Thursday, August 8, 2013

Strategy for Security: A Pure Bargaining Model

The Stalemate
In my opinion, strategy development can be thought of as a form of bargaining: security and audit, each with a stake in the successful implementation of the strategy, arrive at the table with a specific agenda, put forth and withdraw arguments driven by expectations of what the applications, infrastructure and support teams will accept or reject, and depart the table with an agreement that satisfies fewer goals than they hoped to achieve to begin with.

Formulation of a roadmap for enterprise security is not concerned with the efficient application of forces like power and influence, as much as with the exploitation of potential synergies coming from the combined gain at stake for all involved. It is concerned with the possibility that particular architecture-driven operational outcomes are better (not worse) for all parties involved.

‘Pure’ Bargaining
Achieving consensus on a strategic roadmap for enterprise security can be modeled as a form of pure bargaining, a term used to describe bargaining in which each party is guided mainly by its expectations of what the other will accept. With each party guided by expectations, and knowing very well that the others are guided by expectations too, these expectations compound until only one exit path remains: someone makes a final and sufficient concession to resolve the deadlock.

This result is quite contrary to the fact that there is actually a range of possible architectures, any single one of which is better for all parties than no agreement at all. To insist on any one of the agreeable alternatives is a form of pure bargaining, since either party would take less than its dream solution rather than nothing at all, because no agreement would only cost money and leave the firm no better off than when it started. Either party would also take 'less' because it knows that 'receding' to reach agreement is an option at any point in the process, since there is no reprimand for agreeing after disagreeing!

The underlying tactical approach is especially suited to Security because the essence of the pure bargaining tactics employed is the voluntary and irreversible sacrifice of a position of strength in order to reach a point of advantage, even though the advantage is somewhat diluted. The paradox is that the power to limit the adversarial parties stems from an ability to confine oneself to a smaller range of choices: to give up some freedom of choice to gain leverage in a pure bargaining situation.

Quick Case Study: Authentication Strategy
A case in point is creating a strategy for achieving seamless authentication across the enterprise. The applications architect might not want a reverse proxy solution for an authentication gateway because he already owns a farm of proxy servers that service web requests for his applications. He prefers an approach that augments the existing technology instead of stacking another farm of reverse proxies in front! The security architect advocates the use of the virtualized object space that a reverse proxy enables you to create, because it helps manage authorization in the long run. The audit manager cares more about the security perimeter than the specific technology stack within the perimeter. The infrastructure architect wants homogeneity in hardware across the technology stack to ensure his team has a manageable learning curve in order to support the solution. The helpdesk manager is worried about how users might be impacted no matter which alternative is picked as the authentication architecture.

In the scenario depicted above, the application architect is negotiating from a position of strength because he owns the applications. The infrastructure architect is also negotiating from a strong position because his stake is already in the ground: a certain type and model of hardware is powering the business applications! However, they don’t just get their way, because the security architect has a point too. Creating a single reverse-proxy based gateway eliminates any instrumentation at the proxies the applications architect owns, and also provides a long run alternative to finer grained authorization should the business need it. The audit manager might appear to be neutral to the discussion, but knows that adding a reverse proxy widens the security perimeter and requires thorough security compliance certification of the reverse proxy servers. This is more work and more risk for an otherwise smoothly running operating firm!

Strategic Moves shrink the ZOPA
I would be remiss if I did not talk about how the perceived bargaining set for each of the participants changed at each bargaining step, and also how the parties who were in a position of strength changed their expectations in observation of how well others accepted or rejected their ‘shifting’ bottom-line or ‘reservation price’ demands. The zone of possible agreement (ZOPA) initially is very large, as all parties in positions of strength seem to have inflated perceptions of their non-cooperative alternatives and won’t give in without a fight. Pure bargaining tells us that someone has to concede for the stalemate to be resolved in favor of achieving a ‘surplus’ outcome, one that results in all parties gaining something by participating in the process. At each bargaining step the zone of possible agreement shrinks as the weaker participant, the security architect, evaluates the expectations of the stronger parties and navigates the terrain. He uses his expertise to model the impact to business, to user and to long run utility of choosing between the different alternatives, not only to improve his alternative but also to worsen the other side’s alternatives at the same time.

The Concession
Experience reveals that the application and infrastructure architects have to let go, albeit selectively, of their biases towards pure proxy and homogeneous hardware to accommodate the setting up of a reverse proxy as a best response for a segment of applications duly benefiting from one, and an alternative solution like a plugin for proxy servers that is a best response to another segment of applications. The audit manager has no choice but to add to his inventory of tasks the ‘seal-and-certify’ of all new components to avoid triggering an end-of-year audit. The helpdesk manager will also duly ask for process flow and user impact analysis from all parties concerned. Examples illustrating pure bargaining tactics abound in security strategy formulation.

Javed Shah is a Practice Director for Security at Prolifics with more than 12 years of experience in identity and access management architectures. He has broad exposure developing identity and access management solutions, and system software components that deliver reliable data security, web enablement and user lifecycle management services to customers. Before joining Prolifics, Javed founded and ran a professional services company in India for 6 years. Spanning over a decade, Javed has led identity management projects to successful exits at Nestle, University of California San Francisco, Kaiser Permanente, ABM Industries, BRE Properties, UPS, Tampa General Hospital and E*TRADE Bank. He was also the leader of the ITIM Level 3 defect resolution and analysis team in India where he was responsible for handling all customer defects for North America and Asia. Javed holds a Bachelor’s degree in Computer Science, a Certificate in Implementing and Managing an Enterprise Architecture using the Zachman Framework and the CISSP certification. He is also currently pursuing an MBA from the Haas School of Business, University of California Berkeley.