In 2001 the Nobel prize for economics was won by a paper called ‘The Market for Lemons’.
This intriguingly named paper describes the hazards associated with the seemingly simple task of buying a used car from a dealer.
Pay a visit to any car dealer’s lot and you will typically see a large number of freshly washed, shiny cars that have been polished to within an inch of their lives to appeal to prospective buyers.
Now, some of the cars on the lot will have been owned and driven by the proverbial ‘one lady owner’ who has only driven the car on Sundays, never in the rain and never faster than 70 km/h – that’s the car you want to buy.
Unfortunately, some of the other cars on the lot will have been driven by the careful lady’s teenage grandson who has regularly raced the car around the streets till the wee hours and never changed the oil. That’s the lemon; the car that you don’t want to buy because it will be unreliable and probably cost you a lot of money in the long run.
As a buyer, the problem you face is telling these two cars apart. Once they’ve been washed and polished and put on the dealer’s lot they look identical. In other words, it’s nearly impossible to tell which one is the lemon. This creates a huge information gap between the buyer and the seller and this asymmetry, ultimately, creates a dysfunctional market. As the Market for Lemons explains, this will eventually drive high quality products out.
Economists suggest that the solution to this problem is to create what’s called a buying signal: some independent way of showing the quality of the product. One obvious way you might do this with a used car is to get it tested by a reputable, independent mechanic, one who has the skills to spot the lemon. That’s why it’s not uncommon to see dealers get pre-purchase inspections on their cars by an organisation such as the AA or RAC, who can boost buyer confidence that they are buying with a high assurance of quality.
It strikes me that this problem also exists for buyers of encryption technology, or of security products in general. It’s understandable that organisations seeking to more widely deploy encryption are looking for guidance to help them navigate a landscape of complexity and vulnerability, much of which is due to poor implementation.
Not all encryption is the same, so as a buyer how can you tell good solutions from bad ones?
When it comes to security products, there are signals that can help you make an informed choice about the kind of products you buy and you should be aware that they exist.
For example, governments and enterprises around the world often mandate that only products that are certified to recognized standards, such as FIPS 140-2 (US) or the Common Criteria (International), be used to secure their environments.
I’m not suggesting that a product with FIPS or Common Criteria certification has any sort of guarantee of perfect security. Even with the best will in the world, all security products need to be tested, maintained and patched against emerging threats. I am suggesting, though, that these certifications provide some sort of signal that may help your decision making when looking to deploy high-assurance security solutions.