Beyond OSI Layer 7: Carbon-based Vulnerability and Business Risk
Sam Curry is a member of the Cyber Resilience Think Tank, and a guest writer for Cyber Resilience Insights.
The Open Systems Interconnection model (OSI) for computer communications has roots in the 70s and early 80s and uses a 7-layer abstract architecture that has become the de facto way of describing communications and protocols on the Internet.
In other words, it’s how we think, build and manage the Connected World from mainframes with IP addresses to the Internet of Things (IoT) and from your trusty laptop to your rusty mobile phone.
Extending from this, the term “layer 8” has become popular for referring to the squishy, carbon-based lifeforms somewhere between the keyboard and the chair who are guilty of many things like spreading germs, clicking on too many things and picking silly passwords. However, it’s that pesky layer 8 - and perhaps a 9th layer - that we’ll look at that are both the real customers and the thing we should be paying most attention to.
Let’s start with the first principles of business and IT because the biggest problem in security isn’t detecting things, it isn’t fixing them. And it isn’t even efficiency in the security department; it’s alignment with the business.
Business exists to take acceptable risk for acceptable return. Plain and simple but quite complex, too. If you want no risk, turn everything off and turn your money into a commodity that has stable, lasting value like gold or perhaps a rarer element. We create companies to take risks, and to turn our capital into machines that make money rather than sitting inert in a commodity form. IT as a business functions seeks to maximize the number of transactions possible for a business in a digital age as a reliable, repeatable business function. Risk is managed throughout all of this, and at the heart of it is connecting users, from employees and partners to suppliers and customers, with each other. They are the stars of IT, the elements that need to connect and do things together.
Enter security. Security in most companies has grown up as an intense, specialized discipline that tests boundaries, assumes malice-of-intent and by its very nature both kicks tires and looks for single points of failure, bottlenecks and where it can all go wrong. This is antithetical to those who build in the same way that those who create often hate critics in the arts. However, critics are incredibly valued when they in fact make the art better constructively. And like art, security is never perfect by its very nature.
Layer 8: The Customer Is Always Right
Which brings us back to layer 8. We ultimately exist to connect users with each other and with data, and the purpose of security is to make the transactions at layer 8 possible with as little interruption and as intuitively as possible. The purpose of the first 6 layers in the OSI stack is to enable the 7th layer of two machines to work together. Given an 8th layer, it becomes obvious that it’s about connecting people with each other. That means we can’t say the user is to blame for a bad password or other security transgressions. If security doesn’t serve the users, it is working against its own goals. There is no “ID-10-T” error, as we used to say in a security support group I worked with years ago.
This means that security that isn’t designed for the end user is bad security. There is almost never an ability to say “I had a good policy, but the user was the problem.” To some extent this is a lot like the saying “the customer is always right,” which is also almost always true. However, the point is that we need to keep in mind processes and be user centric.
Friction in the user experience is bad, waste is bad, slowing is bad, disrupting their workflow is bad and so on. This doesn’t obviate the need for participation in one’s own rescue and good security discipline. That will always be needed, but it is a mentality for security folks to always seek improvement and to take radical responsibility and ownership for protecting users and not blaming them.
In brief, this is the agile manifesto for security: adapt, own your code, put the user in the center, decrement what is not working, incremental improvement over delayed perfection.
What To Expect From Layer 9
Which brings us to layer 9, which at the moment is a bridge too far but is worth mentioning because we are currently forming digital tribes and are in an election year. Just as layer 8 is people, it’s arguable that there is a 9th layer made of groups of people. And while it is perhaps beyond the purview of security departments, it is not beyond the purview of groups of security people, collectively, to seek to secure layer 9, too.
If a threat at layer 8 is a phishing attack, a confidence scheme or even holding someone at gunpoint, a layer 9 attack is the domain of meme wars, propaganda, cyber swarming, misinformation and disinformation. I am not suggesting that we need RFCs for political conventions, but this is where we can think of involvement in the confidence, integrity and availability of elections, constitutional processes and human rights as a natural extension of what we already do in the other 8 layers.
Want more great articles like this?Subscribe to our blog.
Get all the latest news, tips and articles delivered right to your inbox
You will receive an email shortly