Aug 1, 1996
Security Begins At Home
by Gary Dunn
"Probably the only place where a man can feel really secure is in a maximum security prison, except for the imminent threat of release."
Germaine Greer (b. 1939), The Female Eunuch, "Security" (1970).
It's very fashionable to talk about security in the context of networks, particularly when discussing that network of all networks - the Internet. Encryption has become the topic of the moment, particularly as we hear of financial institutions adopting proprietary methods to safeguard communications. As the prospect of electronic commerce comes closer to reality, business is faced with a new lexicon of techno-speak describing security issues. While trying to digest all of this, an organization runs the risk of adopting a solution that does not meet its needs.
So how can we make sense of all of this?
Why, you ask, is a lawyer writing about security? This question has an easy answer. The legal profession has a professional responsibility to honour and protect the confidences of its clients. A failure to do so can constitute professional misconduct. So we qualify to be in a conversation about security both because of the duty we owe and the personal consequences that can befall us if we fail in that duty.
We lawyers fulfill our duty primarily by ensuring that we do not gossip about our clients' affairs, and also by imposing the same obligation on our staff. More often than not, we do not reduce our staff's commitment to writing, and when we do it is more likely to be found in a procedural manual than recorded as a written promise from the employee.
As you can see, our perspective is primarily directed at outward going disclosure - and please, no jokes about our lack of introspection. But seriously, the point is that our approach to security is governed by our perspective - which shows up in the way in which we perceive that breaches could occur.
The converse can be said of the majority of information systems in place today. The IS approach to security is governed by its perspective - which is primarily inward. In other words, the main concern is that the "firewall" erected to protect the internal computer network from outside probing will withstand the attack. The military metaphors used in describing security measures say it all - the IS perspective is generally a defensive one.
"The conclusion is that a balanced approach is the only way to obtain an effective security solution."
The conclusion that I inevitably come to is that a balanced approach is the only way to obtain an effective solution. Any solution you adopt will need to recognize the threat of both incoming attacks (defensive) and outgoing directed initiatives (offensive).
What are some of the things that you might end up doing to protect your organization and the information of your customers?
Security breaches appear to occur internally more often than not, and the solutions to them are usually based more in practicality than in difficult to understand technology. As a result of all of this, the major thrust of any internal security effort is likely to be more of a policing effort.
It doesn't hurt to remember that we are in the information technology business, and not the security business. For those able to afford it, advice from a trained and experienced security expert, particularly one with electronic or high technology experience, can be invaluable.
Even if you are fortunate enough to be able to afford the advice, it will pay to know enough about the process to keep you involved in the policy making decisions. Avoid the temptation of letting the experts "do their thing" and ending up with a solution that is less than perfect.
An added benefit of this is that your security measures will complement any protection scheme that you develop for your intellectual property. For example, in a previous article I referred to the need to protect trade secrets through an internal policy promoting confidentiality. Another example is that many organizations are unaware that it is also necessary to keep the particulars of any invention you develop confidential, or you will lose your right to patent it.
The cheapest and easiest part of any solution is an internal policy regarding access to information. This will involve an organization becoming aware of its confidential information, and developing policies regarding who has access to it and for what purposes. If this seems obvious, you would be surprised to know how many technology organizations are not fully aware of the extent of their proprietary information, and have no formal procedures in place that recognize its importance or take steps to protect it.
For those using electronic mail and document transfer, we can use encryption. One difficulty with this part of the solution is that by and large the available software is awkward to use. A second impediment is that there are still security issues to be resolved around the publishing of one's public key. The public key is the code published by you that a sender uses to encrypt a message to you. If the sender is misled and uses an incorrect public key, one in fact known to another party, your message could end up in the wrong hands.
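The key-substitution risk described above, as an added example that is not part of the original article: the sender looks a recipient's public key up in a directory, and a published fingerprint (shared out of band, for instance on a business card) lets the sender detect a substituted key before encrypting anything. The key bytes, addresses and directories are constructed sample values, not real key material.

```python
import hashlib
import hmac

# Constructed sample "public keys": arbitrary bytes standing in for real key material.
ALICE_KEY = b"-----BEGIN PUBLIC KEY----- alice (constructed sample) -----END PUBLIC KEY-----"
MALLORY_KEY = b"-----BEGIN PUBLIC KEY----- mallory (constructed sample) -----END PUBLIC KEY-----"

# Two constructed directories: an honest one, and one where Alice's entry has been
# replaced by another party's key, the failure mode the article warns about.
HONEST_DIRECTORY = {"alice@example.com": ALICE_KEY}
TAMPERED_DIRECTORY = {"alice@example.com": MALLORY_KEY}


def fingerprint(public_key: bytes) -> str:
    """Hex digest of the key bytes; the recipient publishes this separately from the key."""
    return hashlib.sha256(public_key).hexdigest()


def fetch_verified_key(directory: dict, address: str, expected_fingerprint: str) -> bytes:
    """Return the directory's key for `address` only if it matches the published fingerprint."""
    key = directory.get(address)
    if key is None:
        raise LookupError(f"no key published for {address}")
    # Constant-time comparison so the check itself leaks nothing about the digest.
    if not hmac.compare_digest(fingerprint(key), expected_fingerprint):
        raise ValueError(f"key for {address} does not match its published fingerprint")
    return key


def safe_to_encrypt(directory: dict, address: str, expected_fingerprint: str) -> bool:
    """True if the directory's key passes verification, False if a substitution was detected."""
    try:
        fetch_verified_key(directory, address, expected_fingerprint)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    alice_fp = fingerprint(ALICE_KEY)  # obtained out of band in practice
    print("honest directory :", safe_to_encrypt(HONEST_DIRECTORY, "alice@example.com", alice_fp))
    print("tampered directory:", safe_to_encrypt(TAMPERED_DIRECTORY, "alice@example.com", alice_fp))
```

Without the fingerprint check, the sender would simply encrypt to whatever key the directory returned, which in the tampered case is the other party's key.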
Secure server technology has reached the point where your IS department can prevent unauthorized access to your internal computer network.
"To a business, the customer's perception of security is all important."
We can also look to the medical profession for guidance. The medical profession is in the forefront of developing measures to secure its information. The Canadian Organization for Advancement of Computers In Health has authored a particularly good book entitled Security and Privacy Guidelines for Health Information Systems, which I highly recommend to any reader. This book can be obtained from their Edmonton Office (telephone 403-489-4553). One of the most interesting things in the book is the process that it provides to assess threat and risk, both in terms of the likelihood of the loss of information and the importance of the loss to the organization, as a way of focusing the use of an organization's resources.
To complete the picture, we cannot forget your customers. To a business, the customer's perception of security is all important. And if you believe that reality is defined by one's perspective, it will be necessary for you to also ask yourself what "security" means to your customers.
I can assure you that your customers' reality will be grounded in how secure they "feel" doing business with you. And this will depend in part on their level of comfort with the different ways you adopt for doing business, as you offer your goods and services via electronic commerce.
Gary Dunn practises law in Vancouver, B.C. relating to computers, intellectual property, and licensing. He can also be reached at (604) 739-7011.
Disclaimer
The foregoing is not intended to constitute legal advice. You should contact your legal advisor about your specific legal problem. You may make copies of this provided that the copy is for non-commercial purposes and repeats this disclaimer and the following notice of copyright.
Copyright © 2001 Gary Dunn. All rights reserved.