Wednesday, July 11, 2007

Security and Trust

Chris Brogan and I have had a few discussions on security and one of our recent discussions inspired this post:

One of my many hats is that of a security "expert". A lot of times security comes across looking like the bad guy. They are the ones who shut you down, tell you no, and throw a pile of requirements at you. Even when they talk about security it often seems completely irrelevant or like some corny version of Reefer Madness. Even I often come out with a line like:
"Security is about confidentiality, availability and integrity (CAI)." That's nice, Goldie, but what do I care?

All the security books will give you some version of the CAI definition. It is a nice way to break things down - but what security is really about is trust - how we define it, how we build it, and how we ensure it.

In that sense security is about us: as much as applications need to provide some fundamental security, that security also relies on us.

Confidentiality - What a dry word with so much potential. Usually this word reminds one of secrets, and, with much of computer security's origins being in the military, it is often about making sure secrets are kept and that only "people that need to know know". How relevant is that in a Web 2.0 world where we twitter like no one is watching?

But wait, if you look at the word, it is related to the word "Confidence". Confidentiality relates to confidence. Even as we share we take others into confidence in some matters that we would not share with others. We want and trust that information that is intended for one person goes to that person, and not to another. We rely on the programs to ensure that the messages go to their intended place, and we rely on the person to ensure that they are the ones who will read and reply to these messages.

Availability - Well, it is a snap to see why availability matters. Anyone who has dealt with their favorite online application's down time - or seen too many LOLcats - knows how critical availability is. Depending on how critical a service is, if it cannot be available reliably we cannot trust it to perform its function.

Integrity - Even if a bit stuffy, this word is a bit easier to relate to, and perhaps the most critical component of social networks. Integrity is often about data - the asset server that doesn't lose our inventory, or the mail that doesn't become corrupt. But integrity is also about communications.

It can be the simple fact that my words don't change on this page unless I edit them. It also is the ability to trust that someone else cannot post words for me, or that the words that I hear from a person came from that person.

We rely on the integrity of the system to present our identities. But at the same time the system relies on us to identify ourselves, and we are part of the system of integrity. Without integrity, fast communication would happen but the bonds of connection that we develop would not - because integrity is necessary for trust.

There are many features that people identify as Web 2.0, but what strikes me as being the most prominent is the element of connection. Whether through tagging & linking or through twittering & sharing data, more and more Web 2.0 is about the connections we make. These connections are built on trust, and that trust is built on a non-tangible platform where the assurances of identity come from digital marks that are protected through confidentiality, availability and integrity - both the systems' and ours.
