Information security professionals, such as myself and many of you, have, for years, been working on protecting information from unauthorized disclosure, modification and destruction. A plethora of technology complemented by processes has been developed and deployed through people who have been committed and trained. In all, an approach of “protecting information”—assuming information to be a hapless thing that needed to be “protected”—has been taken. We have never changed the view that information in whatever form was passive, helpless and needed specific measures from us to protect it. If “information” could participate in these efforts to secure it, could we do a much better job?
Intense contemplation about the nature of information security led me to think about how nature handles security.
I was at a neighborhood school one evening as school was letting out and hundreds of happy children were coming out of the gates. The parents who were waiting to pick up their children to take them safely home were keenly watching, trying to spot their child amidst the swarm of similarly sized and uniformed children who were streaming out. As I watched, it was often the children who spotted their parents and came running to them to be hugged and taken home. This was a very clear two-way process with intelligence to recognize each other being present and used by both the parent and the child. You will find similar scenes in nature—for example, when a baby penguin and its parent penguin pair correctly and get together amidst the sea of millions of seemingly similar looking penguins.
The analogy is compelling. If information (the child) that we are trying to protect had the intelligence to know its owner, handler and so on, would we not be able to protect it better? If a document “knew” or “sensed” that the person accessing it was not its creator or owner, it could refuse to open and disclose its contents or even refuse to travel (be transmitted).
Technologies such Information Rights Management (IRM) have attempted to embed information into a document about its creator, owner and users. Notwithstanding the hype with which these products were launched a few years back, IRM has not taken off in a big way. One reason is that these technologies have remained programmatic and not reached the realm of “intelligence”—the technology embeds some kind of tag on the document, but does not endow it with “intelligence.”
The approach to making information intelligent is becoming difficult, because we generally think about it after the fact. When document and data format standards were conceived, proposed, debated and designed, they did not contain provisions to embed intelligence in the documents or data. Doing that as a “bolt-on” addition results, at best, in only fixing tags or such other attributes that have gross limitations and fall woefully short of “intelligence.”
Documents need to have ownership, handling and other attributes embedded in them as they progress in their life cycle of being created, edited and passed on to others. When we send a document to another person today, we do not tell the document that it is being passed on to another person. In other words, we do not introduce the next handler to the document, as we would do to a dog. If we could instill that intelligence in the document before sending it off to the next person, the document would not “go” to any other person.
This idea may sound crazy. Does it sound like the analogy is being carried too far? Maybe, but it is a different way, and we need an alternate approach.
The way such a concept could be reality is as follows. When a person “A” creates a document, the document is embedded with the knowledge that A is its owner. Before sending the document to “B,” A introduces B to the document (in other words trains the document) and lets the document know that B has certain rights on the document. The document travels to B and lets B handle (read, edit, add, modify, etc.) it based on what it has been told (trained) (see figure 1).
If we look back, the early UNIX systems had the “rwx rwx rwx” bits along with the file that let the file know whether the owner, the group or the world had read, write or execute permissions on them. This concept seems to have become de-emphasized as we progressed to more user-friendly systems and increased focus on access control mechanisms that prevented people from getting to where the files were stored.
If, like a dog, our desktops and laptops know who is handling them by “intelligence” and not through programming, would not the whole security scenario undergo a positive metamorphosis?
Identity–The Key to Effective Security
Embedding intelligence into documents by itself cannot solve the information security issues. Even when documents and data stores have intelligence, they will need to recognize identities uniformly and consistently to be handled by the identities.
Essentially the linkage of intelligence is between the information and an identity. That brings us perhaps to the most important area in the subject of security—identity.
We began by equating identities with user IDs and associated passwords. Passwords got more complex and longer. User IDs are also seeing an evolution to more standardization; the e-mail ID is becoming the user ID for most popular applications such as social networking sites. However, in the enterprise, the employee number would be used as the standard user ID. The movement to a universal user ID for every human being appears to be in the realm of dreams today, but the beginnings of such an evolution are emerging. The subject is not without its perils though. Some countries have had unique identifiers for their citizens for a long time; some countries are beginning new ambitious projects to achieve the same (e.g., India’s UID project). Security concerns over the ID itself will come up, and they need solutions. There are apparently no issues with our names becoming public, but how public can one’s ID be?
The answers to these questions are buried deep inside the methods we use for authentication. Should identification and authentication remain distinct or merge? How much intelligence do our devices and applications have to recognize identities? I am sure this train of thought has run in others’ minds before as well, that is, when biometric recognition emerged. While fingerprint technology appears to have matured—most laptops come with fingerprint readers and access control systems using fingerprint-based technology— other forms of biometric recognition such as retina scans are yet to attain a level of maturity for wider adoption.
While we have evolved to two-factor authentication and are gloating over it, we realize that nature does identity recognition through multifactorial authentication—size, shape, features, touch, texture, voice, tone, smell and so on. These are not once done and set; they are updated constantly and synchronized through and during interactions, as all of these characteristics (factors) change with time and age. Nature, except in the case of humans, does not appear to differentiate between identification and authentication, it does both in one stroke with all the multifactors.
The potential for face and voice recognition is a powerful area that is yet to be well developed. With most laptops now equipped with built-in cameras and microphones discreetly positioned at the top of the LCD screens, face recognition can become a default with identification. With a combination of facial feature recognition and voice and fingerprint matching, identifying and authenticating a person should become a good solution, provided that these technology implementations reach high levels of reliability. The result could be that one sits in front of one’s laptop, looks at the camera, pats the laptop on the fingerprint sensor and says a few words of greetings to the laptop and is then logged in to the laptop and to any other web site or system that can take that authentication securely.
A new approach to information security in the two areas of imbibing documents or information stores with intelligence about their owners and handlers on an ongoing basis throughout their life cycle and a multifactor approach to identity management could make a very significant and effective change to the way we handle information security in the days to come.
S. Anantha Sayana, CISA, CISM, CIA
is head corporate IT at Larsen & Toubro India (www.larsentoubro.com). After working in information security and audit for more than 16 years, Sayana has been in an IT governance and leadership role over the last seven years. He was the founding secretary and a past president of the ISACA Mumbai (India) Chapter and a member of the CISA Test Enhancement Committee for three years. He also served as a contributing editor on the Journal’s editorial committee, writing the IT Audit Basics column for more than three years. He can be reached at anantha.sayana@ larsentoubro.com.
Enjoying this article? To read the most current ISACA® Journal articles, become a member or subscribe to the Journal.
The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.
Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors’ employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors’ content.
© 2010 ISACA. All rights reserved.
Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, MA 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.