Legal Business Analysis

Winona Savings Bank vault door – secure! (c) Wikimedia, Wikipedia

What is security?

It’s all about people. And it’s all about authorisation and possession. It’s the implementation of compliance rules. And it’s not ‘about’ technology.

Frequently, ‘security’ is the thing that you grudgingly authenticate against as you use the document management system, or as you log into your systems from home.

Security is the block in place that slows you down and makes every job that little bit harder.

I mean – we all know security is important, but it’d be great if there was just a little bit less, or at least, couldn’t it apply to others who aren’t as trustworthy as me?

Security, I mean, it’s important enough that we’ve got a guy who does security. I mean, that’s his job, yeah? I think he sits in IT somewhere, and runs a training class for all new joiners to talk about security stuff and hand out keyfobs and password guidelines.

To be honest, security kinda gets in my way, right, when I try to do stuff. It’s like the opposite of making things easy!

This is common – security is a technology, a system. It’s the good-cop, bad-cop routine where usability is the good cop, trying to help you, and security is the bad cop, always trying to catch you out and trap you and making your life hard.

Let’s take a step back: these things are all manifestations of particular security solutions, but what’s security itself?

And how does it relate to usability, risk and compliance?

Thinking back to old-style security, like bank vaults: these exist to protect physical objects (like gold, money or precious stones) that could be stolen – removed from their location and taken by unauthorised people called thieves. You knew if your security had been broken because your physical objects would disappear!

How very 20th century!

The key point: your objects are now in the possession of someone who was unauthorised.

The majority of things that we secure nowadays are not physical – they are digital, virtual. If they are stolen, there may be no trace. A copy has been made, somewhere, by someone. But they are now in the hands of someone who is unauthorised.

So: Security is defining authorisation, and putting in place protection against unauthorised possession.

Information is power. Information in the wrong hands is what you are trying to protect against – and the ‘wrong hands’ might be someone at the desk next to you, or down the corridor; your secretary, or your spouse.

Here’s where security and compliance overlap:

• Compliance are the authorisation rules you promise to follow
• Security are the tools we use to implement these compliance rules
• “Risk” is (in this case) the measure of the difference between ideal compliance, and the practical implementation

Notice that usabilty isn’t mentioned here – usabilty is a factor of well-designed software. Poor usability generally leads to poor security, as people work around systems rather than comply. This means good security relies on good usability, and vice versa. But security should not prevent good usability. Bad design limits usability.

So, security is helping you to keep your promises about compliance. You made these promises several times – in your employment contract, in your engagement letter to your clients (you are writing engagement letters, in compliance with 35.2 in the SRA regulations, aren’t you?), and in the rule of law of the country you live in (e.g. Data Protection Act).

So how do you (quickly, effectively) define security for a process or a system? It’s all about roles and responsibility.

• Who should be permitted to access this information or function?
• Who should NOT be permitted?

That’s how you define it – but watch out!

• Security is all about roles and authorisation based on identify – so thieves are looking to steal your identity first!
• Stealing something that’s not obviously important is the easiest first step: a thief doesn’t go directly to the bank vault doors – they steal the keys to the security guard’s house first. Once they have the guard’s housekeys, they can steal their identity badge, uniform, and (eventually) the bank vault access codes. It all starts with the smallest information.

So security is there to protect you, and your clients, and represents the promises you made. The small, simple things are the cracks in the wall that let thieves get a foot in the door, and they’re smart and persistent. Be paranoid, and be compliant.

And remember: It’s not a technology question. Most security technology is unbreakable – except for the weakest point: YOU!