By Mark O'Neill | October 9, 2009 12:00 PM EDT
I saw this tweet this morning and I thought "+1" (I guess I am a geek if I am thinking in Digg/Slashdot shorthand).

The problem is that in Information Security, "security" is all-too-often used to mean only encryption. A line is considered "secure" if it's encrypted. But often, the real "security" requirements are much broader and include management (as in access management, identity management), business continuity defense against denial-of-service, and privacy.
I think language is a big issue here. I've always found it interesting that in German, the words for "security" and "certainty" (Sicherheit, literally "sureness") are the same. In French, the words for "safety" and "security" are also the same (sûreté, again literally "sureness"). So, in those languages, "security" has a broad definition, incorporating senses of dependability, management, and safety. I can see how the French and German words fit with the broad information security concepts of business continuity, "management" (access management, identity management), and "safety" that users (and their data) will be protected. But the English language word "security" lets us down.
I read something similar in the BBC's "Letter from Europe" column a few years ago:
A friend and colleague who is annoyingly fluent in half a dozen languages notices the growth of something he calls "Brussels English". One example he gives is the persistent use of "security" to mean "safety", perhaps because in French and German they are the same word. This habit has evidently spread to England too. He cites an example at Waterloo Station, which requests that people put their hot drinks down while going through the ticket barrier "for their own security". But surely it is their safety, not security, that is at risk?
But that sets me musing on whether this is a reaction to a rather modern use of the word "security" in English. When did it first acquire its current meaning in English? Wartime? When did "security guards" first enter the language?
http://news.bbc.co.uk/2/hi/europe/4601722.stm
In infosec, I think that the meaning of security as "encryption" entered the language when Bruce Schneier wrote "Applied Cryptography". Also, although undoubtedly useful, SSL and the little padlocks in browsers are partly to blame because they give the impression a site is "secure" just because SSL is used. This carried over to Web Services where people, of course, thought "of course it's secure if we use SSL". And now Cloud Computing. Just last week I had to answer a question of "We are planning to use SSL for our Cloud-based PaaS services, people will be sending in their API keys over SSL, so that means it's fully secure, right?".
Since "Applied Cryptography", Bruce Schneier has spoken on this topic. He gave a memorable talk at RSA 2006 entitled "Why security has so little to do with security". He has spoken on how "security=encryption" is literally a "false sense of security". It is the word "security" used in the wrong sense.
At Vordel, the security we provide goes well beyond cryptography, into the areas of management (access control, reporting on traffic), availability and dependability (monitoring service level agreements), and safety (ensuring data is protected). By having governance in place for Cloud resources, you have more safety and security. We also include testing tools and performance acceleration and offload to provide the sureness that a service will not go down. That encompasses the broader French and German meanings of "security" to include "safety" and "sureness", not just the narrower English language usage in Infosec to mean "encryption".
This is the reason why I 100% agree with incorporating "safety" into the meaning of "security", as Jill Tummler Singer, Deputy CIO of CIA, did in her keynotes at GovIT Expo. In this way, we can do more justice to security in general and Cloud Security in particular.
As an interesting footnote, I blogged about this before and Gunnar commented that "According to Robert Morris Sr.'s talk at DefCon last summer the word security is derived from a Greek word meaning 'carelessness'." That is funny, considering how often security is implemented carelessly. But, thinking about it, I can understand that if you have security (and safety) in place, then you have "less cares", so you are "careless" in that sense.
Copyright © 2009 SYS-CON Media, Inc. — All Rights Reserved.
Syndicated stories and blog feeds, all rights reserved by the author.
More Stories By Mark O'Neill
Mark O'Neill is Chief Technology Officer of Vordel. Vordel connects applications to applications, businesses to other businesses, and SOA to the Cloud.
A regular speaker at industry conferences, Mark holds a degree in mathematics and psychology from Trinity College Dublin and graduate qualifications in neural network programming from Oxford University.