The Bruce Schneier approach to security?
I asked Bruce Schneier about one of the things that currently concerns me most. How can I be secure in the cloud?
“You can’t,” he replied. “In the cloud you’ve given your data to someone else. How can you secure what you don’t have? You don’t even know where it is.”
What about data tagging, I asked.
“Doesn’t work,” he said. “Technologically impossible. How can you tag a bit?”
Just for a moment, I thought I was being given a lesson by Heisenberg. “Wait a minute,” I said. “At a philosophic level exactly the same applies to the data on my desktop.”
“That’s right,” he replied.
And that’s when I realised. Schneier, in his trademark subtle-as-a-sledgehammer style, was giving me a lesson in security: it doesn’t exist and you can’t have it. What you can have, and must aim for, is an acceptable level of trust.
On your desktop you ask yourself, do I trust this hardware manufacturer not to have installed something nasty? Do I trust my software not to be full of bugs and phone-homes? Do I trust my security software to raise my level of trust to an acceptable level?
And in the cloud, you ask yourself: do I trust this supplier to protect my data, and store it in the right place?
Maybe we should rename it: infotrust…