The Heisenberg Principle of Security vs. Privacy
Often spoken in a single breath—security and privacy—they are nonetheless orthogonal quantities in many aspects. Enforcing security often means compromising on privacy, and vice versa: a perfectly private conversation cannot be monitored for security.
The intuitive example is data leakage and corporate espionage. If we allow our employees to encrypt their email, we cannot ensure that no confidential information is communicated to untrusted parties at the same time. Solving this problem with an endpoint agent to peek at email before encryption once again breaks privacy. This balance is what keeps security an interesting field: technical solutions exist to improve both, but drawing the line between security and privacy remains a human matter.
I usually refer to this as the “Heisenberg Principle of Security vs. Privacy”, in reference to the quantum mechanical law that states the position and velocity of a particle cannot both be known precisely. Measuring velocity accurately implies the exact position of the particle cannot be determined, and vice versa. The reality of security vs. privacy is that there are similarities, although it is not quite the same.
In a similar fashion, hackers use encryption to ensure their activities are harder to detect. An IDS (Intrusion Detection System) cannot decode encrypted traffic so attacks are harder to identify. Theoretically you could outlaw any encrypted traffic on the intranet to quickly spot illicit activity. This improves security, but completely dispatches with privacy. How much security would you gain? All communications are now unencrypted so a crafty adversary also has all the data for the taking. Clearly, the “no privacy” end of the spectrum is sub-optimal as it creates a very fuzzy impact on security.
So how much privacy ought we give up to ensure sufficient security?
Generally, this comes down to questions such as:
- May corporate resources be used for personal tasks?
- What is the balance between fine-grained access control and the complexity of the management?
- How much training and awareness should we provide to the workforce?
When it comes to security and privacy, I advocate people instead say “security vs. privacy”, just so we recognize the complexities involved. Generally speaking we must judge the value of our data, the mission of our organization, and the attack surface of our services to make a judgement call how much privacy we are willing to give up to gain the level of security we need.