As the Balance of Security Controls Shift, Where Does Responsibility Rest?


Posted on by Kathleen Moriarty

We are in the midst of a volley of "tussles" on security control points and surveillance/privacy protections. If you are unfamiliar with the term tussle, it refers to a paper by David Clark, et. al. that describes the evolving dance between technology and policy. Tussles surrounding privacy and surveillance arise every so often, sometimes including a rebalance of the ownership or access to metadata.

The current set of tussles involves a push and pull from industry, standards, and policy with the debate remaining open as to how it will all settle out. As encryption becomes stronger and more pervasive on the Internet to protect our sessions while in transit, the ability to use traditional tools to detect malicious traffic has and will continue to diminish. At the same time, strong encryption that cannot be intercepted is promoted as part of a zero-trust architecture and is important to adopt to prevent lateral movement. Another argument in favor of strong encryption is that it prevents having points of aggregation where all traffic is visible (e.g. intrusion prevention systems holding a shared key to access and view all data).

In the recent volley, the dance includes:

This tussle is a very interesting one, shaping significant changes on the Internet in terms of how we as an industry ensure the security of sessions, data, and endpoints. The distributed nature of the Internet along with the multi-stakeholder governance model allows for and encourages these debates. The debates typically settle out with slight differences when national laws are considered due to the slight differences in historical cultural norms between nations that we may consider similar in many regards.

In some cases, it is difficult to see through the trees when we are in the midst of change. How security is integrated into products, services, and the network itself is transforming at a rapid pace. This means that security controls will settle out differently in terms of placement and responsibility than they may have in the past. Ideally, we wind up with a more secure, resilient, and easier to manage infrastructure as we work through these tussles. There are methods to provide security in these new models, and they may even provide improvements from the current state where security is not only built-in by design and by default but also managed on a scale.1

In terms of how the controls settle out, there is another important consideration, how does the responsibility balance shift with intrinsic changes to points in visibility?

___________________

[1] Transforming Information Security. K Moriarty. Emerald Publishing Ltd. 2020.

Several considerations were raised in this blog on the changes specific to ECH and summarized, those include:

  • As controls managed by the organization are eliminated (e.g. intrusion detection/prevention systems), does the responsibility to protect data and systems shift away from the enterprise? Is the browser then liable; Is the CDN liable?
  • Are enterprises still responsible for security breaches when they have little ability to intercept and prevent them?
  • Are regulatory requirements required to shift the responsibility when control points shift-left or change?
  • Does this shift-left further motivate application providers, CDNs, and browser vendors to build secure code and ensure memory safety?

Additional questions should be considered as the tussle begins to take shape as it is too early to tell what will happen with the proposal to the eIDAS. If that dance settles out as recommended in the referenced letter, a shift in balances will not occur at this time, as some technical adjustments will aid in the aims of the policy objectives, where parties work collectively.

Blog reviewers:

Sean Turner

Bret Jordan


Contributors
Kathleen Moriarty

Technology Strategist, Board Advisor, and Consultant,

Protecting Data & the Supply Chain Ecosystem

privacy policy management standards & frameworks technology sovereignty security analytics operational technology (OT Security) zero trust authentication Consumer Identity

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.


Share With Your Community

Related Blogs