Getting to Perfect Security
It helps, sometimes, to think in terms of ideals. If I had all the time and money in the world, where would I go on vacation? If I had all the perfect ingredients and the perfect oven, what kind of pastry would I make? If I could craft a perfect security solution, what would it be? These are thoughts that wander around in my head. While it’s obviously hard to make anything perfect, considering the ideal does help us think about new things to try and paths to perfection — even if they’re currently unattainable.
Matthew Todd, Principal Consultant, Full Scope Consulting LLC
Safeguards of the Past
The earliest versions of security for networked systems consisted of layers of protection around the most sensitive data. On the outside was the wild, untrusted internet.
Our web server sat between two firewalls, in a network segment called the DMZ (from the military term “demilitarised zone,” a zone protected by treaty where any military action would be deemed an attack). One firewall protected it from the internet. The other isolated it from internal systems. The DMZ was also considered “untrusted,” even though it was under our company’s control. That’s because we knew that anyone could connect to our web server from the internet.
Behind the DMZ sat our precious servers, running our business applications and databases. This was the trusted network, where only good things could possibly happen. If we configured our firewalls right and watched our network interfaces carefully, we could keep the bad guys out. We didn’t have to worry much about what was going on inside. Well, maybe we should have worried a little more about what was going on in there. But as far as priorities went, it was low.
The ideal security model for the earliest websites consisted of carefully protected data sitting on a tightly controlled (and thoroughly failsafe) database, surrounded by increasingly less trusted layers of systems and networks — until you got to the internet.
In the current world, of course, that’s not especially practical. Now data is distributed, and not just within our own on-premises network. It’s in the cloud, in other vendors’ clouds, on our clients’ smart devices, on our clients’ less-smart devices … nearly everywhere. This is the world we work in and will continue to work in for the foreseeable future.
Beyond “traditional” data, our business also cares about things like:
- Personally identifiable information (PII).
- Private legal matters.
- Protected health information (PHI).
- Intellectual property (IP).
Today, we have more systems and “things” connected to the internet. IoT sensors monitor or control connected devices like home appliances, HVAC systems, medical devices and critical infrastructure systems.
We security professionals now have to think of controls and monitors as producing other types of data — data that can be known or altered.
The state of a system can be known (up or down) or altered (turned on or turned off). A water valve may be closed or opened. The flow rate of insulin to a patient may be observed or modified. This data may be accessed in a variety of ways via:
- An application.
- A web service.
- An API.
- An administrative interface.
- A physical interface.
That’s why all types of data must be appropriately protected, regardless of the means of accessing it. (Hereafter, when I refer to data, I mean all kinds, including control states.)
An Ideal Scenario
So what, then, should perfect enterprise security look like in our data-everywhere world? I propose the following as core elements:
Perfect Knowledge of Data
Fundamental to any security scheme is knowing what we are protecting. If we know all the data elements that the business uses at all times, and their corresponding sensitivity and relevance to various business functions, we can protect them appropriately. We can also monitor them for proper use and performance, as well as track them for things like privacy requirements (e.g., GDPR and CCPA).
Perfect Knowledge of People and Roles
What are the various roles that must interact with the data we care about? What are their needs and how will those needs change over time? Think here of business teams, project teams, clients, partners, vendors, auditors, etc. If we know how roles map to data access requirements — and have ways to anticipate future roles and requirements — we can seamlessly provide appropriate levels of access, restricting where appropriate and setting broad guardrails where possible. Perfect knowledge also means we know when behaviour falls outside of appropriate norms, and we can act accordingly.
Perfect Knowledge of the Business Environment
If we, the security team, understand and can predict the business environment, we can anticipate new data elements and corresponding requirements for protection, aligning with various organisations and roles. The business environment includes things such as:
- Business goals.
- Available resources.
- Customer expectations.
- Audit requirements.
- Legal framework.
In an ideal world, we would no longer think in terms of limiting access to a network segment, an application, a system resource or a microservice. Instead, our entire infrastructure would be data-aware, interacting with systems, networks and applications to control access to data, regardless of the person/application or means of access. Every connection between systems, networks, applications and even people would cross interfaces that know what data is being accessed and how it must be protected.
We’re Getting There
Modern security tools are approaching this ideal. Machine learning (ML) systems can:
- Be educated about normal and approved application, system and control behaviour.
- Limit access based on those norms.
- Alert based on anomalous behaviour.
Currently, ML solutions use network connections between people, applications, resources, servers, etc. We must tell ML systems when to update their baselines if circumstances change (for example, when new features are added or new resources become available). However, interactions between knowledgeable and business-savvy security professionals and these intelligent systems will always be needed.
Over time, both will work together to approach the ideal: data-aware, secure, adaptable and flexible tools and environments that help the business prosper.
In the meantime, I’ll keep working towards that ideal combination of flaky and chewy. (Pastries!)