Privacy is security

People have an unfortunate tendency to think of security as a set of practices performed almost by rote, locking down known means of compromising security. A more comprehensive approach to protecting security would involve considering the things we actually want to protect with that security.

The very security practices we employ when taking an unthoughtful "best practices" approach to security often lead to compromising those principles we should be most concerned with protecting. Among the most important of these is privacy.

Privacy, as a priority for security, means we can carry on discussions with a reasonable degree of confidence that we aren't leaking personal or business secrets to the rest of the world. It means we can be candid with those we trust. It means that someone working on a new project, product, or idea can publicly release it at a time of his or her choosing. Privacy is something we all assume we have, at one time or another, whether online, talking on the telephone, or in the bedroom.

An ever-growing number of tools are being developed to provide security through privacy in an information technology context, mostly through the use of encryption. Among the most widely used encryption tools are SSL for encrypted access to a Web site, SSH for encrypted remote access to another computer, and OpenPGP for file encryption, probably used most commonly to encrypt e-mail content.

Other users of cryptographic technology for security purposes exist as well, of course, such as volume encryption for hard drive partitions to protect sensitive data in case of physical theft, content encryption for a number of DRM schemes, and unique key generation for digital fingerprint and other authentication systems. With the proliferation of cryptographic technologies and the ever-more widespread uses of them, we are now well past the point where there is any excuse for a security professional to remain ignorant of the uses, benefits, and procedures of cryptographic system deployment and maintenance.

If you want to develop expertise in security, you must develop expertise in cryptographic technology. For those of you at a loss for where to start, I recommend starting with OpenPGP tools such as GPG and SSH tools such as OpenSSH, PuTTY, and WinSCP. If you're involved in Web development, SSL implementations such as OpenSSL should be a very high priority to you.

Don't just concern yourself with antivirus software and firewalls, and consider yourself informed about security. People communicate beyond the relative safety of their own firewall-protected systems every day, and those communications often involve personal information and data that can be used to compromise the security of their lives -- not just their computers. Educate yourself on the technologies and principles of maintaining privacy.

Without privacy, you'll never be secure.