A Primer on Information Survivability: Changing Your Perspective On Information Security
Many of my more recent posts on Information Survivability and the death of the TERM Information Security have focused on bringing attention to the assertion that the current definition and scope of "Information Security" is causing resources, money and effort to be focused on solving the wrong sets of problems, or at least those that are missing alignment to the business.
The world has evolved and yet the manner in which we attempt to secure it has not.
Specifically, "Information Security" has, for the most part, become very narrow and technically-focused. As computing and the manner in which we create, access and use information have become more and more distributed and decentralized, the model of "Information Security" continues to operate in a very archaic centralized manner (ye olde Castle/Moat paradigm.)
I think it’s fair to assume that folks grok that "Information Security" is classically defined as the protection of information and information systems from unauthorized
access, use, disclosure, disruption, modification, or destruction.[1] The model is clearly built upon the "holy trinity" of Confidentiality, Integrity and Availability (CIA.) There is little merit in debating the utility or efficacy of this model as it is generally useful and reasonable. However, as a model, it is also an incomplete definition of the problem set it seeks to solve.
It’s very important to recognize that I’m not saying that Information Security is "wrong" or that the operational practitioners that are in the trenches every day fighting what they perceive to be the "good fight" are doing anything wrong. However, and as Rich Mogull so eloqently described, we’ve lost the language to describe what it is we should be doing and the title, scope, definition and mission of "Information Security" has not kept up with the evolution of business, culture, technology or economics.
"Information Survivability" is a model which represents a superset of "Information Security." It focuses on bringing together the tenets of the CIA triumvirate with the business-focused practices of risk management as an enterprise-wide discipline. Today, "Information Security" focuses on providing technical solutions designed to defend against threats targeting vulnerabilities. There is little context of business impact, risk or the fact that many of the problems we face in "securing" information are actually social issues not technical ones which require different ways of thinking about solving problems.
One of the seminal reference works which describes Information Survivability is a paper written in 2002 by Julia Allen and Dr. Carol Sledge from Carnegie Mellon’s Software Engineering Institute. In their paper titled "Information Survivability: Required Shifts In Perspective," Allen and Sledge describe a (then) new model for integrating the business’ perspective, risk management practices, and embracing disruptive innovation and technology shifts whilst ensuring the survivability of critical information and systems.
If you read this paper I believe you’ll draw both parallels and recognize the differences in thought, execution and relevance between Information Survivability and Information Security. This work was really well ahead of its time. Here are some snippets from the paper. Remember, this was written back in 2002.
Organizations today are part of an interconnected, globally networked environment – one that continuously evolves in ways that cannot be predicted. What effect does this environment have on the survivability of the mission of an organization? To improve survivability, organizations must shift their focus from a more information security-centric perspective to one that includes an information survivability-centric perspective.
Survivability, an emerging discipline, incorporates a new technical and business perspective on security, creating solutions that focus on elements such as the continuity of critical services. In terms of solution space, security takes a technology centric point of view, with each new technology solving a specific set of issues and concerns that are generally separate and distinct from one another. Survivability takes a broader, more enterprise-wide point of view looking at solutions that are more pervasive than point-solution oriented.
Survivability is defined as the capability of a system to fulfill its mission, in a timely manner, in the presence of attacks, failures, or accidents to ensure
that the right people get the right information at the right time. A survivability approach combines risk management and
contingency planning with computer security to protect highly
distributed information services and assets in order to sustain
mission-critical functions. Survivability expands the view of security
from a narrow, technical specialty understood only by security experts
to a risk management perspective with participation by the entire
organization and stakeholders.
To improve the survivability of the organization’s mission, senior management must shift its focus and that of the organization from an information technology (IT)-based, security-centric, technology solution perspective, to an enterprise-based, survivability-centric, risk management perspective.
To underscore the need for change in thought space, Allen and Sledge define seven shifts in perspective that are essential in grasping the difference between "security" and "survivability" and reflect quite eerily the exact state of the challenges we face today:
- Central to Global
Systems that are centrally-networked under organizational control with full
visibility are shifting to systems that are globally-networked with no well-defined
boundaries, limited (if any) visibility and no centralized management or control. - Bounded to Unbounded
Systems that have well-defined geographic, political, cultural, and legal or jurisdic-
tional boundaries are shifting to systems characterized by the absence of these boundaries.
