We live in a world where our data and our desire to access it know no bounds. We are aware of security, but we just want access to work and not to have to think about it.
We know that we could be vulnerable to hacks, phishing, identity theft and data loss, yet we rely on the protections afforded to us by service suppliers.
Let’s consider this in a commercial context.
We move more and more workloads to the cloud, and by cloud I mean the public cloud. We demand it to be secure, yet we still feel that we need to secure everything, irrespective of location or ownership.
So there I am in a meeting trying to understand why I am still trying to run and maintain security infrastructure that would suit an organisation with no cloud adoption, rather than one with more than 60 percent public cloud.
My organisation has numerous services delivered directly from public cloud. My access to these is generally from mobile devices or from outside the organisation across the net. So what is all this security infrastructure protecting?
I have tested and am relying on the security provided by the cloud service provider, yet here we are with high-availability firewalls, intrusion detection and prevention systems and a DMZ that spans two racks, and still no real feeling of security, nor any visibility of security issues.
And there's the problem. No matter how many firewalls or other pieces of on-prem security apparatus we run, my growing reliance on capability delivered by cloud providers, security included, is generating a need to rethink security.
Complexity ISN’T Security
Yes, I hear you say, what about all your users?
Yeah, what about them? If we are driving BYOD, consumerisation, mobility, partner access and such, how is my security posture best served?
Should I treat everyone as trusted and then create a complex set of security structures that I don't have the resources or knowledge to maintain?
I don't think so.
For too long the security industry has talked and sold tin:
“What you need are newer, faster boxes made by me, because those ones you bought last year from that other vendor just don't cut it anymore.”
And who could forget that tired mantra of “defence in depth”? Who knows what it means in practice, apart from more complexity?
Hide in the Clouds
I recently read that the CIA now relies on public cloud for many of their infrastructure needs. Apparently existing in a data centre of several hundred thousand servers with various customers and use cases helps drive an air of obscurity.
You coexist with many other workloads. Your workloads get moved around as part of how these cloud providers operate their environments. You don't know where your boxes are, and given the scale, your prospective hackers don't either. Treat that obscurity as a side benefit rather than a control, though: it is the provider's tenant isolation, and the identity and encryption choices you make yourself, that do the real work.
Would it not drive better security outcomes if we treated everyone as untrusted? Access to any information resource would be treated the same as if that person were at home, at a café, or on their mobile device.
Just because you work in an office shouldn't mean a free pass in terms of security.
This removes the ever-present burden of trying to manage a growing plethora of devices and connections, and it reduces your attack surface substantially.
Then we would consider security in everything we do, because we would no longer have the preconceived notion that some firewall will protect us and our data. Relying on technology alone is no longer a defence.
Would our applications then be designed so that secure consumption is built in from the start? Without the “lazy” corporate-style network to hide behind, this becomes a key design consideration.
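To make the “no free pass for being in the office” point concrete, here is an added example (not code from the original post) that evaluates the same request under two policies: a perimeter policy that trusts anything arriving from the corporate LAN, and a location-agnostic policy that checks identity, second factor, device health and entitlement on every request and never looks at the source address. The address ranges, device inventory, users, resources and scenarios are all constructed for the illustration.

```python
"""Same request, two policies: the corporate-LAN free pass versus treating
everyone as untrusted. Added illustration; every range, device, user and
resource below is constructed for the example."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed: the address range the perimeter model trusts on sight.
CORPORATE_LAN = ipaddress.ip_network("10.0.0.0/8")

# Constructed device inventory, as a device-management system would report it.
DEVICES = {
    "lt-0421": {"owner": "alice", "managed": True, "encrypted": True, "patched": True},
    "lt-0422": {"owner": "bob", "managed": True, "encrypted": True, "patched": False},
}

# Constructed: who is entitled to each resource, decided by the data owner.
RESOURCE_OWNERS = {"payroll-db": {"alice"}}


@dataclass(frozen=True)
class Request:
    source_ip: str
    user: Optional[str]       # authenticated identity, None if nobody is logged in
    mfa: bool                 # second factor completed in this session
    device_id: Optional[str]  # device identity asserted by the client, if any
    resource: str


def marshmallow_allows(req: Request) -> bool:
    """Perimeter model: on the LAN you are trusted outright; from outside,
    a password (any authenticated identity) is enough."""
    if ipaddress.ip_address(req.source_ip) in CORPORATE_LAN:
        return True
    return req.user is not None


def zero_trust_allows(req: Request) -> bool:
    """Location-agnostic model: identity, second factor, device health and
    entitlement are checked on every request; source_ip is never consulted."""
    if req.user is None or not req.mfa:
        return False
    device = DEVICES.get(req.device_id or "")
    if device is None or not (device["managed"] and device["encrypted"] and device["patched"]):
        return False
    if device["owner"] != req.user:   # a known laptop in the wrong hands
        return False
    return req.user in RESOURCE_OWNERS.get(req.resource, set())


def compare(req: Request) -> tuple:
    """(perimeter decision, zero-trust decision) for one request."""
    return marshmallow_allows(req), zero_trust_allows(req)


# Constructed scenarios.
SCENARIOS = {
    # Stolen managed laptop plugged into the office network, nobody logged in.
    "stolen laptop on LAN": Request("10.1.2.3", None, False, "lt-0421", "payroll-db"),
    # Alice on cafe wifi with her own patched laptop and a second factor.
    "alice at cafe": Request("203.0.113.7", "alice", True, "lt-0421", "payroll-db"),
    # Bob at his desk, MFA done, but on a laptop that is behind on patches.
    "bob unpatched at desk": Request("10.5.5.5", "bob", True, "lt-0422", "payroll-db"),
    # Phished password used from the internet, no known device, no second factor.
    "phished creds from outside": Request("198.51.100.9", "alice", False, None, "payroll-db"),
}

if __name__ == "__main__":
    for name, req in SCENARIOS.items():
        perimeter, zt = compare(req)
        labels = ["deny", "allow"]
        print(f"{name:28s} perimeter={labels[perimeter]:5s} zero-trust={labels[zt]}")
```

Run it and the perimeter column allows all four requests, including the stolen laptop on the LAN and the phished password from outside, while the location-agnostic column allows only Alice on her own healthy device with a second factor. Note that Alice at the café and a stolen laptop at a desk are the same decision problem once the source address stops being an input.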
People - the most reliable attack vector
So it is time to get rid of what I call the “marshmallow security model”. It has a crusty, semi-solid perimeter that offers some protection, but as soon as the blue network cable is plugged in you are trusted, and the soft, mushy free-for-all centre is available to all and sundry.
This lazy security approach in my view ignores the real issue, and that is people. People and their behaviour are what spread the “I Love You” virus: it went nowhere until someone opened the attachment. Phishing attacks are on the rise because it's easier to attack the person than the technology.
So let's abstract the people from the data, collapse the perimeter, and focus on the data. Standard Operating Environments (SOEs) are dead. Let them be. Stop trying to manage the perimeter. You have already lost.
No matter what barriers we create in the name of security, they are broken down or subverted by people. Why? Because the security measures don't assist staff to get their job done, and if a measure doesn't help, it's a hindrance and will be undermined.
Yes, yes, I can hear all the security bods saying that you should think about "defense in depth", isolating your data, encryption, blah, blah, blah. Is this what we think about when we subscribe to that new service?
Is this what your HR group thinks about (or even cares about) when they consume a cloud-based recruitment service?
That premise requires IT to control all aspects of the data access and storage layers. And we don't. How many of you have tried to control USB keys and drives? Anyone succeeded?
Now we get to asking why we still haven't reconciled the way we consume security with the way we consume everything else as a service. Where are the security services?
Why isn't the security conversation more about protecting what's REALLY important, and at source, rather than the perimeter?
Why is it that when raising these very issues with security experts and vendors, it all leads to more tin?
Ask yourself “Have I made my organization more secure?” Or “Have I made my data more secure?” And then how would you measure that anyway?
My ten point plan to disrupt security
- Push back on more boxes and tin. The world doesn't need more complexity, and you shouldn't be paying for it.
- Know what’s important to you and your organisation. The rest is irrelevant. Focus on that; it is usually one to two percent of your data.
- Start consuming good (i.e. reputable, large-scale, public) cloud services, and start obscuring (hiding) your environment. There are no longer any excuses.
- Design and build like the cloud guys do. If you have on-prem and it needs to stay, don’t be predictable, and don’t fall for the traditional layer upon layer of firewalls and tin. Remember that your people don’t need to traverse all this infrastructure to do damage.
- Go BYOD and mobile where you can. This will reduce the need to manage things that are no longer important or relevant, like operating systems and such.
- Virtualise your important application environments. Once virtualised they can be delivered securely and easily to anyone, anywhere, any time.
- Seek awareness of your security perimeter and its behaviour. Test it! Think and behave like an attacker, or like a careless user, and find the gaps that need filling.
- Those file servers need to die. One main reason for the traditional corporate network is to manage and provide access to file servers. There are alternatives, find them, use them, kill those file servers.
- Encrypt end to end. Just because you use your own machine or a cloud doesn't mean you can't encrypt what you do, both the data and the connection, end to end. Use this ability as a criterion for your shortlist of cloud providers.
- Be strong. You will face all the doubters and haters. Ask yourself how you behave when not at the office, and how you can translate that into value for your organisation. You will be surprised how much more careful we are away from the office, and how trusting we are inside it, where we feel superficially secure.
We all face pressure to do more with less, and to do so securely. We, as IT practitioners, seem to have mastered doing more with less; now it's time to do it simply and securely. If we all start to disrupt, we can drive the change we want.
Start hiding in the clouds people.