The article discusses the evolving communication paradigm driven by Web 2.0 and its implications for security, emphasizing the need for a new security model that balances user freedom with risk management. It highlights the challenge of securing data and communications in a complex, decentralized environment, where traditional models are inadequate to address emerging threats and user expectations. To improve security, a comprehensive, consistent, and adaptable framework is necessary that integrates various technologies and enhances the overall security value chain.

1. Article New Communication Paradigm and Security Present and Future Challenges Marco Melo Raposo, CISSP-ISSMP, QSAp, ABCP December, 2008

2. New Communication Paradigm and Security Web 2.0 is more than a technological trend; it poses a change in paradigm. It is also about individual need to communicate and to interact using new types of media, at distinct levels, in many distinct ways and finally, everywhere, using many types of access in a transparent way. This change is not only at the communication level, but, more important, at the personal one. Growing trend is to present a better, richer and captivating experience to users that fulfill their needs and can easily caught user recurrent attention and use. Why is that important? Because individual, group and society needs are and will continuously be the drive for technological trends and market steers and behaviors. Some one wrote in some site on the Internet: “Content is king“ and “beta is beautiful”. This translates the user necessity for a lost freedom and a world without barriers. But this translates what we really want? From the security perspective, it is also a new unveiled frontier. And, as many new frontiers, it is a Pandora box that is now open and ready to unleash a new set of unexpected events. Great capabilities, new frontiers, but new exposure vectors, new menaces and unknown terrain. The big question that needs to ask is how far are we ready to compromise to achieve this freedom and risk price? Actually, protecting communication today is presenting new challenges to security. It is already require more and better security. Since it goes beyond a technological trend or change, the answer cannot be purely technological. Still, so far we have not been able to answer to this growing necessity of more and better security. And in the situations that we do, it is at a higher cost than expected or even returned. In order to change this situation, some security paradigms and models will have to change in order to allow that security is performed and delivered in a way that it hasn’t been delivered so far. In a way that more than just delivering security, it will drive secure states naturally. Moreover, It will be required to combine the many faces of security and create synergies among them in order to optimize the security value chain and create momentums that would drive security more effortless and efficiently.

3. The Present The current vision is supported on a utopia of openness and freedom. Users want a user centric reality that would leverage personal productivity and ease data interaction. Still, it is transporting many of physical society effect and becoming trendy and fashionable. New fashions are being built, either spontaneously or artificially, either drove by profitable objectives or simply by unmet needs. Users demand simplicity, yet power and performance. Users are driven by trendy technologies and fashion. Users also have their hidden agenda and personal necessities. Users also want their fifteen minutes of fame. Someone said that the only place were people would not like to see their photos is on a speed radar photo. Internet is the perfect place for human necessities. People will embrace in a minute all type of social events, hubs and networks that would fulfill those same necessities. From the human perspective needs and expectations will rise and demand more of the existing technologies. They will also drive more innovation and a faster pace in the mutation of the environment, deeply affecting security enforcement, either by disrupting existing implementations, either by demanding more effective, but at the same time transparent and enabler security. As a consequence of human needs, we will also have business, with an economic driver and, sometimes, a social one. They will seek primary to drive business transactions or business optimizations. They will also seek better and simpler interfaces with customers and richer and evolving experiences in order to keep them and attract new ones. This will lead to permanent reinvention of new tools and interfacing mechanisms. All this visions and concepts are based on a complex set of resources, technologies, innovations, media and virtual concepts. From the technical point, this entire new web 2.0 is based on Internet platform. By definition, this presupposes the existence of a huge set of networks interconnected by core networks and common protocols. Currently, it is a very heterogeneous environment and it has under its umbrella very distinct physical communication channels and end networks, some of them private and masqueraded. Studies developed reveal the Internet is organized in a tree architecture.

4. Still The Present The core is rather transparent to the user, it routes huge information volumes of distinct types, sizes and priority levels. It also consolidates several information from several technologies and media. On the other hand, edge operation is relevant to user. Individuals want flexibility, power, transparency and reliability. While the core is relatively simple, edge functionalities are achieved through the existence of serving services, technologies, clients and other resources that ensure the whole edge ecosystem. Truly most of the edges survive on upper layers of protocol stack while the core lives on the lower ones. End user is now requesting ubiquity. This means “always on” and everywhere, independent of the type of resources available at that time. The impact of this necessity for security is huge. It means that security cannot be channel dependent or just ensured in a specific scope. The security level cannot be supported only by a unique mechanism and security deployment must support permutation of the available resources. But edge security issues are not only at the infra-structure level. New services are being delivered every day. New types of media, derived as sub-products from existing media are being brought to day light every week. So we can protect a data in a direct level. But, with the current models, are we able to ensure that data sources from second or deeper degrees have the necessary protection information that will ensure our capability to protect that same data? In fact no. Current models do not enforce any type of privacy or integrity models. Moreover, they not even allow embedding control information that would proxy security requirements and ensure that those requirements are fulfilled ahead. As the time we speak, growing complexity and power processing is required to deliver all the functionalities and services that we had the imagination to create. Simultaneously, the processing power is moving to the edges and end users, being decentralized and transferred from server side to client side. This trend is imposed by the exponential growing of users, uses and its frequency. While so far we had data being manipulated at the services side, we now face more and more raw data flying on the wire and transformed at its destination. Communication channels will growingly focus on data transfer. At the security level, this will impose huge problems and will require consistent solutions. While until now we could have data stored in contained environments and presented in contained interfaces, we now have the same data flying over the wire in raw mode and being processed, with security properties enforced at the end point.

