Finding Your Model

Oct. 27, 2008

Being in the security business gives you an interesting view of the world. Recently, my wife purchased a piece of art for a bathroom we remodeled. It was a reproduction of a 16th century van Utens painting of the Villa Marignolle, a country manor outside Florence built for the Medicis. As I gaze at the beautiful painting, I realize it is actually a design plan and a model representation of the physical security attributes of the famous estate.

The painting clearly shows the outside perimeter of the property, which includes a large gate set into a high protective fence. An access road runs along the outside of the property to provide controlled access to outbuildings for tradesmen and deliveries. A stone enclosure surrounds an inner courtyard near the house so that children in residence can be monitored from the house proper. Decorative iron grates shield the windows on the ground floor.

I shared my observations with my wife, who immediately labeled me a lousy art critic. I explained that the note that came with the painting stated it was originally commissioned by the family to help them envision the completed structure and design for the surrounding gardens. The Flemish painter was going by the descriptions of the architect, the brilliant engineer and artist Bernardo Buontalenti, to render the home before it was completed. It was obvious the issue of security was central to planning the estate for this wealthy and powerful family.

Throughout recorded history, the most effective model for planning and implementing physical security has been some form of representation of the property: a blueprint or even a scale model. I've read about a beautiful model of China's Forbidden City that was used by the former emperor's security detail to assign posts to guards. By using these models, architects, designers and security professionals are able to look for potential vulnerabilities and plan appropriate security safeguards.

Architects and engineers still use models today. Take a look at the myriad changes taking place on the Mall in Washington, DC and around the White House. You can bet the engineers are using blueprints that were drafted with security as a primary component.

Other security disciplines require the use of models as well, although they may not be blueprints or 1/32 scale buildings. For example, those of you who work in personnel security also apply a model, which I call the trust model, whereby you seek to ascertain a person's level of trust. Security is not an either/or proposition; it is a matter of degree. The same is true for the trust model in personnel security. The amount of trust an organization places in someone is plotted along a scale whose endpoints are "absolutely" and "not at all." The nature of the organization's information and mission, as well as the individual's role within the organization, will help set the required standard.

When I was selected as a military officer to work at one of those three-letter agencies near Washington, DC, the first hurdle I needed to surmount involved personnel security. Because of the nature of the work, this organization treated personnel security very seriously, and the trust model trended toward the absolute end of the scale.

As part of the process, I was sent to a motel in a town two hours away to meet a military polygrapher and an agency security agent in a cheap suit. As part of its trust model, the agency wanted to help me remain free of the threat of blackmail by ensuring any secrets or closeted skeletons were exposed.

During the torturous daylong event, I was queried about a wide variety of lifestyle issues. At one point I was asked if I had ever forged a government document. When I answered in the affirmative, I saw the tester's eyes shoot up, and he immediately turned off the equipment and disconnected the sensors from my chest and fingers. The security agent reached to turn on a camera to tape the discussion I knew would be required. The obvious questions followed: What had I forged? When had I forged it? Who knew about it? What was I trying to do? I explained that it was common practice in the military in the age of the Selectric III™ typewriter to make random errors in performance reports. If the author or endorser of one of these faulty reports had already been reassigned, it was often necessary to copy his or her signature to a corrected copy. We usually asked the departing supervisor to sign a couple of blank forms, but occasionally it was necessary to forge a signature in order to ensure a performance appraisal was submitted in a timely manner.

I saw the polygrapher and the agent exchange a weary glance. They told me that was no big deal, and not what they were looking for. The camera was shut off. I sighed in relief, and the polygrapher proceeded to lash me up to the sensors so we could continue.

The questioning went on for several hours with pauses at least three more times as I answered a question truthfully only to have the testing stopped, and the filming begin again. After it was finally over and I was emotionally and physically exhausted, the polygrapher looked at me and said he would bet a month's pay that when I was a kid my Mom would just haul off and slap me when I would try to lie. I told him he would win that bet. He told me I was such a lousy liar, he didn't even need the equipment.

The trust model I lived within while I was employed there also meant the agency needed to know where I went, and they needed to know about anyone I met who might be a potential enemy or a spy. The severe trust model they employed was considered necessary to protect their sensitive information and critical assets.

When security professionals wrestle with information technology security, the models become a little harder to define. What does it mean for a computer system to be secure? Can information be secure? How would you define information security, and how can you measure it? For years, the federal government wrestled with this dilemma.

The result of the government efforts was a series of books that outlined the technical requirements for enforcing security controls. It began with the Trusted Computer System Evaluation Criteria (the 1983 "Orange Book"), built around a formal access-control model designed to describe every permitted relationship between subjects (users and the processes acting for them) and objects (data). Because the criteria were originally developed when barn-sized mainframes were leading edge, it became necessary to publish interpretations of them for emerging technologies, such as the Trusted Network Interpretation for networks and the Trusted Database Interpretation for large-scale databases. Ultimately, the criteria became known as the Rainbow Series (for the array of colorful covers), and it required four feet of shelf space to accommodate the entire set. The series became obsolete as technology continued to evolve, and it became impractical, if not impossible, to continue to write new criteria for all the products, protocols and systems being developed and deployed.

The problem with a technical model approach lies in establishing models that are tied to the technology. When you base your model on the products and tools used to transmit, store and process the information, you need to change it every time any of them changes. For example, if you define how a specific protocol needs to be configured to be secure, you will need to update those security criteria every time the protocol changes.

The same problem exists for what are known as best practices. Best practices are usually codified as a set of tools and configurations deemed to provide adequate security for a "common" technology environment. Best practices also carry the added problem of defining what adequate security is without any consideration of the sensitivity of the information or the threat environment of the IT system: the same checklist is handed to the organization guarding trade secrets and to the one publishing a bus schedule.

A more effective model for information security is to define the security attributes of the information itself and to apply the security safeguards as the information passes through the primary states of transmission, storage and processing. The classic security attributes of confidentiality, integrity and availability provide a comprehensive structure to map your security requirements based on the context of the threat environment and the relative value the organization places on its information resources.

Taking this higher-level approach allows you to create a model that will provide an effective security plan even as technology and your IT environment evolve. The 16th-century van Utens painting of the Villa Marignolle has evolved from a simple model to classic art. It's time we developed information security models that can also withstand the test of time.
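The two dimensions named above, the security attributes and the states the information passes through, form a nine-cell grid, and a model built on that grid can be checked mechanically. The following is an added example, not code from the column or from the author's book: it assigns each cell a required safeguard level from the organization's valuation of each attribute and the threat level of each state (the max-of-the-two rule is an assumption made for this example), tags controls by the attributes and states they protect rather than by product, and reports the cells where coverage falls short. The asset valuation, threat levels and controls are constructed sample data.

```python
"""Attribute-by-state coverage check, an added illustration of the model
described in the text. Nothing here is drawn from the author's published
methodology; the scoring rule and sample data are assumptions."""
from itertools import product

ATTRIBUTES = ("confidentiality", "integrity", "availability")
STATES = ("transmission", "storage", "processing")
CELLS = tuple(product(ATTRIBUTES, STATES))


def required_levels(valuation, threat):
    """Required safeguard level (1..3) for every (attribute, state) cell.

    valuation: attribute -> 1..3, how much the organization values it.
    threat:    state -> 1..3, how hostile the environment is in that state.
    Rule assumed for this example: the higher of the two drives the requirement,
    so a low-value attribute in a hostile state is still protected.
    """
    return {(a, s): max(valuation[a], threat[s]) for a, s in CELLS}


def achieved_levels(controls):
    """Strength of the strongest control covering each cell, 0 where none applies.

    A control is tagged only by what it protects, not by the product that
    implements it, so swapping one product for another leaves the grid unchanged.
    """
    achieved = dict.fromkeys(CELLS, 0)
    for control in controls:
        for cell in product(control["attributes"], control["states"]):
            achieved[cell] = max(achieved[cell], control["strength"])
    return achieved


def coverage_gaps(valuation, threat, controls):
    """Cells where achieved protection is below the requirement: cell -> (required, achieved)."""
    required = required_levels(valuation, threat)
    achieved = achieved_levels(controls)
    return {cell: (required[cell], achieved[cell])
            for cell in CELLS if achieved[cell] < required[cell]}


def render_grid(valuation, threat, controls):
    """Plain-text grid (one row per attribute) showing achieved/required per state."""
    required = required_levels(valuation, threat)
    achieved = achieved_levels(controls)
    lines = ["attribute        " + "".join(f"{s:>14}" for s in STATES)]
    for a in ATTRIBUTES:
        row = "".join(f"{achieved[(a, s)]}/{required[(a, s)]:<12}" for s in STATES)
        lines.append(f"{a:<17}{row}")
    return "\n".join(lines)


# Constructed sample data: a record whose secrecy matters most, crossing a
# hostile network, resting on moderately exposed storage, processed in-house.
SAMPLE_VALUATION = {"confidentiality": 3, "integrity": 2, "availability": 1}
SAMPLE_THREAT = {"transmission": 3, "storage": 2, "processing": 1}
SAMPLE_CONTROLS = [
    {"name": "encrypted, authenticated channel",      # e.g. any current transport protection
     "attributes": ("confidentiality", "integrity"), "states": ("transmission",), "strength": 3},
    {"name": "encrypted volumes with access control",
     "attributes": ("confidentiality",), "states": ("storage",), "strength": 2},
    {"name": "off-site backups",
     "attributes": ("availability",), "states": ("storage",), "strength": 2},
]

if __name__ == "__main__":
    print(render_grid(SAMPLE_VALUATION, SAMPLE_THREAT, SAMPLE_CONTROLS))
    for cell, (need, have) in coverage_gaps(SAMPLE_VALUATION, SAMPLE_THREAT, SAMPLE_CONTROLS).items():
        print(f"gap: {cell[0]} during {cell[1]}: need {need}, have {have}")
```

Run as a script, the grid shows that the sample controls cover the wire well but leave six cells short, among them confidentiality and integrity during processing, where nothing at all is tagged, and availability during transmission, which a confidentiality-minded control set tends to forget. The point of the exercise is that the requirement side of the grid never mentions a product or protocol; when the transport technology changes, only the tag on one control changes, and the rest of the plan survives.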

John McCumber is an IT security professional and the author of Assessing and Managing Security Risk in IT Systems: A Structured Methodology from Auerbach Publications. He can be reached at [email protected].
