When we think of the terms safe and secure, we generally assume they mean the same thing. But do they really?
“Safe” is an adjective, while “Secure” can be both an adjective and a verb. To explain, you can “secure” something, but you can’t “safe” something, yet you can make something both “safe” and “secure”. But when
For the purpose of making what could become a complex explanation simple, I’m going to use three terms for the first two scenarios.
Local, meaning something that is within your control,
Remote, meaning something which isn’t, and
Entity, meaning anything from a user, computer, program, piece of data, communication, connection or process to a policy or procedure.
Scenario one: the word “safe” as an adjective.
From the local perspective about the local entity itself, “safe” means that the entity is protected from the threat of danger, harm or loss. From the local perspective but about a remote entity, “safe” can mean that the remote entity is not threatening danger, harm or loss and will not in any way conflict with the safety requirements of the local system.
While these two definitions appear to provide the same level of confidence about “safeness”, the latter perspective, while it has a bearing on the former, does not necessarily bestow any of its characteristics on the local system. Just because a remote entity is considered “safe” does not mean that the local system is “safe” connecting to it or receiving anything from it. On the flip side, just because a remote entity is not considered “safe” does not mean that the local entity is also not “safe”.
Scenario two: the word “secure” as an adjective.
From the local perspective about the local entity itself, “secure” means that the entity is free from danger or risk of loss. From the local perspective but about a remote entity, “secure” is a matter of trust. Do you trust the remote entity when it says it is secure? Here “secure” takes on some different meanings: you can take it on opinion that the remote entity is secure, you can audit the security of the remote system yourself and be left in no doubt, or you can trust a third party, itself beyond distrust, which says the remote entity is secure.
Given these two scenarios, does making something “secure” mean that one is “safe”?
Let’s take a wider look.
Consider now the subject of Cyber-crime. I will not go into the various levels and types of cyber-crime, or what is more often cyber-stupidity leading to a crime, but will look at the subject matter relevant to the principle of “safe” and “secure”.
In order to protect one’s information systems assets from external threat, we have always been told to ensure systems are “secure”. But does this make us “safe” with respect to cyber-crime?
There are again two perspectives. The first is from the viewpoint of ensuring your systems are as safe as possible, that is, protected from the threat of danger, harm or loss. The second is from the viewpoint of forensic analysis. One of the fundamentals of Information Systems Risk Management is knowing when an attempt has been made to breach your systems.
The more “secure” you make connections to your network, the harder it is to locate and track cyber-criminals, cyber-terrorists and, yes, cyber-idiots. This can be seen first hand by looking at the levels of security used by cyber-ne’er-do-wells.
The edge of darkness.
The people who use the Internet who are without doubt most concerned about their data, transactions and privacy are the cyber-criminals themselves. For them, a breach in their secure operations can mean a long-term engagement in a government-owned hotel at a high price: namely prison, coupled with high fines, sequestration of all assets and lifetime tagging by the security services.
These cyber-criminals go to extraordinary lengths to keep their identities and their activities secure. For example, using an onion router from an Internet cafe, one could set up a VPN account through a VPN service provider. This could then be connected to from a remote server, which is itself connected to via a private VPN. Then, from anywhere in the world, using garlic routing (the term I2P uses for its variant of onion routing) on an overlay network layered over the deep web, one can set up an end-to-end encrypted communication link that is almost impossible to identify or to trace. This is essentially what is going on within what is known as the dark web (also referred to as the dark net).
This allows for very secure communication, data transfer and data storage. So why do businesses that require high levels of security not use this mechanism?
In one word – “Cost”. The cost of setting up a system that would allow for such a communication link is expensive, both in real terms and in terms of performance. The identity of both ends of the communication link would have to be known to each other in some way, and the trust relationship between the two endpoints, both physical and human, would have to be absolute. This we can do already: with Identity and Access Management systems we can build levels of identity management and control the access of those identities. Then we would need to build an unbreakable encrypted link. This is harder. This is also the reason for the development of the Onion Routing Project at the U.S. Naval Research Laboratory (NRL) and its further development with funding from the Defense Advanced Research Projects Agency (DARPA).
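To make concrete why the layered chain sketched above is so hard to trace, here is a small stdlib-only Python model of the layering that onion routing relies on. It is an added example, not code from the original post or from any real onion-routing project: the relay names, keys, destination and payload are constructed, and the cipher is a deliberate toy (SHA-256 in counter mode with an HMAC tag) so that the block runs anywhere without third-party packages. The point it demonstrates is structural: each relay can strip exactly one layer, learns only the next hop, and cannot open any other relay's layer.

```python
# Toy onion layering (constructed illustration; not a real protocol).
# The cipher is a TOY built from hashlib/hmac so the example has no
# dependencies. Do not reuse it for anything but illustration.
import hashlib
import hmac
import os
import struct

HOP = 16  # fixed-width "next hop" field at the front of every layer


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 in counter mode. TOY: illustration only."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + struct.pack(">Q", counter)).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC one layer: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ks = _keystream(key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def peel(key: bytes, blob: bytes) -> bytes:
    """Verify and strip one layer; a wrong key fails the MAC check."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("bad tag: wrong key or tampered layer")
    ks = _keystream(key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def can_peel(key: bytes, blob: bytes) -> bool:
    """True only if `key` opens the outermost layer of `blob`."""
    try:
        peel(key, blob)
        return True
    except ValueError:
        return False


def build_onion(route, destination: bytes, payload: bytes) -> bytes:
    """route: [(relay_name, key), ...] from entry relay to exit relay.
    Wrap from the exit outwards so relay i can read only its own layer:
    the name of hop i+1 plus an opaque blob meant for that hop."""
    inner = destination.ljust(HOP, b"\0") + payload  # what the exit sees
    blob = seal(route[-1][1], inner)
    for i in range(len(route) - 2, -1, -1):
        next_name = route[i + 1][0].ljust(HOP, b"\0")
        blob = seal(route[i][1], next_name + blob)
    return blob


def relay_step(key: bytes, blob: bytes):
    """One relay's job: peel its layer, read where to forward, pass the rest on."""
    plain = peel(key, blob)
    return plain[:HOP].rstrip(b"\0"), plain[HOP:]


def run_circuit(route, destination: bytes, payload: bytes):
    """Drive an onion through every relay. Returns each relay's view
    (its name and the only thing it learned: the next hop) and the bytes
    that finally reach the destination."""
    blob = build_onion(route, destination, payload)
    views = []
    for name, key in route:
        next_hop, blob = relay_step(key, blob)
        views.append((name, next_hop))
    return views, blob


# Constructed sample circuit: three relays with (here random) shared keys.
ROUTE = [
    (b"relay-a", os.urandom(32)),
    (b"relay-b", os.urandom(32)),
    (b"relay-c", os.urandom(32)),
]
DESTINATION = b"example.test"
PAYLOAD = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"

if __name__ == "__main__":
    views, delivered = run_circuit(ROUTE, DESTINATION, PAYLOAD)
    for name, next_hop in views:
        print(f"{name.decode()} learned only: forward to {next_hop.decode()}")
    print("exit delivers:", delivered)
```

Two things the model leaves out on purpose, and which real deployments have to handle: the toy cipher preserves length, so the blob shrinks by a fixed amount at every hop and an observer on two links could correlate them (Tor avoids this with fixed-size cells), and the shared keys are simply handed out here rather than negotiated with each relay over the partially built circuit. Neither changes the structural lesson: the entry relay sees who is talking but not to whom, the exit sees the request but not who sent it, and nobody in between sees either.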