The Natural Order of Security

[originally published in 2007, this is one of my more popular and controversial posts]

All security technology adoption follows a predictable pattern. I believe that this pattern will reveal many exciting new benefits for the market.

The pattern has four parts: Authentication, Authorization, Administration, and Audit. The 4 A’s of Security.

Throughout history – and I’ve tested this across several centuries of historical records – societies, organizations, states, and even security programs in corporations follow (or establish) this same recurring pattern.

Optimal security adoption follows a natural pattern
People, organizations, governments, and societies do not want security; they want the benefits of security. That is why, throughout history, when people have organized themselves for social benefit or for their own protection, they have taken steps to secure themselves very naturally.

We are not them
They create a criterion by which they may distinguish “us” from “others.” Us from Them. Those people thus create an answer to the first question, “who are you?”

We do this, not that
The obvious next step is to set boundaries of behavior and property, since the group of “us” are agreeing to act a certain way, or treat ourselves a certain way, and live in a certain geography. We create boundaries (fences, walls, moats, gates, doors, firewalls) to allow the community of “us” to live undisturbed from those who would disrupt our life. This answers the second question, “What is expected of you?” or “What may you do?”

These are our protocols
When we define ourselves, or add new members, we naturally set up systems to administer changes. We may make laws or policies to govern ourselves and to regulate the definition and limits of exposure to others. All of this answers the third question, “How do we manage it?”

How is it working?
With people and contexts defined, protective controls in place, and policies outlined, the obvious fourth question is “What happened?” or “What is happening?” We must know the answer to that question in order to understand whether our people and systems really are who they say they are, whether they are doing what they ought to be doing, and whether our laws and policies are working for the benefit of the group.

Start Over and Improve
Once we’ve answered the fourth question of what happened, we know how to improve the systems. We start over, improving or refining the contexts for identifying ourselves and others. We go from simply treating all of us as the same and all of the others as outsiders, to understanding that even among ourselves there are differences, and among outsiders there are levels of “other-ness.” So we improve identification and authentication with levels of passwords or secret handshakes. That causes us to refine and modify the authorization or perimeter controls, allowing outsiders to come in for trade, limited interactions, or alliances. Those actions of course cause us to revisit our policies and systems of administration, now much more complex than before.

And most important of all, we take stock once again, we audit how well, how efficiently and effectively our entire system works.

Then we start over again, improving, refining, redefining, and so forth. Who are you? What may you do? How do I manage it? And What happened? These four questions drive the regular, natural, and predictable pattern of all security adoption. Repeatedly. Predictably.

  1. Anonymous
    January 27, 2007 at 11:35 am

    Steve,
    In the post about the natural order of security you’ve described the “concept of self”. This is indeed an important part of how societies maintain order. An orderly society requires that individuals identify others as part of their concept of self. People who identify themselves with the rest of the society will give their lives in times of war to protect and continue the society. In this society the word selfish is a pejorative while the word selfless is a compliment. A common goal of all security systems is to protect “us” from “them”.
    Throughout history geography has been a large part of distinguishing “us” from “them”. Identity is learned early in life and is almost wholly dependent on what is taught as the Truth. When you could just put a wall around the city and keep out all outside influences children grew up learning only about “us” and came to identify with “us”. Adults who didn’t follow the rules were labeled as criminals and punished. People who acted against the good of the society were labeled traitors and executed.
    Those simple days are gone forever. Security can no longer be based on geography. Airplanes can fly over any wall while the web comes in under (subverts?) the wall. In this new world of free information from everywhere we have people growing up as neighbors, but with wildly differing understandings of how they fit in society. Birth certificates are of little use to distinguish us from them. Since no conceivable security system can see into people’s minds we now have to use behavior to distinguish between the good guys and the bad guys. That’s why Homeland Security wants to see into our travel history and banking activity. That’s why yours truly spent the last year of the last century creating a security system based on “behavior recognition”.
    This is a good topic for Security Dreaming. How do we protect us from them if we don’t know who’s who?
    The concept of self is a field of study far beyond the scope of dreaming about better security. See http://www-psych.stanford.edu/~hmarkus/articles/culture_self.pdf for more (a lot more) on the topic.
    Maurice Garoutte
