It's not cost effective (or realistic, for that matter) to protect everything. Instead, put your risk management chips on the assets you really need to protect: identity, transactions, and data in most cases. Dave Kilcullen, blogging at Small Wars Journal on Two Schools of Classical CounterInsurgency, contrasts two models in a way that is instructive to security architects:
Discussion of the new Iraq strategy, and General Petraeus’s recent Congressional testimony have raised the somewhat obvious point that the word “counterinsurgency” means very different things to different people. So it may be worth sketching in brief outline the two basic philosophical approaches to counterinsurgency that developed over the 20th century (a period which I have written about elsewhere as "Classical Counterinsurgency"). These two contrasting schools of thought about counterinsurgency might be labeled as “enemy-centric” and “population-centric”.
The enemy-centric approach basically understands counter-insurgency as a variant of conventional warfare. It sees counterinsurgency as a contest with an organized enemy, and believes that we must defeat that enemy as our primary task. There are many variants within this approach, including "soft line" and "hard line" approaches, kinetic and non-kinetic methods of defeating the enemy, decapitation versus marginalization strategies, and so on. Many of these strategic concepts are shared with the population-centric school of counterinsurgency, but the philosophy differs. In a nut-shell, it could be summarized as "first defeat the enemy, and all else will follow".
The population-centric approach understands counter-insurgency as fundamentally a control problem, or even an armed variant of government administration. It believes that establishing control over the population, and the environment (physical, human and informational) in which that population lives, is the essential task. Again, there are many variants within this approach, including some very hard-line methods and some softer approaches, but the underlying philosophy is "first control the population, and all else will follow".
...
As an example of the need to read the battle and adapt, I hope you will forgive a brief personal anecdote. In Timor in 1999 I worked closely with village elders in the border districts. I sat down with several of them one afternoon to discuss their perception of how the campaign was progressing, and they complained that the Australians weren't securing them in the fields and villages, that they felt unsafe because of the militia (the local term for cross-border guerrillas) and that we needed to do more to protect them. In actual fact, we were out in large numbers, securing the border against infiltration, patrolling by night, conducting 14 to 21-day patrols in the jungle to deny the militias a chance to build sanctuaries, and working in close in the villages to maintain popular support. There had not been a single successful attack by the insurgents on the population for more than two months. So, "objectively", they were secure. But -- and this is the critical point -- because our troops were sneaking around in the jungle and at night, staying out of the villagers' way and focusing on defeating enemy attempts to target the population, they did not see us about, and hence did not feel “subjectively” secure. This was exacerbated by the fact that they had just experienced a major psychological trauma (occupation, insurgency, mass destruction and international intervention) and as a society they needed time and support for a degree of "mental reconstruction". Based on their feedback (and that of lots of other meetings and observations) we changed our operational approach, became a bit more visible to the population and focused on giving them the feeling, as well as the reality, of safety. Once we did that, it was fine.
In other words, we had to shift from a more enemy-centric approach to a more population-centric approach to adjust to the developing situation. My personal lesson from this experience was that the correct approach is situation-dependent, and the situation changes over time. Therefore the key is to develop mechanisms that allow you to read the environment, to be agile and to adapt, as John Nagl showed so brilliantly in Learning to Eat Soup with a Knife.
So, in summary, two broad philosophical approaches in classical counterinsurgency (and remember it's classical 20th century counterinsurgency we're discussing here) -- population-centric, and enemy-centric. Both have merit, but the key is to first diagnose the environment, then design a tailor-made approach to counter the insurgency, and - most critically - have a system for generating continuous, real-time feedback from the environment that allows you to know what effect you are having, and adapt as needed.
The enemy-centric approach is very reminiscent of the firewall/DMZ style of security architecture. In this approach we use firewalls to keep the bad guys "outside" and the good guys "inside", forgetting that the world is not neatly divided into good guys and bad guys. We may actually employ bad guys inside the firewall, for one thing. For another, who cares about dividing the world into good and bad? What we need to do is protect our populace. In enterprise security our populace means our users' identities, transactions, and data. Message-level security is one good way to do this: use WS-Security or SAML to protect the message, and do not assume that you can rid the environment of malice. Protect your assets so they are operable in a malicious environment. Some examples of message-level security in web services are in the DHS Build Security In paper I wrote with Howard Lipson at CERT, Security Concepts, Challenges, and Design Considerations for Web Services Integration.
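To make the contrast concrete, here is an added sketch (not from the original post or the DHS paper) that puts a perimeter-style check beside a message-level check. It is a simplified stand-in for what WS-Security provides, using an HMAC over the message in place of XML Signature; the key, the "inside" address prefix, the field names and the freshness window are all assumptions made for the illustration.

```python
import hashlib
import hmac
import json

# Constructed demo key; a real deployment would use per-sender keys or X.509
# certificates as WS-Security does, not one hard-coded shared secret.
SHARED_KEY = b"constructed-demo-key"
INSIDE_PREFIX = "10."   # assumed "inside the firewall" address range
MAX_AGE = 300           # assumed freshness window, in seconds


def canonical(body):
    # Stable byte encoding so sender and receiver MAC the same bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def protect(subject, payload, nonce, issued_at, key=SHARED_KEY):
    """Sender: bind identity, transaction data and freshness into one MAC."""
    body = {"subject": subject, "payload": payload,
            "nonce": nonce, "issued_at": issued_at}
    mac = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}


def perimeter_accepts(source_ip):
    """Enemy-centric check: trust anything that arrives from 'inside'."""
    return source_ip.startswith(INSIDE_PREFIX)


def message_accepts(msg, now, seen_nonces, key=SHARED_KEY):
    """Asset-centric check: verify the message itself, wherever it came from."""
    body = msg.get("body")
    if not isinstance(body, dict):
        return False
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), str(msg.get("mac", "")).encode()):
        return False                       # altered in transit or forged
    if abs(now - body.get("issued_at", 0)) > MAX_AGE:
        return False                       # stale message
    if body.get("nonce") in seen_nonces:
        return False                       # replay of an earlier message
    seen_nonces.add(body.get("nonce"))
    return True
```

A message altered by a host inside the trusted range passes `perimeter_accepts` but fails `message_accepts`, which is the point of protecting the asset rather than the boundary.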
It's diseconomic to try to divide the whole world into good and bad (in consulting we call this boiling the ocean); instead, focus on what you know: your users, your transactions, your data. If you have not read Dan Geer's Shrinking Perimeter, this is a good time to do so -- trust but verify, y'all.