Security, Human Nature and Location

The natural reaction to wanting more security is to create a perimeter and guard it. Many security paradigms are virtualizations of that very human reaction, and that's why they are doomed to failure except at very small scale...

Business models today require access to be available to the "right people" from anywhere they happen to be, using any medium or device they happen to have available. And there's no turning back from this trend. Networks defeat location based security paradigms beyond a small scale.But security is a requirement, so we put tremendous effort into creating it - often without realizing that what we are doing can't succeed in the long run.

In the physical world, most methods of providing security are location based. First we establish a perimeter. Then we monitor it and check people as they cross that perimeter, blocking off access to the secured location except through the monitored pathways. This relationship between security and control of a physical space is "wired in" to people, as is revealed by their first reactions when something goes wrong. "Something's missing! Lock the room and search everyone!" "We have an intruder! Call out the guards and frisk everyone who comes in or out!" "Lock this place down!"

That's human nature, so it's not surprising that many network security paradigms are essentially virtualizations of such physical security paradigms. Create virtual perimeters, "lock them down" using such concepts as firewalls, proxies, etc. and then install intrusion detection and monitoring.

Networks of networks, however, will defeat such paradigms beyond a very small scale. Its their job to find pathways around obstacles, and they are very good at it. Once you "open a pathway" you lose control. In fact, you often no longer can be sure you know where the pathways even are, as the combinations of connections multiply exponentially. As the number of nodes "inside a perimeter" becomes bigger than a small building, it rapidly becomes difficult to establish whether threats are more likely to arise from "outside" than "inside" that perimeter, and the perimeter starts to dissolve.

The result is that virtual "locations" become ill defined and porous unless they remain fairly small in scope. At its global scale with easy, low cost public access, the internet has "punctured the sandbox" of safety in which enterprise applications have been built, and it has undermined the ability to manage systems and assure security for corporate data and transactions through the virtualization of physical security paradigms.

The key to security thus becomes finding methods that allow you to keep most doors open, but know who is doing what and on a transaction by transaction basis decide if what they are doing is within your risk tolerance as defined by your (probably many interacting) policies. Because every transaction is now individualized and personalized, methods must be developed to distribute management and enforcement of access control without compromising security. Networked computing must move to a non-location based distributed security model that allows precisely the right person to have the right access to the right resource for the right amount of time.

Examining the mission - letting the right people have access to the right data at the right time - reveals the ultimate paradigm that must be used to assure network security as location becomes irrelevant. It is identity, because that's all that remains. So as we move past the "traversing the firewall" stage, through the "semi-permeable firewall" into the "why are fighting our security infrastructure again?" stage, security must become (and is becoming) a sub-set of identity.

The good news is that in the past couple of years several new technologies have arisen that allow such paradigms to be implemented in a mangeable fashion. In future entries we'll examine several of them to see how identity based security techniques can replace virtualized location based techniques.

Along the way we'll discover that deriving security from identity opens up many other options for managing infrastructure, applications and data that make acheiving compliance possible while allowing new value to be released from networked computing.  In fact, security turns out not to be the biggest benefit of identity based computing.