As the Balance of Security Controls Shifts, Where Does Responsibility Rest?

Kathleen Moriarty


Ongoing debates on encryption and privacy highlight the complex dance between industry standards and policy. The outcome of these security and surveillance tussles remains open, reflecting the evolving relationship between technology and governance.

We are in the midst of a volley of "tussles" over security control points and surveillance/privacy protections. If you are unfamiliar with the term tussle, it comes from a paper by David Clark et al. that describes the evolving dance between technology and policy. Tussles surrounding privacy and surveillance arise every so often, sometimes including a rebalancing of who owns, or has access to, metadata.

Industry, standards, policy

The current set of tussles involves a push and pull between industry, standards, and policy, with the debate remaining open as to how it will all settle out. As encryption becomes stronger and more pervasive on the Internet to protect our sessions in transit, the ability to use traditional tools to detect malicious traffic has diminished and will continue to diminish.

At the same time, strong encryption that cannot be intercepted is promoted as part of a zero-trust architecture and is important to adopt to prevent lateral movement. Another argument in favour of strong encryption is that it prevents having points of aggregation where all traffic is visible (e.g. intrusion prevention systems holding a shared key to access and view all data).

In the recent volley, the dance includes:

This tussle is a very interesting one, shaping significant changes on the Internet in terms of how we as an industry ensure the security of sessions, data, and endpoints. The distributed nature of the Internet, along with the multi-stakeholder governance model, allows for and encourages these debates. When national laws are considered, the debates typically settle out slightly differently from nation to nation, reflecting differences in historical and cultural norms even between nations we may consider similar in many regards.

In some cases, it is difficult to see the forest for the trees when we are in the midst of change. How security is integrated into products, services, and the network itself is transforming at a rapid pace. This means that security controls will settle out differently, in terms of both placement and responsibility, than they may have in the past.

Ideally, we wind up with a more secure, resilient, and easier to manage infrastructure as we work through these tussles. There are methods to provide security in these new models, and they may even improve on the current state, with security not only built in by design and by default but also managed at scale.

In terms of how the controls settle out, there is another important consideration: how does the balance of responsibility shift with intrinsic changes to points of visibility?

Prior observations on ECH

Several considerations were raised in this blog on the changes specific to ECH. Summarised, those include:

  • As controls managed by the organisation are eliminated (e.g. intrusion detection/prevention systems), does the responsibility to protect data and systems shift away from the enterprise? Is the browser then liable? Is the CDN liable?
  • Are enterprises still responsible for security breaches when they have little ability to intercept and prevent them?
  • Are regulatory changes required to shift the responsibility when control points shift-left or change?
  • Does this shift-left further motivate application providers, CDNs, and browser vendors to build secure code and ensure memory safety?
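As an added example (not from the original post), the following Python shows the visibility shift that both the ECH questions above and the earlier remark about traditional detection tools turn on: a parser that reads a TLS ClientHello the way on-path equipment does, first with a plain SNI and then with an ECH extension, where only the outer public_name remains readable. The hostnames, the opaque ECH payload and the constructed ClientHello bytes are assumptions for illustration.

```python
"""Added example, not from the original post: what a passive monitor (an IDS
or IPS in the organisation's path) can read from a TLS 1.3 ClientHello with
and without Encrypted Client Hello (ECH). Hostnames and bytes are constructed."""
import struct
from typing import Optional

SNI_EXT = 0x0000   # server_name extension
ECH_EXT = 0xFE0D   # encrypted_client_hello codepoint from draft-ietf-tls-esni

def build_client_hello(sni: str, ech_payload: Optional[bytes] = None) -> bytes:
    """Build a minimal ClientHello (constructed input). With ECH, `sni` is the
    outer public_name and `ech_payload` stands in for the encrypted inner hello."""
    name = sni.encode()
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name   # host_name type
    sni_data = struct.pack("!H", len(sni_entry)) + sni_entry
    exts = struct.pack("!HH", SNI_EXT, len(sni_data)) + sni_data
    if ech_payload is not None:
        exts += struct.pack("!HH", ECH_EXT, len(ech_payload)) + ech_payload
    body = (b"\x03\x03" + b"\x11" * 32          # legacy_version, random
            + b"\x00"                            # empty legacy_session_id
            + b"\x00\x02\x13\x01"                # one suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                        # compression: null only
            + struct.pack("!H", len(exts)) + exts)
    return b"\x01" + len(body).to_bytes(3, "big") + body

def inspect_client_hello(msg: bytes) -> dict:
    """Parse the outer ClientHello exactly as on-path equipment sees it."""
    if msg[0] != 0x01:
        raise ValueError("not a ClientHello")
    pos = 4 + 2 + 32                                   # header, version, random
    pos += 1 + msg[pos]                                # legacy_session_id
    pos += 2 + struct.unpack("!H", msg[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + msg[pos]                                # compression_methods
    ext_len = struct.unpack("!H", msg[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    seen = {"sni": None, "ech": False}
    while pos < end:
        etype, elen = struct.unpack("!HH", msg[pos:pos + 4])
        data = msg[pos + 4:pos + 4 + elen]
        if etype == SNI_EXT:
            nlen = struct.unpack("!H", data[3:5])[0]  # skip list len + name_type
            seen["sni"] = data[5:5 + nlen].decode()
        elif etype == ECH_EXT:
            seen["ech"] = True
        pos += 4 + elen
    # Under ECH the outer SNI is only the public_name: the monitor cannot learn the destination.
    seen["visible_destination"] = None if seen["ech"] else seen["sni"]
    return seen
```

With ECH present the parser still reads an SNI, but it is the shared public_name rather than the destination, which is exactly the loss of visibility that moves the control point away from the enterprise.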

Additional questions should be considered as the tussle takes shape; it is too early to tell what will happen with the eIDAS proposal. If that dance settles out as recommended in the referenced letter, a shift in balances will not occur at this time, as some technical adjustments will aid the policy objectives where parties work collectively.

This article was originally published over on the RSA Conference pages.


About the author

Kathleen Moriarty is a technology strategist and board advisor, helping companies lead through disruption. She is an Adjunct Professor at Georgetown SCS, and also offers two corporate courses on Security Architecture and Architecture for the SMB Market. Formerly Chief Technology Officer at the Center for Internet Security, Kathleen defined and led the technology strategy, integrating emerging technologies. Prior to CIS, Kathleen held a range of positions over 13 years at Dell Technologies, including Security Innovations Principal in the Dell Technologies Office of the CTO and Global Lead Security Architect for the EMC Office of the CTO, working on ecosystems, standards, risk management and strategy. In her early days with RSA/EMC, she led consulting engagements interfacing with hundreds of organisations on security and risk management, gaining valuable insights into managing risk to business needs. During her tenure in the Dell EMC Office of the CTO, Kathleen had the honour of being appointed and serving two terms as the Internet Engineering Task Force (IETF) Security Area Director and as a member of the Internet Engineering Steering Group from March 2014 to 2018. She was named in CyberSecurity Ventures' Top 100 Women Fighting Cybercrime and is a 2020 Tropaia Award Winner, Outstanding Faculty, Georgetown SCS. She is a keynote speaker, podcast guest, frequent blogger bridging a translation gap for technical content, conference committee member, and has been quoted in publications such as CNBC and Wired. Kathleen has over twenty-five years of experience driving positive outcomes across Information Technology Leadership, short- and long-term IT Strategy and Vision, Information Security, Risk Management, Incident Handling, Project Management, Large Teams, Process Improvement, and Operations Management in multiple roles with MIT Lincoln Laboratory, Hudson Williams, FactSet Research Systems, and PSINet.
Kathleen holds a Master of Science Degree in Computer Science from Rensselaer Polytechnic Institute, as well as a Bachelor of Science Degree in Mathematics from Siena College. Published work: Transforming Information Security: Optimizing Five Concurrent Trends to Reduce Resource Drain, July 2020.