5. What will we be facing? New risk vectors will arise. Current security is based on a set of standards that present security issues and cannot respond to security necessities at a global scale. The present is already bringing security in a best-effort approach, without the embedded security and reliance mechanisms to ensure stakeholders needs. New protocols and solutions are being created without security. More poorly executed protocols to handle. Same mistakes, new web. Risks are also moving on the protocol stack and migrating to upper levels. Adding to the traditional and accounted risk vectors, there are also emerging risk vectors. New menaces that are not yet perceived and analyzed from a risk management approach. As an example you can think of all the social information that is being spread through the innumerous services of social networking available. This, will certainly, present a new menace, or, in the best case scenario, an old one in a new form. The fact is that human behavior and relations will drive security needs to the next level. The current trends in human communication and social interaction are already creating new security leaks regarding information. The intrinsic human needs will profoundly affect the security of the information and the privacy of the person. This is already a perceived trend. Innovation factories like Google and other industry giants have already adopted disruptive strategies and moved from the core to the edges near the user. They are both acting as an accelerator and at the same time exploiting the human needs, supported in the propagation capabilities provided by human nature, and acting as leverages. However, this is actually a cross road. The fact is those capabilities can be used in many directions. From a security perspective they can be the differentiator in enforcing the right solutions for security or simple the destructive mechanism that will, like a worm in a network, stall the human network and general communication. Connecting all this potential to the information itself, it lead us to the question if a discretionary model has real probability of succeeding in the task of creating enforcement mechanisms and actually protect the information itself.

6. Security Today The protection of data and communications today is mainly an isolated act. Mostly, data owners are concerned with their own boundaries. People do tend to establish clear frontiers and just look security inside those lines. However, security is like an iceberg: You only see the top. Below the water you have innumerous systemic interactions and mental models. It you start dissecting and building a mind map of security, you realize that mostly every subsystem is connected. Events and effectiveness of implemented security is pretty much affected by a single variation inside the ecosystem of security. Further to that, you have a lot of mental models put in place for security. You can find stakeholders with distinct and very different perceptions of security. Some people face security as a cost, while others only see the qualitative value and override de embedded costs for its implementation. If we try to perceive it from a value chain perspective, we can see that it is not optimized. Instead, if is full of redundancies, inefficient approaches, encapsulated costs and holes. The bottom line is that current Security value chain is not optimized and embedded on the business value chain. Consequently, more investments are made and less return is perceived. Due to a strong perceived necessity in correcting current security investments and risk level, the investments are focused on capital expenditure that deliver mostly remediation solutions. However, this expenditure frequently has limited results and the remaining non optimization leads to higher operational expenditure that, when perceived by decision makers, is frequently avoided. In long term this has continuously lead to a restrain in security expenditure and to deployments with high TCO derived from inefficiencies and reactive posture from the actors.

7. The Future We start to realize that enforcing security today is more that deploying controls but to find an operational solution to act on this complex system. It is pretty much easy to perceive that the task of enforcing security has the characteristics of an odyssey. Road is long, unfriendly and will take place in an heterogeneous and aggressive environment. Furthermore, the probabilities of a successful implementation, with optimized value, are residual. So, what will make security in the future? The simple answer is that we need a working model. So far, information society has evolved without a working model. Opposing to the physical society that we know and that had thousands of years to mutate, grow and adapt, information society universe has only been born some decades ago but has grown since them, with an incredible growth and mutation rate. However, the stating of a need is most certainly the easy part. Building an effective model and putting it in practice is the challenge. Any new security model that aims to succeed will have to account several and more complex necessities: Security model – Any adopted approach or security model must enforce a discretionary approach to the data. At the same time, if must allow classification information and other security information tagging so that proper handling can be performed by others. Consistence through the ecosystem – Any approach to security that aims to effectively enforce security must be consistent with the existing diversity of technologies and through the ecosystem .The environment must be homogeneous and level security capabilities between different technologies, platforms and functional blocks.

8. The Future Systemic – The security deployment must be systemic. Parts cannot perform isolated and must integrate in a broader system. Systematization will avoid interfacing vulnerabilities and will optimize security Propagation – Security must be deployed in a way that it would propagate through the environment either horizontally, either vertically Ubiquity – A model that works for both core and edges of Internet. Distinct but compatible models can be created. However, models must coexists and be fully The Whole Theory - The model must be enforced intrinsically at a micro level and applicable at a macro level. It must respond to specific necessities for each specific context Also, the model must account for data encapsulation and virtualization and enforce security properties. It should protect data in distinct forms and reincarnations. In practice, a “string theory” for security. Attractiveness - The needs of the involved stakeholders must be accounted and the model itself should be attractive enough be implicitly embraced by all the stakeholders. Adaptability – Must support a mutation factor and have adaptation capabilities to survive through natural and rapid changes. It is most likely that we will fail in the near future. Security has always been approached in a reactive way and the current changes will require a structural approach. It will require our personal awareness and contribution to the process. As in many things in life, the need will make the way.

9. The Author Marco Melo Raposo http://www.linkedin.com/in/marcoraposo Presents ten years of professional experience in security market, with experience of Enterprise and Government arenas at international level. Master of Business Administration, CISSP-ISSMP, QSAp and ABCP, He has authored several security-related articles published in Portuguese newspapers and magazines and his a regular speaker in several and various Security Conferences and Presentations.