2009-11-29
In security, you need to stop the root mistake
Here is something that I have become more and more convinced of: if you want to actually solve a security problem, you need to stop the root mistake.
Many security problems have various surface issues that you can target, and then they have one (or more) root mistakes. It is tempting and easy to target surface issues, but if you do so you are not really solving the problem; you are simply causing the attackers to find another way to create the circumstances where the root mistake will be committed again.
As an example, let us consider phishing. In phishing, the root mistake is entering your username and password into the wrong site. However, there is a long history of anti-phishing precautions that try to get people not to go to the wrong site (persuasion, blocking access to bad sites, blocking ways of directly linking to sites, and so on). Since these solutions only target the surface issue, they have predictably failed any time attackers can figure out a new way to slide past the precautions.
So, to really fix the security problem you need to target the root mistake, and ideally make it not just more difficult but outright impossible to make that root mistake.
(If you merely make the root mistake more difficult, it just lowers the frequency of the security problem. And even that's not a sure thing.)
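To make the contrast concrete, here is an added illustration (not from the original entry) of the two kinds of fix for the phishing case: a blocklist that targets the surface issue, and a credential bound to the site it is sent to, which targets the root mistake. The origin-bound derivation is a simplified model of what origin-checking password managers and origin-bound authenticators do; the origins, secret and blocklist entries are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample values: the genuine site, one lookalike we already know
# about, and a fresh lookalike the attacker registered after the list was built.
REAL_ORIGIN = "https://bank.example"
KNOWN_BAD = {"https://bank-example.test"}
NEW_LOOKALIKE = "https://bank.example.login.test"


def surface_fix_allows(origin: str) -> bool:
    """Surface-issue precaution: refuse sites on a blocklist.

    Anything not yet on the list is allowed through, so the user can still
    commit the root mistake at a site the list has never heard of.
    """
    return origin not in KNOWN_BAD


def derive_credential(master_secret: bytes, origin: str) -> str:
    """Root-mistake fix: the value that is actually submitted depends on the
    origin it is submitted to. The user never types the master secret, so a
    wrong site only ever sees a value that is useless anywhere else."""
    return hmac.new(master_secret, origin.encode(), hashlib.sha256).hexdigest()


def real_site_accepts(master_secret: bytes, presented: str) -> bool:
    """The genuine site checks a presented credential against its own origin."""
    expected = derive_credential(master_secret, REAL_ORIGIN)
    return hmac.compare_digest(presented, expected)


def replay_succeeds(master_secret: bytes, phishing_origin: str) -> bool:
    """Simulate the user submitting at a phishing site, then the attacker
    replaying whatever was captured against the genuine site."""
    captured = derive_credential(master_secret, phishing_origin)
    return real_site_accepts(master_secret, captured)


if __name__ == "__main__":
    secret = b"constructed-master-secret"
    # The blocklist lets the new lookalike through; the bound credential makes
    # the capture worthless even though the user still "entered" it there.
    print("blocklist allows new lookalike:", surface_fix_allows(NEW_LOOKALIKE))
    print("captured credential replays:", replay_succeeds(secret, NEW_LOOKALIKE))
```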
2009-11-18
Universities are open environments
One of the things that's led to the university Internet environment changing (per an earlier entry) is that universities are open environments in general and especially in terms of services. In this they are fundamentally different from companies, which can be much more closed and closeted environments.
I think that there are three reasons for this. First, there is a much different relationship between many people at the university and the university. In a company, everyone 'at' or 'in' the company is working for the company, but in a university the majority of the user base is effectively customers, and this creates significantly different expectations.
Second, one way that these expectations manifest is that a company has much more scope to plead security and secrecy in order to keep services inside its walls. In a company you can assert with a straight face that you have privacy concerns in putting company email on some outside provider. In a university, the students will say 'so what? I don't care'. And in general I think that there is more acceptance of secrecy and security as valid concerns at a company than at a university; at a company they are defaults, while at a university there is at least a theory of transparency and operating in the open.
Finally and I think significantly, universities are open in good part because people are flowing through them all the time. Every year N people show up and N people leave, more or less, and at least in theory these people should be significant users of your services. This constant and significant flow works to destroy any insularity and ignorance about the outside world's progress that might build up in general, and when combined with the relation between students and university creates an environment where you are constantly justifying your services to the next generation of arrivals (whether or not you realize it).
(This degree of turnover is also another strike against claims of secrecy and security. As I've said before, at a university you have to assume that there are plenty of evil people already inside your organization.)
Or in short: the university is open because people keep walking through, bringing in knowledge of the outside (and leaving with knowledge of the university).
2009-11-11
For universities, the Internet world has fundamentally changed
Once upon a time, the Internet was just something that you used to communicate with other universities (and companies). One consequence of this was that the university needed to provide everything for its own people; all of the services they needed had to come from the university.
This is no longer the case for universities. Increasingly, people no longer want you to be their service provider (partly because they already have their own), and on top of that other people can do bits of it better than you can (consider Google Mail versus your typical university webmail interface).
This is a major, wrenching change in how you think about providing services, and part of what makes it wrenching is that expectations have to be changed too. To put it bluntly, you can't be held responsible for the service being available, because there will be times that the service is unavailable or broken for reasons that are completely beyond your control.
This is, I think, not a trivial thing. 'Responsibility' is burned very deeply into organizations; it's in people's attitudes towards their jobs, in mission statements and organizational descriptions, and in expectations by higher administration. Letting go is hard, because it is such a fundamental change; you stop being responsible for user email, for example, and instead become 'responsible' merely for making the best choice of outside provider (or running it yourself, but let's be honest here, Google is better if you can use it).
(This assumes that you do just become responsible for picking the best outside provider. If in practice you will be held responsible if something unforeseeable goes horribly wrong with the outside provider, then the sensible and predictable managerial response is to keep doing as much in house as possible.)
PS: application to the general university tension between locally provided services and centrally provided services is left as an exercise for the reader.