The first piece of assigned reading in my graduate studies is a paper by Maconachy et al. entitled “A Model for Information Assurance: An Integrated Approach”. It is the first of many I plan to be reading for the Enterprise Security Management class, which is a broadly scoped class dealing with security and policy from a managerial point of view. This latest sweep of courses follows the Information Assurance (IA) standard that is torching older concepts of computer and data security.
By and large, the paper is extremely simple (and quite short), but I’m not really aware of how influential this paper has been over the years. It was written in 2001, and I have been told that it’s the seminal piece of this entire movement…but that’s really hard for me to believe. Especially since the McCumber INFOSEC Model (the McCumber Cube) was published in 1991, and this paper basically just tosses that model into a “fourth dimension” and expands, a little ridiculously, the characteristics part of the model.
The contributions that I see to the model’s data characteristics are trivial distinctions in the terminology. The new Information Assurance Model (a.k.a. McCumber Cube 2.0) merely splits the three Information Characteristics into five Security Services. Their main contention with the earlier work, I infer, was that the loose definition of data integrity was insufficient to outline what was really needed. Their addition of Authentication and Non-Repudiation may have merit, as Integrity of data is commonly used to measure immutability and structural continuity, but I don’t see it as necessary for those with a background in data integrity. I guess if everyone is reading something, it’s probably good that everyone from CIOs to hackers sees the distinction between the data integrity itself and the integrity of the source and the retrieval process.
Regarding my statement on, and obnoxious quotation of, their “fourth dimension”, this paper added the additional, singularly organic concept of Time to this idea. Where most previous outlines have neglected this concept, I do see the point they make with the steady changes over time. My experience in this area isn’t immense so I don’t know if they’re singularly responsible for this idea, but the modeling of that idea is actually quite sound.
For me, this concept of adapting security over time is a lot like dropping a 12-gallon, cube-shaped water mass (in honor of McCumber) into an 8-gallon bucket with a hole in it. If you figure the water is about 6 feet up, then there are a few reasons why a lot of the water isn’t going to make it into the bucket to begin with: it’s just not a perfect match. When it does hit the bucket there’s going to be a pretty large splash, and a lot of what was put in place will be thrown out right away. The last few phases are a sort of balancing until the surface water is still. Unfortunately, still water is the worst place to be, and you’re never going to have a completely full bucket unless you’re measuring and adding slowly until you’ve balanced the flow of water coming in against the water draining out of that hole. This image is simplified, but it’s pretty apt.
It is important for me to point out that any negative perspective I have regarding this paper may not be for any other reason than because a perfect, albeit figurative, cube was converted into an elongated box which poses as a cube. I’ve been known to commit worse acts of hostility, but I’m just all about cube-equality.
The biggest point that I share with people is that technology is the cutting edge, and the very tip of that edge is security. This is being validated at an ever-increasing rate with the growth of cloud computing and high-availability online systems. Not only do IA standards address this, but they also encourage the constant measurement and addition of water. Google, Amazon, and all the other big players need to have this technology and need to assess it with respect to time and progress. While this paper did bring out those concepts, I don’t know how much this was solidified beyond existing standards. But I’m not too worried about Google missing the boat on this.
The entire movement to IA is quite interesting to me, and I’m looking forward to getting more exposure in the coming months. Most of my closest colleagues know that I’m much more interested in policy than your normal CS geek. Actually, I’m fully cognizant of the fact that policy makers hold all of the power and still get to see a lot of the fun. My ideal job would be working for a leading, technology-driven agency and pioneering/expanding policy while getting to sit in on disciplinary and review committees to observe the impacts of changes being made. At least that’s what I see right now; this ESM class will probably make or break it for me.