, but shared among allied nations. These joint secrets suggest that we now have to incorporate issues of transport into our analogy. Likewise, we have to consider the expanding geography: the "crown jewels" are no longer permanently locked in the tower, but move about through the kingdom and beyond. And now we're into couriers, armies and armadas. Which brings us to the problem inherent in analogies: they stop being useful when they stop being simple.

3) We also have the problem of entrances. Typically, a castle has a very minimal complement of entrances to defend. While this would ideally be true of our networks, even under the best circumstances, a given network will have far more entry points to defend (even if we don't count physical entry points) than your typical castle, and usually with fewer guards. :)

Dr Anton Chuvakin