Many of my more recent posts on Information Survivability and the death of the TERM Information Security have focused on bringing attention to the assertion that the current definition and scope of "Information Security" is causing resources, money and effort to be focused on solving the wrong sets of problems, or at least those that are missing alignment to the business.
The world has evolved and yet the manner in which we attempt to secure it has not.
Specifically, "Information Security" has, for the most part, become very narrow and technically-focused. As computing and the manner in which we create, access and use information have become more and more distributed and decentralized, the model of "Information Security" continues to operate in a very archaic centralized manner (ye olde Castle/Moat paradigm.)
I think it's fair to assume that folks grok that "Information Security" is classically defined as the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction.[1] The model is clearly built upon the "holy trinity" of Confidentiality, Integrity and Availability (CIA.) There is little merit in debating the utility or efficacy of this model as it is generally useful and reasonable. However, as a model, it is also an incomplete definition of the problem set it seeks to solve.
It's very important to recognize that I'm not saying that Information Security is "wrong" or that the operational practitioners that are in the trenches every day fighting what they perceive to be the "good fight" are doing anything wrong. However, and as Rich Mogull so eloqently described, we've lost the language to describe what it is we should be doing and the title, scope, definition and mission of "Information Security" has not kept up with the evolution of business, culture, technology or economics.
"Information Survivability" is a model which represents a superset of "Information Security." It focuses on bringing together the tenets of the CIA triumvirate with the business-focused practices of risk management as an enterprise-wide discipline. Today, "Information Security" focuses on providing technical solutions designed to defend against threats targeting vulnerabilities. There is little context of business impact, risk or the fact that many of the problems we face in "securing" information are actually social issues not technical ones which require different ways of thinking about solving problems.
One of the seminal reference works which describes Information Survivability is a paper written in 2002 by Julia Allen and Dr. Carol Sledge from Carnegie Mellon's Software Engineering Institute. In their paper titled "Information Survivability: Required Shifts In Perspective," Allen and Sledge describe a (then) new model for integrating the business' perspective, risk management practices, and embracing disruptive innovation and technology shifts whilst ensuring the survivability of critical information and systems.
If you read this paper I believe you'll draw both parallels and recognize the differences in thought, execution and relevance between Information Survivability and Information Security. This work was really well ahead of its time. Here are some snippets from the paper. Remember, this was written back in 2002.
Organizations today are part of an interconnected, globally networked environment – one that continuously evolves in ways that cannot be predicted. What effect does this environment have on the survivability of the mission of an organization? To improve survivability, organizations must shift their focus from a more information security-centric perspective to one that includes an information survivability-centric perspective.
Survivability, an emerging discipline, incorporates a new technical and business perspective on security, creating solutions that focus on elements such as the continuity of critical services. In terms of solution space, security takes a technology centric point of view, with each new technology solving a specific set of issues and concerns that are generally separate and distinct from one another. Survivability takes a broader, more enterprise-wide point of view looking at solutions that are more pervasive than point-solution oriented.
Survivability is defined as the capability of a system to fulfill its mission, in a timely manner, in the presence of attacks, failures, or accidents to ensure that the right people get the right information at the right time. A survivability approach combines risk management and contingency planning with computer security to protect highly distributed information services and assets in order to sustain mission-critical functions. Survivability expands the view of security from a narrow, technical specialty understood only by security experts to a risk management perspective with participation by the entire organization and stakeholders.
To improve the survivability of the organization's mission, senior management must shift its focus and that of the organization from an information technology (IT)-based, security-centric, technology solution perspective, to an enterprise-based, survivability-centric, risk management perspective.
To underscore the need for change in thought space, Allen and Sledge define seven shifts in perspective that are essential in grasping the difference between "security" and "survivability" and reflect quite eerily the exact state of the challenges we face today:
- Central to Global
Systems that are centrally-networked under organizational control with full
visibility are shifting to systems that are globally-networked with no well-defined
boundaries, limited (if any) visibility and no centralized management or control. - Bounded to Unbounded
Systems that have well-defined geographic, political, cultural, and legal or jurisdic-
tional boundaries are shifting to systems characterized by the absence of these boundaries.
Centralized administrative control with trustworthy, known, inside users evolves
to systems with distributed administrative control without central authority and
unknown users. - Insular to Networked
Viewing systems as insular and fortress-like, to viewing systems as being net-
worked and interdependent; the ability to distinguish between insiders and outsiders
decreases. Outsider roles go from being well-defined to the realization that an out-
sider can be a customer, collaborator, partner, contractor, or vendor; outsider
access to the network changes based on that role. - Predictable to Asynchronous
Describes the shift wherein processing events that happen in predictable, prescribed
sequences and patterns with predictable loads, to one where events often occur
asynchronously, independent of time sequence with unpredictable loads. - Single Responsibility to Shared Responsibility
Progress from single responsibility to shared organizational responsibility to distributed
responsibility. This is a shift from having a single point of known responsibility to
correct failures, to having shared sometimes unknown responsibility. - Overhead to Essential
The sixth shift in perspective is from viewing security as an overhead activity
and expense, to viewing survivability as an investment that is essential to the
organization, along with ensuring that there is always a contingency plan. It
reflects a change of view. Instead of security being IT’s responsibility, with IT and
the CIO constantly having to justify their budget for security, survivability is regu-
larly reviewed and discussed in senior-level management meetings and is accepted
by all as part of being in business. - Security to Survivability
The seventh shift in perspective is from technologic IT-based solutions to enterprise-wide, risk-management solutions. Instead of viewing security as a narrow, technical specialty
accessible only to experts and focusing on the protection of specific components, survivability
is embraced as a risk-management perspective that requires involvement of the whole organization and focuses on the survival of the mission rather than a particular component.
Senior managers must change their view that “protecting the network is a matter of listening
to the right experts and installing the right technology solutions.”Rather, their declared view is that “the survival of the mission depends on the ability of the network to provide continuity of service, albeit degraded, in the presence of attacks, failures, or accidents.”
The shift is indicated by the absence of silver-bullet thinking. It is replaced by understanding that this is a long-term, continuous activity required for the success of the organization.
If you're interested in a graphical format, you should most definitely check out "Concepts and Trends in Information Survivability" as it's a wonderful illustrated presentation that highlights the concepts above.
You should also check out Howard Lipson and David Fisher's excellent paper titled "Survivability -- A New Technical and Business Perspective on Security."
I also liked Dr. Wm. A. Wulf of the National Academy of Engineering's testimony before the US House of Representatives in 2001 titled "Cyber Security: Beyond the Maginot Line" I think I've been channeling him for quite some time now ;)
I've received about a dozen emails suggesting that Information Survivability just focuses on availability. I would hope that it's clear this is not the case and in fact availability is one component of survivability.
I'll post more relevant background on Information Survivability soon but I thought this would give you something to chew on for a while.
/Hoff
*Picture at top left from 2006 Cyber Security and Information Infrastructure Research Workshop