Jim Seymour wrote:
> "Marcus J. Ranum" wrote:

>> This notion that security is a matter of degree is accurate in the large
>> but inaccurate in the small. Unfortunately, we're all dealing with the
>> small.

> I must be Sith, as well. I figure it's either secure[*] or it's not.

When I first read mjr's message, I nodded at the comment and kept on
reading. After having read the rest of this thread, I think that I
agree but I also disagree with both statements. I might be splitting
hairs, but here goes:

WRT the notion that security is a matter of degree, yes it is, but when
viewed from the risk management perspective. In the Best Possible World
(TM), the selection of security controls / choices that are made when
designing the security architecture are based on risk assessments and an
organization's risk tolerance. To this extent, "security" /can/ be
viewed as relative or a matter of degree from the perspective of the
analyst and designer. However, I would argue that from the perspective
of the risk manager, a system /can/ be determined to be "secure" or not.
That's what the Certification and Accreditation process is all about.
The risk management process decides what threats it wants to manage and
how it wants to manage them. The architects design into the system a
set of controls that provide the degree of control that the risk management
process requires. The system is then tested to determine whether the
controls that are in place do what they need to do. If they do, then,
as far as the risk management process is concerned, the system is "secure."

I guess that what I'm saying is that I'd like to spin things a bit WRT
mjr's comment and say: "Yes, security is a matter of degree, but at
both the macro /and/ the micro level." Yes, at the level of the
decisions taken by the risk management process (what threats to manage
and how to manage them), but also at the level of, say, firewall rules.
After all, some organization may be willing to allow incoming traffic
on TCP 139.

WRT Jim Seymour's comment, I'd like to add a caveat. A system /can/ be
defined as "secure" iff the controls that are in place are shown to
provide the level of protection and function that were required by the
risk management process.

So the upshot of this for me is that rather than talking about
"security" and "secure," I'd rather think about it in terms of being
"secure enough." If the controls that are in place meet the
requirements of the risk management process, the system is secure enough.

Hope this made sense. I've only had one cup of coffee this morning and
my blood caffeine level is still a bit low.


firewall-wizards mailing list