Ted Goranson - Personal Blog

The blog of Ted Goranson. This is both a personal blog and an ongoing update on his projects.

Situated Enterprise Security

Published: 30 Dec 2014

I’ve been asked about the Sony break-in a couple of times now.

It was an unsophisticated attack by modern standards. The primary damage is in two areas: revealing embarrassing emails and disclosing employee information; both will prompt extensive lawsuits. Though a few movies were stolen, no real damage was done of the kind that we have seen elsewhere. North Korea is responsible for the latter action, but the original incursion was long before the offending movie was announced, and access was sold to North Korea by a different state-sponsored cyberwar group.

Many similar, deeper incursions by several bad actors are certainly setting the stage for other disruptions in every corporation and many agencies. We are in a very unsettling situation that to my mind is in the same ordinal class as human-instigated climate change, a coming water crisis and an inevitable pandemic. One reason is that such cyberacts are easy to execute, difficult and expensive to counter, and the results can be devastating. You don't want to know.

Reasonably enough, the enterprise focus has been on making break-ins harder.

An Analogy

Suppose you are a homeowner with a lot of valuable things in your house. You live in a bad neighborhood and you expect people to try to steal your stuff. You can make it hard to get into your house, bolt things down and install an alarm system. You could also support policies that imprison millions of petty crooks on the theory that it reduces the pool of bad guys.

Americans do all of these, but none will deter a determined professional. The US defense establishment does all of these on a cyberwar scale, but they won’t work either.

Here is Another Way

Simply make each component valueless and inscrutable out of context.

Look at all your stuff. It is designed to be operated by anyone anywhere. A thief can immediately identify what it is, and know its value. If he takes it to someone else, they’ll get the same value out of it.

In the enterprise systems I helped design, the situation is even worse: imagine if each door had a chart that described what was in there, what its value was and how to operate it.

Today, IT departments run general services like email differently than they do enterprise management systems, the stuff that actually does the work, but they shouldn't.

Breaking into each is easy, but those wishing to steal secrets or do real damage will focus on the latter. Knowledge of your processes is of interest to competitors, and the ability to tinker with them could do profound damage. Very likely, most companies’ enterprise systems have long since been entered by malicious forces, waiting for instructions.

A well-run shop will operate all systems under one enterprise system. Everything is there because it helps the business (or mission), right? That is what enterprise architecture, with its enterprise models and systems, is all about.

The problem is that we don’t want an empty house with no doors or windows. We want friends and family, inhabitants and visitors to come and use the place to work and be sustained. So we will never have break-in-proof enterprise systems. (And that’s before dealing with the security holes created by the NSA.)

But Suppose Everything Was Unrecognizable and Unusable

Suppose all the stuff in your house wasn’t modular and portable. Suppose it only worked in your house together with all the other stuff and it wouldn’t work at all outside the walls of the place. Any component needs the situation of the place and its other things to have any utility. Taking or copying something would be useless; they would all be dead, incomprehensible objects (possibly with tracking beacons).

It would be as if it were encrypted and the key was everything else near it, but only to those functions.
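The household metaphor above can be made concrete in code. The following is an added illustration, not code from this post or from the Computers in Industry paper it describes: an object is sealed under a key derived from its "situation", here a constructed dictionary naming the neighbouring components it is meant to operate with, so a copy carried anywhere those surrounding facts differ is inert. The construction (PBKDF2 over a canonical serialization of the situation, an HMAC-SHA256 keystream, encrypt-then-MAC) and the sample situation values are assumptions made for this example; a real deployment would bind the key to attested measurements of the surroundings rather than to plain strings.

```python
"""Situation-bound sealing: a blob is readable only where the surrounding
facts (the 'situation') are reproduced exactly.  Standard library only."""
import hashlib
import hmac
import json
import os

ITERATIONS = 100_000  # work factor for the situation-to-key derivation


def canonical(situation: dict) -> bytes:
    """Serialize the situation so the same facts always yield the same bytes."""
    return json.dumps(situation, sort_keys=True, separators=(",", ":")).encode()


def situation_key(situation: dict, salt: bytes) -> bytes:
    """Derive a 32-byte master key from the surrounding facts.  The key is
    never stored; it exists only while the situation can be reproduced."""
    return hashlib.pbkdf2_hmac("sha256", canonical(situation), salt, ITERATIONS, dklen=32)


def _subkeys(master: bytes) -> tuple:
    """Split the master key into independent encryption and MAC keys."""
    return (hashlib.sha256(master + b"enc").digest(),
            hashlib.sha256(master + b"mac").digest())


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used as a keystream for XOR encryption."""
    blocks = []
    while len(blocks) * 32 < length:
        counter = len(blocks).to_bytes(4, "big")
        blocks.append(hmac.new(key, nonce + counter, "sha256").digest())
    return b"".join(blocks)[:length]


def seal(situation: dict, plaintext: bytes) -> dict:
    """Encrypt-then-MAC the plaintext under a key derived from the situation."""
    nonce = os.urandom(16)
    enc_key, mac_key = _subkeys(situation_key(situation, nonce))
    stream = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ct, "sha256").digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def unseal(situation: dict, blob: dict) -> bytes:
    """Recover the plaintext; raises ValueError when the situation differs,
    because the MAC key (and hence the tag) no longer matches."""
    nonce, ct, tag = (bytes.fromhex(blob[k]) for k in ("nonce", "ct", "tag"))
    enc_key, mac_key = _subkeys(situation_key(situation, nonce))
    expected = hmac.new(mac_key, nonce + ct, "sha256").digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("situation does not match: object is inert here")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


# Constructed sample situation (illustrative values only): the identities of the
# neighbouring components this object is meant to operate alongside.
IN_SITU = {"plant": "line-7", "scheduler": "sched-v3",
           "erp_peer": "erp-node-2", "site": "building-B"}
# The same object carried off-site: one surrounding fact has changed.
ELSEWHERE = dict(IN_SITU, site="visitor-laptop")


def demo() -> tuple:
    """Seal in place, open in place, then try to open the copy elsewhere."""
    blob = seal(IN_SITU, b"route plan: press A -> weld B -> paint C")
    here = unseal(IN_SITU, blob)
    try:
        unseal(ELSEWHERE, blob)
        away = "readable"
    except ValueError:
        away = "inert"
    return here, away


if __name__ == "__main__":
    print(demo())
```

The point of the example is not the cipher but where the key comes from: nothing in the sealed blob identifies what it is or what it is for, and the only way to make it usable is to stand in the exact situation it was sealed in, which is the property the post asks of every enterprise component.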

You’d still lock doors and all that, but a thief wouldn’t be able to use anything you have. In fact, you may want to give tours to potential thieves to educate them on the futility of entering.

The US defense department knows something about this strategic education. During the Cold War, it wasn’t enough to build a military that could destroy the Soviets; they had to leak certain secrets about that capability. The strategy was based on knowledge, not denial of knowledge.

The General Idea

Use two reasoning systems, one of them dependent on situation.

As it happens, enterprise architects have spent the past few decades producing real productivity benefits but at the same time making enterprises more vulnerable. The problem isn’t in making better locks and tougher cops. The problem is in designing situation-oriented enterprise architectures. Is this feasible? Can ordinary companies build such enterprise systems practically and cheaply?

Yes, we can. And they’ll be much better in some welcome ways beyond security.

A Proposal for a New Direction

A perspective on the future of enterprise integration was recently authored by some of its community leaders, addressing potential solutions to known, vexing problems. It outlines an approach that could increase security while addressing those important problems.

In effect, it can support the household scenario described above: any intruder can’t understand or use what he is looking at. The paper will appear in Computers in Industry. A summary is:

Enterprise architectures and the associated enterprise information systems were originally intended to provide a framework for management of the entire enterprise, but in practice today they cover only a relatively small portion. That portion is typically limited to the information systems for production and logistics. Most productivity gains since World War II can be credited to these systems. This, incidentally, is where relatively few disastrous problems occur, and we’ve come close to running out of room for similar improvements in that area of the enterprise. So smart businesses will be shifting to the new approach anyway. What are the (non-security) problems?

One problem is the large scale of the systems involved, from sheer data volume to the number of different areas covered. This limit follows from the assumption that an enterprise model must understand a process well enough to control it perfectly. If a process is thought to be uncontrollable, we leave it out of the system.

An associated problem is complexity, which takes many forms. Some are outlined in the paper, but they all boil down to the inability to discretely model future states well enough to control them in the ‘old’ way. This complexity problem is behind many vexing issues in enterprises. A way around this is to reconsider what it means to control something. (Here you can see how this relates to the security problem. The idea of control within the enterprise is closely related to control of the enterprise.)

The paper lists a number of strategies that can be applied in the short term: reducing apparent complexity, better management education and so on. But the central recommendation is a new paradigm for understanding states, control and models. It is based on recent progress in computer science, using category theory to better understand these issues, and new logical foundations that allow one to work in terms of situations rather than states.

It is addressed to a general audience on all sides of the enterprise equation: users, suppliers and researchers. The authors are from Australia, Brazil, Denmark, India, Iran, Mexico and the US. A version of the paper that addresses security via value features is planned.

© copyright Ted Goranson, 2014