Home > All, Security Issues > The Bruce Schneier approach to security?

The Bruce Schneier approach to security?

September 22, 2010 Leave a comment Go to comments

I asked Bruce Schneier one of the things  that currently concerns me most. How can I be secure in the cloud?

Bruce Schneier: photo by Doug Logan

Bruce Schneier

“You can’t,” he replied. “In the cloud you’ve given your data to someone else. How can you secure what you don’t have? You don’t even know where it is.”

What about data tagging, I asked.

“Doesn’t work,” he said. “Technologically impossible. How can you tag a bit?”

Just for a moment, I thought I was being given a lesson by Heisenberg. “Wait a minute,” I said. “At a philosophic level exactly the same applies to the data on my desktop.”

“That’s right,” he replied.

And that’s when I realised. Schneier, in his trademark subtle-as-a-sledgehammer style, was giving me a lesson in security: it doesn’t exist and you can’t have it. What you can have, and must aim for, is an acceptable level of trust.

On your desktop you ask yourself, do I trust this hardware manufacturer not to have installed something nasty? Do I trust my software not to be full bugs and phone-homes? Do I trust my security software to raise my level of trust to an acceptable level?

And in the cloud, you ask yourself: do I trust this supplier to protect my data, and store it in the right place.

Maybe we should rename it: infotrust…

About these ads
Categories: All, Security Issues
  1. Harry
    September 22, 2010 at 11:18 am | #1

    I don’t think it should be Trust that we’re looking for from our technology and providers, we already have to trust them – what we want is trustworthiness.

    Trust is simply what you have to do when you can’t be certain of something – like our current situation with regards information security. When I get on a plane I trust it to have been properly maintained by its owners, if I discover that an airline has not been doing so then they cease to be trustworthy and I decide to fly elsewhere. It should be the same for Cloud suppliers.

  2. September 22, 2010 at 9:21 am | #2

    Bruce has been my hero since I bought Applied Cryptography all those years ago. Tells it like it is.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 127 other followers