Security and privacy have been in the news again — especially around the Apple vs. FBI iPhone unlocking case — but also for large scale breaches such as Verizon. Security has legitimately been “an elephant in the room” throughout the history of computing – from physical punch card security (anyone remember dropping a card deck?) to today’s concerns about the security of IoT sensors (e.g., NEST thermostats).
Security has typically been treated as a “nice to have” feature, a necessary evil. Even the Internet, the network backbone for most systems today, was not designed with security as a primary requirement. Many attempts have been made to define holistic approaches to security – for example, the ISO/IEC developed a Security Architecture standard for Open Systems Interconnection in the late 1980s.
More recently, the practice of “Privacy and Security by Design” recommends that security be a design requirement for all IT products and services. There is considerable consensus that security integration is critical to success for both cloud computing and the emerging Internet of Things (IoT).
We have moved from security being ignored, or at best being an afterthought, to having security failures be front page news. This is partly because systems are no longer just back office batch accounting applications – they are now business critical (as with Uber and shopping carts), safety critical (airplanes, driverless cars, nuclear plants), and time critical (trading, traffic control, etc.). Security requirements have also become more stringent as the sophistication of the attackers has increased.
What does the term “IT security” really mean? For me, it means any deviation from the intended use or behaviour of a system and/or its contents (software and data). This would include unauthorized access, observation, modification, disruption, use, or control.
Various “things” could be the targets of system security. Here are a few possibilities:
- Data/Information – personal or non-personal, user- or system-generated, various formats;
- Assets – physical components (processors, storage, networks, devices, hosting sites), virtual components (software, data, policies, passwords, etc.), and even the design and documentation – all the configuration items of a CMDB;
- People – identifiable entities in the system (i.e., names), or users who can access the system;
- Processes – that direct the activities and interactions of the systems;
- Communications and interfaces – within a system, between systems, and among users via the system; and
- Locations – which represent the position of objects, may be fixed or moveable, and may be subject to sovereignty laws.
How can the “goals and dreams” of security experts be realized in all these areas, even if there is no such thing as security perfection? Security is never a black and white, all or nothing decision. The FBI vs. Apple case is an example of what could be a very gray area.
Two fundamental security strategies are a priori prevention and rapid detection/correction. A security management life cycle to support these strategies would include:
Information gathering
Nothing beats knowing your enemy. The more you know about threats, the better prepared you can be to respond to attacks. Nothing beats learning from other people’s experiences and, to the extent possible, collaborating on building defenses.
Knowing your own vulnerabilities is also critical. To assess where you have weaknesses also means knowing what you have – asset management and monitoring are key. Also, change management for both hardware and software allows you to maintain your knowledge base.
Threat Intelligence Centres are emerging as the focal point for information gathering and sharing among communities of interest.
Prediction of events
If you can anticipate a security-related event, then you have more time and opportunity to prepare a response and hopefully avoid damage.
This doesn’t mean pure guesswork – it does mean using the knowledge that has been gathered. This could be as simple as tracking what is happening to other companies in your industry.
Predictions can be theoretical (knowing your own vulnerabilities, for example) or evidence-based (e.g., analyses of worldwide events). This is an area where you don’t need to re-invent the wheel – industry co-operation and managed security services can be a significant help.
Prevention of incidents
A prevention strategy aims to make security so difficult to overcome that it is not worth the time and effort to do so. Security by design, including the design of security monitoring and detection systems, is inherently a preventative approach.
One example of prevention is to encrypt your data so that it cannot be seen, both at rest and in motion. Even a decision to do thorough software testing for bugs is a form of prevention as it reduces the number of vulnerabilities.
Relying only on prevention techniques for all aspects of security is not sufficient, however. Passwords can be stolen, the Internet can be disrupted, and hackers are very innovative!
Threat detection
Active monitoring and rapid (ideally instantaneous!) detection of unauthorized events and anomalies can be used to provide enhanced security. This strategy assumes that incidents will occur despite all possible prevention efforts, and aims to catch the attack in progress or at least before significant damage occurs.
Knowing where to look is an important part of this strategy. Machine learning and big data analytics may become more and more critical in this area.
Protecting security-related services is also critical, since an attack on the security functions of a system can leave you “blind” to other events.
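As an added illustration of the detection strategy described above (example code written for this editorial pass, not the author's own), the block below runs a simple detector over constructed sshd-style log lines. It raises an alert when one source accumulates several failed logins inside a short window, and separately flags a host whose log feed goes quiet, since losing the monitoring signal is exactly the “blind” condition the text warns about. The log format, thresholds, host names and addresses are all assumptions made for this example.

```python
"""Added example (not from the original post): a minimal detection pass over
constructed auth-log lines. It flags (a) bursts of failed logins from one
source inside a short window and (b) a log source that goes silent, since a
monitoring gap is itself a security event. The log format, thresholds, host
names and addresses are assumptions made for this example."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample lines in an assumed syslog-like format (documentation
# address ranges, fictional hosts).
SAMPLE_LOG = """\
2016-03-01T10:00:01 host1 sshd: Failed password for root from 203.0.113.5
2016-03-01T10:00:03 host1 sshd: Failed password for root from 203.0.113.5
2016-03-01T10:00:04 host1 sshd: Failed password for admin from 203.0.113.5
2016-03-01T10:00:05 host1 sshd: Failed password for admin from 203.0.113.5
2016-03-01T10:00:06 host1 sshd: Failed password for admin from 203.0.113.5
2016-03-01T10:00:09 host1 sshd: Accepted password for alice from 198.51.100.7
2016-03-01T10:00:20 host2 sshd: Failed password for bob from 198.51.100.9
2016-03-01T10:07:45 host1 sshd: Accepted password for alice from 198.51.100.7
"""

LINE_RE = re.compile(
    r"^(\S+) (\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$"
)


def parse(lines):
    """Yield (timestamp, host, outcome, user, source) for each line that
    matches the assumed format; anything else is skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.fromisoformat(m.group(1))
            yield ts, m.group(2), m.group(3), m.group(4), m.group(5)


def detect_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """Alert when one source reaches `threshold` failed logins within `window`.
    A per-source deque keeps only the timestamps still inside the window."""
    recent = defaultdict(deque)
    alerts = []
    for ts, host, outcome, user, src in events:
        if outcome != "Failed":
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) == threshold:  # fire once, when the threshold is first reached
            alerts.append((src, host, ts))
    return alerts


def detect_silent_sources(events, max_gap=timedelta(minutes=5)):
    """Flag a host whose consecutive log entries are further apart than
    `max_gap`. Losing telemetry from a host is treated as an event in its
    own right, not as a quiet period."""
    last_seen = {}
    gaps = []
    for ts, host, *_ in events:
        if host in last_seen and ts - last_seen[host] > max_gap:
            gaps.append((host, last_seen[host], ts))
        last_seen[host] = ts
    return gaps


def run(log_text=SAMPLE_LOG):
    """Parse the log once and apply both detectors to the same event list."""
    events = list(parse(log_text.splitlines()))
    return {"bursts": detect_bursts(events), "gaps": detect_silent_sources(events)}


if __name__ == "__main__":
    for kind, items in run().items():
        for item in items:
            print(kind, item)
```

On the constructed input the burst detector fires once, for 203.0.113.5 on host1 at the fifth failure, and the silence detector reports host1 for the gap between 10:00:09 and 10:07:45. In a real deployment the silence check would be driven by a clock rather than by the next line to arrive, since a host that never logs again produces no line to trigger it.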
Response and restoration
Security events can be very similar to a physical disaster – they can easily become a business continuity problem if not contained and corrected.
Security event responses should be designed firstly to contain, and then to correct, the breach. Security by design can also be helpful in this area – developers should design their systems to include the mechanisms for ensuring trust and for containing the effects of failures, whether intentional or not.
Security – the five-year mission
Today’s emerging technologies – DevOps, cloud-based operations automation, agile self-service systems, and pervasive IoT – are all conspiring to make security more complex and more critical.
Security services must, over the next five years, be automated in much the same way as ITaaS (IT as a Service) is being automated with cloud computing.
We may not have reached the final frontier yet, but the security starship is already racing to the stars. Its five-year mission has to be to make systems in the emerging Digital World reliable, trustworthy, and tamper-proof.
This is what I think, but I’m sure there are other opinions. Please share them! And my apologies for the Star Trek analogy!