We're running out of things that security technology can do without corresponding improvements in security behavior. Therefore, it's no accident that the center of gravity of the infosecurity profession is evolving away from a purely technical approach. This isn't just the latest swing of the pendulum between machines and people -- it's a change to a more mature mindset, giving us the conceptual tools we need to maximize reduction in risk at the minimum cost. We're moving up the stack, beyond the application layer, to the biological layers.
The seven layers of the Open Systems Interconnection (OSI) model were never fully implemented, but the insight that this conceptual model brought to the understanding of networks has proven vital in analyzing and reducing information risk. Each layer is discrete, handshaking and interfacing with its matching counterpart layer across the network, and interfacing with the layers above it and below it on a networked system. Like a stack of Lego blocks, the functions operating at the various layers are mostly oblivious to the existence of other layers, aside from the immediate top and bottom neighbors, providing an extraordinary amount of flexibility and simplifying the design and maintenance of complex systems.
This model helps us to understand the ramifications of applying security mechanisms within the different layers. The lower the layer, the more transparent the security service, but the narrower the span of protection provided -- both topologically and chronologically. Security services at relatively higher layers, such as those within XML, can almost provide true end-to-end security, during storage as well as transmission.
The notion that humans communicating through networked systems constitute a "layer eight" is hardly controversial. In fact, much good-natured debate revolves around just how many bio layers there actually are, with suggestions including money, politics, culture, process, perception and memory. We are benefiting from the growing awareness that people and their institutions are functionally part of the network-supported communications infrastructure. Consequently, our field is outgrowing the unproductive "tastes great/less filling" argument between technicians and bureaucrats.
Understanding information risk management in terms of a human/machine duality is outmoded and unproductive thinking. While it's fair to say that people tend to specialize in terms of managing machines or managing people, it isn't as useful as saying that each of the many different layers supporting a network communication is managed by different specialists, interacting in our bio layers. Firewalls typically are managed by network administration, Web servers by system administration and organizational processes by department heads. Moreover, this dynamic is strongly influenced by organizational culture and individual knowledge.
Ironically, the word "protocol" was borrowed by computer science as a metaphor for the handshaking taking place between the corresponding layers of communicating computers. Originally, it described the conventions used by diplomats to increase the level of trust between negotiating parties. Distracted by the challenge of programming protocols for the software-based layers, infosecurity has neglected the need to design and manage protocols at the human layers.
We are each responsible for ensuring that our piece of the stack provides appropriately robust security services to layers above our layer and for ensuring that our layers are carrying out the proper trust negotiations with corresponding layers on communicating systems. It's a holistic view of infosecurity in which risk is evaluated, understood and managed at an optimal level. Security practitioners are welcome, and often encouraged, to concentrate their attention on a single layer, but none of us can be successful with blinders on.
It's understandable that in the past we avoided these human layers. That high in the stack, they don't offer much transparency, and you can't change a human protocol just by changing some code. But the first seven layers absolutely can't provide end-to-end security. The new and exciting infosecurity challenges don't require coders -- they require behavioral specialists.
Jay Heiser, CISSP, is a London-based security analyst with TruSecure Corp.