Tuesday, March 18, 2014

I'm up to here with Privacy!

Don't get me wrong, I like my Privacy! But everyone trying to legislate for it or protect it, are missing the slow creep of change. Security folks are even largely missing this change, though they might argue that they catch the real issue obliquely under the guise of the I or A in C.I.A. that is Integrity or Availability

 

But sadly Integrity or Availabilty do not cut it...

 

It's about Control, or more correctly the downside, ie "Loss of Control". Take a look at the real threat behind Advance Persistent Threats (APTs). Many of the famous one's had no interest in exfiltrating information, that is threatening Confidentiality or Loss of Privacy. They were about taking control of the assets they were attacking whether alternating rotational speed of centrifuges, in order to cause them to self destruct. or just prior to the attack on Iraq taking control of the Iraqi military Communications, Command & Control system.

 

In short Agency is the thing we should be maintaining and protecting not Confidentiality or Privacy. Basically because if the right entities are "In Control" of the right assets then most security problems are solved.

 

In order to keep control in the right hands, our focus should be on Identity, and Entitlement.

Watch the Jericho Forum Identity, Entitlement, and Access Management videos on YouTube.

 

Some call Entitlement; Rights Management, sadly this term has been discredited due mainly to the fact that initial "rights management" implementations were used by the music industry to reduce or control the rights of listeners asymmetrically, i.e. in a manner that is similar to the "Heads I Win, Tails You Lose" model of control.

 

Effective controls have to be symetrical, with the right entity being in control of the right assets, in order for this to occur, legislators should stop focussing on Privacy, and start focussing on Agency.

 

We are living in a world where Agency is being, at best reduced, at worst destroyed. Devices are being built and sold that Never give full control to their users. The early PC was Agency neutral, it arrived with no one in control, the owner could gain "Root" access to the device and take full control. more recently devices arrive that can never be controlled by the purchaser of the device. Sony took the control of their Play Stations away from their owners, Apple never gave iPhone Users control, they tried to keep it, "JailBreaking" being the only means of gaining true "Root" access.

 

Samsung Smart TVs are another example of a class of devices that denies control to their owners.

I blogged on this earlier.

 

Imagine, if you will a world where devices like for example an aeroplane could be configured to act in a manner not directed by the pilot or co-pilot. The current conundrum of the missing Malaysian Airline could well be explained by catastrophic loss of Agency. The communications, command and control systems on the plane are all controlled by software normally controlled by those in the cockpit. A malicious third party, or nation state may have inserted an APT that took control of the plane. Was this a trial run of a new form of terrorism?

 
Agency is far more important than Privacy. We need to focus on keeping control in the right hands.

 

It may turn out to be a pilots malicious actions, either way it is an Agency problem!

 

"He says typing on an iPad that he doesn't have full control of!"

 

(As I have stated before the word Agency is not being used here in it's more recent organisational construct.)

 

 

I'm up to here with Privacy!

Don't get me wrong, I like my Privacy! But everyone trying to legislate for it or protect it, are missing the slow creep of change. Security folks are even largely missing this change, though they might argue that they catch the real issue obliquely under the guise of the I or A in C.I.A. that is Integrity or Availability

But sadly Integrity or Availabilty do not cut it...

It's about Control, or more correctly the downside, ie "Loss of Control". Take a look at the real threat behind Advance Persistent Threats (APTs).  Many of the famous one's had no interest in exfiltrating information, that is threatening Confidentiality or Loss of Privacy. They were about taking control of the assets they were attacking whether alternating rotational speed of centrifuges, in order to cause them to self destruct. or just prior to the attack on Iraq taking control of the Iraqi military Communications, Command & Control system. 

In short Agency is the thing we should be maintaining and protecting not Confidentiality or Privacy. Basically because if the right entities are "In Control" of the right assets then most security problems are solved. 

In order to keep control in the right hands, our focus should be on Identity, and Entitlement.
Watch the Jericho Forum Identity, Entitlement, and Access Management videos on YouTube.

Some call Entitlement; Rights Management, sadly this term has been discredited due mainly to the fact that initial "rights management" implementations were used by the music industry to reduce or control the rights of listeners asymmetrically, i.e. in a manner that is similar to the "Heads I Win, Tails You Lose" model of control.

Effective controls have to be symetrical, with the right entity being in control of the right assets, in order for this to occur, legislators should stop focussing on Privacy, and start focussing on Agency.

We are living in a world where Agency is being, at best reduced, at worst destroyed. Devices are being built and sold that Never give full control to their users. The early PC was Agency neutral, it arrived with no one in control, the owner could gain "Root" access to the device and take full control. more recently devices arrive that can never be controlled by the owner of the device. Sony took control of their Play Stations away from their owners, Apple never gave iPhone Users control, they tried to keep it, "JailBreaking" being the only means of gaining "Root" access.

Samsung Smart TVs are another example of a class of devices that denies control to their owners.
I blogged on this earlier.

Imagine, if you will a world where devices like for example an aeroplane could be configured to act in a manner not directed by the pilot or co-pilot. The current conundrum of the missing Malaysian Airline could well be explained by catastrophic loss of Agency. The communications, command and control systems on the plane are all controlled by software normally controlled by those in the cockpit.  A malicious third party, or nation state may have inserted an APT that took control of the plane. Was this a trial run of a new form of terrorism? 


Agency is far more important than Privacy. We need to focus on keeping control in the right hands.

It may turn out to be a pilots malicious actions, either way it is an Agency problem!

"He says typing on an iPad that he doesn't have full control of!"

(As I have stated before the word Agency is not being used in it's more recent organisational construct.)