The Natural Order of Security
[originally published in 2007, this is one of my more popular and controversial posts]
All security technology adoption follows a predictable pattern. I believe that this pattern will reveal many exciting new benefits for the market.
The pattern has four parts: Authentication, Authorization, Administration, and Audit. The 4 A’s of Security.
Throughout history – and I’ve tested this across several centuries of historical records – societies, organizations, states, and even security programs in corporations follow (or establish) this same recurring pattern.
Optimal security adoption follows a natural pattern
People, organizations, governments, and societies do not want security; they want the benefits of security. That is why, throughout history, whenever people have organized themselves for social benefit or for their own protection, they have taken steps to secure themselves quite naturally.
We are not them
They create a criterion by which they may distinguish “us” from “others.” Us from Them. Those people thus create an answer to the first question, “who are you?”
We do this, not that
The obvious next step is to set boundaries of behavior and property, since the group of “us” is agreeing to act a certain way, to treat ourselves a certain way, and to live in a certain geography. We create boundaries (fences, walls, moats, gates, doors, firewalls) to allow the community of “us” to live undisturbed by those who would disrupt our life. This answers the second question, “What is expected of you?” or “What may you do?”
These are our protocols
When we define ourselves, or add new members, we naturally set up systems to administer changes. We may make laws or policies to govern ourselves and to regulate the definition and limits of exposure to others. All of this answers the third question, “How do we manage it?”
How is it working?
With people and contexts defined, protective controls in place, and policies outlined, the obvious fourth question is “What happened?” or “What is happening?” We must know the answer to that question in order to understand whether our people and systems really are who they say they are, whether they are doing what they ought to be doing, and whether our laws and policies are working for the benefit of the group.
Start Over and Improve
Once we’ve answered the fourth question of what happened, we know how to improve the systems. We start over, improving or refining the contexts for identifying ourselves and others. We go from simply treating all of us as the same and all of the others as outsiders, to understanding that even among ourselves there are differences, and among outsiders there are levels of “other-ness.” So we improve identification and authentication with levels of passwords or secret handshakes. That causes us to refine and modify the authorization or perimeter controls, allowing outsiders to come in for trade, limited interactions, or alliances. Those actions of course cause us to revisit our policies and systems of administration – now much more complex than before.
And most important of all, we take stock once again: we audit how well, how efficiently, and how effectively our entire system works.
Then we start over again, improving, refining, redefining, and so forth. Who are you? What may you do? How do I manage it? And what happened? These four questions drive the regular, natural, and predictable pattern of all security adoption. Repeatedly. Predictably.
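As an added illustration (not part of the original post), here are the four questions modelled as one small loop in Python: a community that authenticates members, authorizes actions, administers grants, audits every decision, and then starts over by acting on what the audit shows. The names, secrets, and actions are constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass, field
import hashlib, hmac

def digest(secret: str) -> str:
    return hashlib.sha256(secret.encode()).hexdigest()

@dataclass
class Community:
    members: dict = field(default_factory=dict)  # name -> secret digest ("who are you?")
    grants: dict = field(default_factory=dict)   # name -> allowed actions ("what may you do?")
    log: list = field(default_factory=list)      # every decision ("what happened?")

    # Administration: enrol a member and set what they may do ("how do we manage it?")
    def admit(self, name: str, secret: str, actions: set) -> None:
        self.members[name] = digest(secret)
        self.grants[name] = set(actions)

    # Authentication: constant-time comparison against the stored digest
    def authenticate(self, name: str, secret: str) -> bool:
        stored = self.members.get(name)
        return stored is not None and hmac.compare_digest(stored, digest(secret))

    # Authorization: only a known member with a matching grant gets through;
    # every attempt, successful or not, is appended to the audit log
    def request(self, name: str, secret: str, action: str) -> bool:
        known = self.authenticate(name, secret)
        allowed = known and action in self.grants.get(name, set())
        self.log.append((name, action, known, allowed))
        return allowed

    # Audit: who keeps knocking from outside, and which members overreach
    def audit(self):
        strangers = Counter(n for n, _, known, _ in self.log if not known)
        overreach = Counter((n, a) for n, a, known, ok in self.log if known and not ok)
        return strangers, overreach

def run_cycle() -> Community:
    c = Community()
    c.admit("alice", "hunter2", {"farm", "vote"})   # constructed member
    c.request("alice", "hunter2", "farm")            # member doing member things
    c.request("alice", "hunter2", "decree")          # member overreaching
    for _ in range(2):                               # unknown outsider, knocking twice
        c.request("bob", "guess", "trade")
    strangers, _ = c.audit()
    # Start over: administration acts on the audit, admitting a recurring
    # outsider with a narrow "trade" grant rather than full membership
    for name, hits in strangers.items():
        if hits >= 2 and name not in c.members:
            c.admit(name, "trade-token", {"trade"})
    return c
```

After `run_cycle()` the audit still records bob's two failed attempts and alice's overreach, and bob can now trade but not vote; the next round of audit would show whether that narrower grant is being respected.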