K.I.S.S. the castle (analogy) good-bye! Okay, done - now what?

Thomas Raschke

Think for a moment about the very simple, used-to-death castle analogy with its walls, gates, guns, guards, etc. and how these parts related to early network security. The analogy certainly had its shortcomings already back then – but it nevertheless got popular because of its inherent simplicity.

In today’s complex data- and identity-driven world of security and risk management, the old castle simply doesn’t cut it any longer. Just think of examples like the skyrocketing amount of data “crown jewels” all over the place (not just in the tower), the almost constant transport of these assets to places inside and, mostly, outside of the castle, and the fact that insiders/peasants pose a much bigger risk than external attackers. Also, there is not just one king today: everybody has something worth protecting (data, identities, etc.), and the same person can in fact have multiple identities. Sure, you can add bits and pieces to the old castle metaphor, but it quickly becomes too complex and therefore useless as an analogy.

So, while most members of security academia gave up on the castle some time ago, the question is: can we provide a simple, yet somewhat holistic, concept of modern security and risk management?

Fact is, we as security professionals struggle to explain to non-security folks what it is we are doing and why we are doing it. A bit of insurance talk, a sprinkle of metrics, lots of tech explanations, and certainly a huge portion of scare tactics are still our most often applied tools. But we all know – and experience on a daily basis – that we are not making ourselves clear to LOB managers, executives, and other non-technical people.

So, is there a single, all-encompassing metaphor any longer? Or will we inevitably end up comparing the complexity of today’s security and risk landscape to, well, the “real” world? But then again, wouldn’t that ‘metaphor’ fall short of the main reason we use analogies – namely simplification? Hence, wouldn’t it be utterly useless?

Or, instead of trying to construct a next-gen analogy, do we simply have to become better at articulating ourselves? Are non-tech language, simple words, and context going to be enough to get our message across? Or should partial analogies be thrown into our new communication mix? Or does everything ultimately boil down to K.I.S.S.?

re: K.I.S.S. the castle (analogy) good-bye! Okay, done - now wh

That's easy. In particular, the analogy of armoured vehicles seems to go down well with brass (civil): 'expendable' and necessarily agile reconnaissance is done with lightly armoured vehicles; something serious like a gun is transported in a main battle tank. Regular troops are somewhere in between. If the executives (n-star, far away at the back office back home) don't do risk management well enough, roadside bombs will get the better of the troops...

re: K.I.S.S. the castle (analogy) good-bye! Okay, done - now wh

I think data-centric security is in the way, and end-to-end as well. End-to-end pass-through using only REAL secure devices/gadgets (e.g. UMPCs with Vista - which allows for UC, BitLocker and mobility/remote work - and Vista-based thin clients/terminal servers), because all those would allow for biometrics monitoring along user sessions; if a user 'goes away', the session might be locked. IPsec/SSL comms for all access (here TS 2k8 comes to help). Continuous biometrics monitoring might count on devices' CPU power potential. AND, of course, device lockdown (no pen drives, DVDs etc.), internet white-listing and general-internet-access station segregation (desktop VMs come to help here: separate 'machines' for research/interaction and 'work').