Monday, February 12, 2007

Security Minus the Castle Metaphor Equals ... ?

So, I was reading this book the other day which was, for the umpteenth time, explaining "how is [information] security like a castle." You know, all the usual stuff about the walls, gates, inner fortress, moat, archers, tripwires, mantraps, vandals outside and malignant insiders - where else? - inside, etc., which are commonly mentioned when people talk about this immortal metaphor. However, are we taking this one too far? Just as a mental exercise, let's think: how is modern information security NOT like a castle? Before you throw your brain into overdrive to ponder this question :-), why do we care? We do, because I think that "the whole castle thing" is getting counter-productive in some respects and limits the progress in the field of information security. There is way too much castle-building going on already :-)

Let me drop a few that I thought about, some obvious and some hopefully less so :-)

  • An obvious one that has to do with the nature of information security vs physical castle defense: you can "lose everything" without "losing anything" (in the case of an undisclosed information theft, the data is copied, not taken, and nothing visibly goes missing)
  • Another one: castle defense is inherently static; not much "active defense" is possible, since in the end it boils down to either a prolonged siege or a quick bloody assault. Similarly, an organization's network is not going anywhere, but information might be defended more dynamically (if I knew how exactly, I might be launching a new company now :-))
  • Audit matters much more in networks than at castles; if your castle security is breached, there is usually nobody left to do audit trail or log analysis
  • Here is the opposite: castles have security tools and features "built-in", while modern networks mostly have them "bolt-on"...
  • Many quote the growth of "de-perimeterization" or the broader decentralization of security as something that moves security away from the castle metaphor, but, on some level, having one huge castle (in the form of an enterprise network) vs having clusters of "tiny castles" (in the form of "self-defending documents" or similar protected bits of data) is still talking walls and gates

Any ideas, thoughts, anything?

Dr Anton Chuvakin