Eleanor Saitta on security as a product of shared human outcomes
The O’Reilly Security Podcast: Systems, design, and emergent social structures.
In this episode, I talk with Eleanor Saitta, a security architect at Etsy. We talk about how security isn’t really about what happens to computers—it’s about what happens to the people using those systems; the relationship between design and security; and shifting the industry’s focus to think about security as a product of shared human outcomes.
Here are some highlights:
Security is about what happens to people, not machines
No one cares about what code is running on this machine or who authorized it or anything like that, except to the extent that it affects some human being. Now, because in many cases we don’t have other options that don’t involve interacting with some human being, we effectively do really care about what code runs on the machines. Of course, I don’t want to pretend that the low level doesn’t matter. Starting from that high level is beneficial in its ability to teach us what we actually do care about in the low level systems, and to highlight different ways of defending against attacks, or understanding attacks, that we wouldn’t necessarily see if we only looked at the code.
The relationship between design and security
One of the things we hear about is security architecture and security design, where architecture is the big-scale stuff, and design is the little fiddly details. I’m not talking about that. I’m talking about the things that your UX team might be doing—looking at business rules in systems, looking at service design. Again, not from the technical sense, but from the sense that this is a piece of bureaucracy or an organization that’s going to be interacting with human beings. What are the services that this bureaucracy or organization provides to these human beings, and what are the touchpoints for those interactions? It’s designed way up at that high level, not at the level of the technical systems themselves.
Security people understand this whole set of tactics they use to stay safe, but they don’t necessarily understand how their tactics relate to people’s lives and the position from which they’re interacting; they just think they’re pre-existing things in the world. There’s a real challenge there around how you get security people to see the things that they’re already doing as structures and tactics and design responses that can then be [re]designed again.
Security as a product of shared human outcomes
[Etsy] is a really different kind of security organization, where the goal is not to be at all adversarial. In fact, a lot of effort has gone into getting away from that adversarial relationship. I think that as soon as everybody understands that, “Hey, we’re all working for this collective good outcome,” it’s actually much easier to stay in that mindset of, “let’s get there. Let’s make sure that we don’t get too off course.” As long as you’ve got security as the gatekeepers in the combat boots who are going to stomp all over everything, it’s not going to work. You have to have a collaborative approach.