Cloud Storage Threat Models

It is likely that readers of this blog know where I stand on cloud storage.  I have been fairly outspoken against the practice of storing personal data in the cloud.  Unfortunately, I realize this may be an untenable solution for many who desire – or even require – the ability to use and access cloud storage.  Even I had a personal experience recently that made me re-think the utility of cloud storage.  Cloud storage does offer the benefit of being a strong hedge against data loss.  Losing data can be crippling for an individual, and even more so to a small business.  With these factors in mind (and at the request of a reader) I have taken a look at some cloud providers and developed some cloud storage threat models.


On Balancing Security, Safety, and Convenience

There is a long-standing adage among security “people” that says convenience and security are ever at odds (or perhaps a bit more precisely put, inversely proportional). As the convenience of a given system goes up, its security will necessarily go down. Generally speaking this is true.  The convenience of a system is lent to authorized and unauthorized users alike. I would like to deal with specificity rather than generality in this post, however, and closely examine the relationship between these two concepts and one more.

Safety is the other factor that I would like to bring into this discussion. Though safety and security are closely interrelated and often used synonymously, they are different and must be examined as separate phenomena. Before we go further, I should tease out the difference between the terms safety and security.

Safety v. Security

Safety is, at its essence, protection of life and prevention of injury, caused primarily by accidents and mishaps. A manufacturing plant may place great emphasis on safety by implementing a “Safety First” campaign, installing fire suppression systems, placing eye-wash stations throughout the facility, and having an EMT on duty. All of these steps make the facility a safer environment but none of them increase security at all.

Security is typically defined as protection against criminal acts, and may or may not refer to the protection of people. The same manufacturing facility in the example above can install CCTV cameras, high security locks, an ominous chain-link fence, and an access control system for sensitive areas, all of which increase security. Unlike safety measures, which do not make the plant more secure, these security measures may make it safer against certain threats while simultaneously making it less safe against others. With the security measures in place, the employees are safer against criminal acts that would result in death or bodily injury, such as a disgruntled gunman or a terrorist act. Depending on the implementation, however, the security measures may make it more difficult for employees to egress in the event of an industrial accident, lowering the overall level of safety.

Though all of the examples I have cited thus far pertain to physical safety and security, convenience, security, and safety are all factors in the digital security realm as well. The protection of data systems and data from power surges, natural disasters, hard drive failures, and other mishaps (typically through backups) is usually lumped in with “infosec”; it would perhaps be more appropriate to call this type of protection “infosafety” (to coin a term). Protecting these same systems and their backups from deliberate human threats is an appropriate use of the terms “infosec” and “information security”, however. Finally, convenience plays a huge role in both infosec and “infosafety”. Infosec and infosafety can themselves be at odds, though it may seem counterintuitive. It would be very safe to have data backups on multiple hard drives and with multiple cloud providers. It would be even safer if these backups were unencrypted; encryption introduces the possibility that the data cannot be decrypted when needed. Such a system would be very safe, but it would also be incredibly insecure.

It is entirely possible for a system (whether digital, residential, commercial, industrial, et cetera) to be both safe and secure. It is also possible for the same system to be very secure but unsafe, or to be very safe but insecure; the distinction is in the dangers that are primarily protected against.

Security v. Safety v. Convenience

Convenience is also in competition with security. Generally speaking, the more convenient a system becomes for the user, the more convenient it becomes for an attacker and security is subsequently lowered. For example, employees at our exemplar facility may tire of having to use a key to gain access back into their workspace after smoking and leave the door propped open. This is a convenience measure in the interest of the individual employee, caused by the security measures that are in the interest of the plant’s owners or managers. This also impacts safety, since an open door will not prevent the spread of fire or dangerous gasses that a closed door would.

In closing, a physical security system must balance safety, security, and convenience. It must be safe for the occupants, secure against outside threats, and convenient enough that the system will not be overridden. Digital systems (at least at the personal user level) have no requirement for safety in this sense, but they should still balance security and convenience. The designer of the system (the homeowner or Chief Security Officer) must weigh all of these considerations when implementing a system. He or she must also monitor use and be willing to adapt the system or provide user training based on usage patterns to achieve maximum compliance.

The convenience of a system can impact both its safety and security. It is no secret that as many security and safety processes as possible should be automated. Things like backups, updates, and encryption should happen with as little user input as possible to ensure compliance. When a system becomes overly complex, users will opt out of its security; this is when things like leaving computers on and unlocked begin to occur. The convenience of a system should be weighed against the risks the system faces and the tolerance of its users for security measures. Make a system too secure and pretty soon it is far less secure, because users will begin bypassing the security to achieve a balance, an equilibrium, a stasis of safety, security, and convenience.

The Point

This topic is especially germane to me both in the writing of books on security, and in convincing my family and friends to adopt encryption and other security measures. There is a constant struggle between security and convenience, and those who do not have a specific interest in security and/or privacy typically have a very low tolerance for inconvenience. Why do I recommend ProtonMail over Thunderbird with GPG/Enigmail? The latter is certainly more secure. Why do I recommend Cryptocat over ChatSecure when ChatSecure is more secure? I do so because I want to encourage participation among those who have little interest. As security becomes more convenient through services like ProtonMail and Tutanota, perhaps a significant percentage of people will choose to adopt security.