Centralized administrative control with trustworthy, known, inside users evolves
to systems with distributed administrative control without central authority and
unknown users. - Insular to Networked
Viewing systems as insular and fortress-like, to viewing systems as being net-
worked and interdependent; the ability to distinguish between insiders and outsiders
decreases. Outsider roles go from being well-defined to the realization that an out-
sider can be a customer, collaborator, partner, contractor, or vendor; outsider
access to the network changes based on that role. - Predictable to Asynchronous
Describes the shift wherein processing events that happen in predictable, prescribed
sequences and patterns with predictable loads, to one where events often occur
asynchronously, independent of time sequence with unpredictable loads. - Single Responsibility to Shared Responsibility
Progress from single responsibility to shared organizational responsibility to distributed
responsibility. This is a shift from having a single point of known responsibility to
correct failures, to having shared sometimes unknown responsibility. - Overhead to Essential
The sixth shift in perspective is from viewing security as an overhead activity
and expense, to viewing survivability as an investment that is essential to the
organization, along with ensuring that there is always a contingency plan. It
reflects a change of view. Instead of security being IT’s responsibility, with IT and
the CIO constantly having to justify their budget for security, survivability is regu-
larly reviewed and discussed in senior-level management meetings and is accepted
by all as part of being in business. - Security to Survivability
The seventh shift in perspective is from technologic IT-based solutions to enterprise-wide, risk-management solutions. Instead of viewing security as a narrow, technical specialty
accessible only to experts and focusing on the protection of specific components, survivability
is embraced as a risk-management perspective that requires involvement of the whole organization and focuses on the survival of the mission rather than a particular component.Senior managers must change their view that “protecting the network is a matter of listening
to the right experts and installing the right technology solutions.”Rather, their declared view is that “the survival of the mission depends on the ability of the network to provide continuity of service, albeit degraded, in the presence of attacks, failures, or accidents.”The shift is indicated by the absence of silver-bullet thinking. It is replaced by understanding that this is a long-term, continuous activity required for the success of the organization.
If you’re interested in a graphical format, you should most definitely check out "Concepts and Trends in Information Survivability" as it’s a wonderful illustrated presentation that highlights the concepts above.
You should also check out Howard Lipson and David Fisher’s excellent paper titled "Survivability — A New Technical and Business Perspective on Security."
I also liked Dr.
Wm. A. Wulf of the National Academy of Engineering’s testimony before the US House of Representatives in 2001 titled "Cyber Security: Beyond the Maginot Line" I think I’ve been channeling him for quite some time now 😉
I’ve received about a dozen emails suggesting that Information Survivability just focuses on availability. I would hope that it’s clear this is not the case and in fact availability is one component of survivability.
I’ll post more relevant background on Information Survivability soon but I thought this would give you something to chew on for a while.
/Hoff
*Picture at top left from 2006 Cyber Security and Information Infrastructure Research Workshop
"Specifically, "Information Security" has, for the most part, become very narrow and technically-focused. As computing and the manner in which we create, access and use information have become more and more distributed and decentralized, the model of "Information Security" continues to operate in a very archaic centralized manner (ye olde Castle/Moat paradigm.)".
The model is not the only problem, but customers expectations of these products as well, where they expect security to be an absolute. Security products do not provide a deterministic outcome of success, but the market expectation is out of line with reality. If I buy a rain coat, I know it is rain resistant and not rain proof, and I also know it’s not going to keep my feet dry. So why do companies who buy firewall and anti-virus and expect to be secure? How much of our problem is simply awareness?
I certainly see how the approach differs from IT Security in the past, but how does the model differ even offer what risk management over IT security would? I mean, its a nice graph and all, but where do the fear, uncertainty and doubt vectors go?
For me the entire 'Mission' concept just seems backwards to me as well. We have mission statements today, often in the form of project requirements, and the mission is usually 'availability'. That means confidentiality falls into the crack on the sofa, not to be seen again unless we go hunting for spare change. My mission may be to go to the moon, but survival of the astronauts is they key priority. These two may be at odds (If you have read Tom Wolfe's The Right Stuff, you know what I am talking about), but the research you presented seems to link them together.
Final food for thought is this: we do risky things in order to make money. Ask any bank and they will tell you that is their business model. They lend money and sometimes they don't get paid back. It is a risk, but on the whole it works out. The challenge is to balance the risk and the reward, and to do that you need to go through a survivability process to quantify the risks.
Don't get me wrong, the approach has some great uses. In the IT executive role, what a great way to show my boss the wonderful things I am doing, and how the networks are efficiently set up against a myriad of threats in a cost effective way (can I have a raise/budget now?). But I think Rich Mogull's original post was pointing out that security has limitations that just can be solved by another techno-gadget or better crypto algorithm with a longer key length. It could well be a lack of research on my part, but while I recognize this mindset as a general improvement, I am still not sold that this approach is either novel or wholly appropriate. Just my two cents worth.
Oh, the "Survivability — A New Technical and Business Perspective on Security." link appears to be broken.
Hey Adrian:
On your point regarding customer expectations, I wonder two things: (1) can you define which customer you mean? The Enterprise CISO/CSO or the consumer? (2) Whose fault is that, exactly?
I think you bring up a good point about Information Survivability versus what risk management brings to IT security. I'd say they are very close. The problem is most people don't manage risk and when they do, it's usually outside of IT Security.
Survivability is really an expression of managing risk but it's not fixated on technology alone. Interestingly, CMU/SEI are the same organization that gave birth to the OCTAVE Risk Assessment model that I like and use…for the same reasons.
In terms of the "mission" it's really derived from the military terminology, which is why it may be slightly off-putting. I don't really like it either, and were I to rewrite some of this (it came from DARPA funded research) I would choose to use other verbiage.
