Sunday, March 3, 2019

Information Entropy as applied to Securing Information

Entropy seems to be a pretty difficult concept to grasp. And it can be slippery, but the basic idea is that a certain energy is associated with certain conformations, more for some, less for others. Entropy says that moving from a lower-energy conformation to a higher-energy one always requires an excess of energy.

The classic example is a teacup on a table. The maker of the teacup invested considerable energy to gather materials, form the cup, and bake it into its final form. And finally, someone lifted it against the pull of gravity onto the table. This energy is partially stored in the conformation, but some fraction of it is lost, essentially forever.

If the teacup is dropped, the stored energy of the gravitational pull immediately begins to be released, culminating in a final release of energy when the cup hits the floor, shattering and releasing much of its stored conformational energy. Entropy says you can't ever get the cup back the way it was, at least not without expending a tremendous amount of energy.

Now, applying that principle to information security, consider a database containing sensitive information, such as a credit database. That information has been gathered over years of people entering it, using credit cards, and data feeds sending it to its ultimate home in the database, where still more energy is expended to tabulate and collate it. Finally, energy is expended to "secure" the information. Physical security is energy-expensive. Logical security is as well, requiring devices, programs, and people to implement and, hopefully, maintain.

We are not surprised that a teacup falling from the table shatters and is lost, so it shouldn't surprise us that information systems are just as easily shattered. What's the difference? The big difference when applied to information security is that when a security system shatters, the spilled data, unlike tea, is now available for anyone to slurp up. Moreover, the information itself isn't consumed; it is available for any number of slurps. And it is still available, even to the system whose security was shattered.

Unfortunately, if it is your information that is "spilled", that means you can't put it back in the cup. As Rep. Debbie Dingell of Michigan said of the recent Experian breach, "You can't change your Social Security number and I can't change my mother's maiden name. This data is out there forever."
