What to know about Need-To-Know

Need-To-Know (NTK) is a security concept with military origins. In computer security, it’s called the principle of least privilege. And in the field of security engineering, it’s called security through obscurity. A less than polite definition, which I’m sure everyone can relate to, is: making it your business to ensure that everyone working for, around, or with you is minding their own business. Okay, so here is a classic example of NTK in use today:

The US Bullion Depository at Fort Knox, KY. Everybody knows where it is and what it contains. The information requiring NTK is the specific detail of how the bullion is being protected. That information is contained in the facility’s Operations Security (OPSEC) plan. The security of the bullion depends mostly on you not knowing what the entire OPSEC plan is. Controls exist so that each person knows only the portion of the plan necessary to do their particular job.

As individuals, we constantly make informal NTK decisions as we go about our daily lives. Hopefully we only disclose our credit card and social security number to those who really need it. We make decisions on whether to leave our cars locked or unlocked, without telling anybody. And in bars, chat rooms and at parties, we withhold information about ourselves until we know the other people better. A wrong NTK decision can result in unauthorized use of our information, whether deliberate or inadvertent, in ways that cause varying amounts of damage to our reputation, finances, and lives.

A security purist would argue that enforcing NTK is an exercise in futility, because all information can eventually be discovered and used against you. That statement is true, but NTK has a practical, immediate use as well. It’s called a competitive advantage. It is the foundation upon which trade secrets are based.

If you possess one or more information assets that you believe require NTK protection, the following factors should be considered:

  1. What is the expected benefit from using NTK to protect the information?
  2. What kind of damage would occur if the NTK was broken?
  3. What are the costs of implementing, maintaining and enforcing NTK procedures?

The last item is very important. If what you are protecting is BIG (like the secret “Coke” formula), the costs can quickly become unmanageable without proper planning and control. For a limited number of information assets and persons, NTK can easily be accomplished. But beyond a certain point, NTK is no longer a DIY project. For any organization with more than a few people, it must become a team effort, requiring input from people with security, legal, financial and human resource expertise.

If done correctly, both individuals and small organizations can benefit from NTK. If done incorrectly, NTK becomes a frivolous and potentially embarrassing management exercise. For a consultation to determine if NTK is right for you, please contact The Assurer.

Spread the word!