We’re seeing the term “assumption of breach” thrown around more and more. I’ve adopted the phrase myself; it’s the most succinct description of the mindset that you can’t plug every hole in the perimeter – a fact most security practitioners are keenly aware of. My message these days is most often that we must accept the inevitability of compromise and learn to operate our networks under an assumption-of-breach philosophy.
My first exposure to the phrase was in late 2006 by Kirk Bailey, the CISO at the University of Washington. At the time, the concept of assuming breach was novel outside the federal community, and we both enjoyed discussing the challenges of information security management in compromised environments. The measure of a man’s intelligence is how much he agrees with you, and I think Kirk is a very smart guy.
Many attribute the phrase to the US government, based on a comment by the chief of the NSA’s Information Assurance Directorate (IAD) in late 2010. US federal network administrators have been grappling with targeted attacks for over a decade, but I was part of the USAF’s network defense community from 2000 through 2007 and never ran across the term. I suspect Kirk’s federal colleagues took the phrase back with them and it took hold.
If you’ve got any other datapoints, email me!
UPDATE 10/11/12: I received an email from Ernie Hayden, now with Verizon Business and previously the CISO of the Port of Seattle. Ernie has written several articles for Asian Power and the Verizon Business Blog supporting the concept of “assumption of breach.” Ernie and Kirk have been colleagues for a long time, as indicated by this Jan 2005 article profiling the two, when Kirk was still CISO of the city of Seattle.
Ernie also credits Kirk with the phrase in his Asian Power article: “[Kirk has] maintained [the assumption of breach] philosophy for as long as I have known him.” In our email exchange, he indicated he “learned from Kirk about this philosophy circa 2002.”
Ernie’s timeline dovetails with my personal recollections. When Kirk and I discussed the concept in 2006, it was clear he had deeply considered the inevitability of compromise and how to operate his networks in a compromised environment. I had recently left the Air Force network defense community — where discussions on the topic were frequent — and Kirk’s succinct articulation of the issues was well advanced beyond the USAF’s collective thinking. I recall being struck by how he articulated concepts in just a few words, where I and my USAF colleagues were using paragraphs.
If you’ve got any other datapoints on the history, email me!