One thing I don't get…why is it you seem to think that Rich and I are somehow diverged on our approach here? Specifically, where exactly is it that you think I am advocating the next greatest whizbang piece of technology to solve social problems?
In fact, I flat out state the opposite in this post (above) "…There is little context of business impact, risk or the fact that many of the problems we face in "securing" information are actually social issues not technical ones which require different ways of thinking about solving problems."
Further, did you miss my other 4-5 posts decrying the technology-centric focus of Information Security and how Survivability specifically advocates NOT doing so?
Rich's "original" post was in response to mine, btw…
Lastly, nobody (esp. me) said this was novel…it's research that's been going on for years, but it's largely ignored. Why? Because it's hard and it means not relying on the next silver bullet (that will never come anyway.)
Color me confused, but either I suck so badly at making a point (could very well be) or you only read 1 out of every 10 lines (I know you, that could be too. HA!)
Checking link… Thanks.
/Hoff
This is probably talked about in one of the links I'm too busy/lazy to go read right now, but indulge me:
If the goal is for the mission for information to survive, then at what point do we declare the information to be "dead"?
I read every line, but only every eight word. 🙂
And yes, before you ask, I also got the sense that availability was the focus of the research despite the assertions in the paper to the contrary, as all of the examples provided (Farmer, Galaxy-4, Lifeboats, etc)in the Lipson & Fischer paper list redundancy. I freely admit I have not yet read through rest of the research presented, just what I can link to.
"(1) can you define which customer you mean?". – The majority of people outside of security but inside IT. Those who know enough to conceptually understand what a product's intent, but not enough to know how it might be subverted.
"(2) Whose fault is that, exactly?" – I was not looking at fault, rather expectations.
"why is it you seem to think that Rich and I are somehow diverged on our approach here?" – Whoa … not what I meant or intended. I read Rich's post (http://securosis.com/2007/10/17/an-optimistically-fatalistic-view-on-the-futility-of-security/) as an observation on the state of security. I read your post as a possible approach to solve the problem. Not saying you two disagree, nor am I shooting the messenger, not saying you are prescribing more technology, only that I am not ready to leap into the Security Survivability pool … not yet anyway. The research sounds like an excellent description of the issues at large. You know as well as anyone that I have advocated a business focused (information) risk management model since 2004. But this: "Survivability is defined as the capability of a system to fulfill its mission, in a timely manner, in the presence of attacks, failures … " sets off alarms with me. Am I the only who who read it this way?
"There is little context of business impact, risk or the fact that many of the problems we face in "securing" information are actually social issues not technical ones which require different ways of thinking about solving problems." Perhaps my misunderstanding is first saying securing information is a social issue, and then describe the "mission depends on the ability of the network to provide continuity of service". Is that a social problem solved with technology? This is the thrust of my comment.
@Alex:
"If the goal is for the mission for information to survive, then at what point do we declare the information to be "dead"?"
I would suggest that if the information is ever described as "dead" then we've failed the mission…
But to your question, my answer is:
The moment it ends up not being delivered to the right people at the right time and causes the business harm beyond the tolerance defined by the organization's ability to sustain an impact that exceeds the system(s) capacity to deliver the required services to continue as an on-going concern.
The first reaction here is usually "Hey, that's just CIA." I'm going to entertain this notion outside of the comments in a separate post.
That's about as clear as I can get right now…fubar'd a rib in Jiu Jitsu class tonight (again.)
The link for "Information Survivability: Required Shifts In Perspective," is broken.
@Hoff: your graphic above is very pretty. I'd argue, though, that as a member of the organization I work for, I'm supposed to care about the performance and functionality axes along with everyone else. It's just that my sub-specialty, the job I get paid to focus on, is the CIA axis. But I have to support all three. If my solutions drag the others too far down, I'm not doing my job right.
"The moment it ends up not being delivered to the right people at the right time"
I guess that's where I'm confused. The data still "lives" beyond an incident. The mission still continues even though there has been compromise. Most times, you can't bury the data, think warm thoughts about the good times you had with it and then move on with life – you still have to use it and (re)protect it.
Don't get me wrong, I'm not antagonistic to the label of survivability or concept because I'm rather warm to a data-centric study of risk. I'm just trying to reconcile the language involved.
"There is little context of business impact, risk or the fact that many of the problems we face in "securing" information are actually social issues not technical ones which require different ways of thinking about solving problems."
Right, and further when security people talk about risk, they are usually talking about uncertainty and volatility. I use Buffett and Munger's definition of risk – the permanent loss of capital. Not that uncertainty and volatility are not important, but how you account for these things is different. Important distinction.
It seems like the focus here is less on technology, and more on process and risk management. How is this approach from ISO 27000, or any other ISMS? You use the word survivability instead of business process, however other then that it seems more similar then different.
Thanks!
lance
GRC – To Be or To Do
GRC (or Governance, Risk Management, and Compliance for the uninitiated) is all the rage, but I have to say I think that again Infosec has the wrong focus. My problem with making GRC the central part of Infosec programs is best summed up by Charles Har…