Getting to Perfect Security

Matthew Todd, Security Expert, VMware Radius

Matthew Todd, Principal Consultant, Full Scope Consulting LLC

It helps, sometimes, to think in terms of ideals. If I had all the time and money in the world, where would I go on vacation? If I had all the perfect ingredients and the perfect oven, what kind of pastry would I make? If I could craft a perfect security solution, what would it be? These are thoughts that wander around in my head. While it’s obviously hard to make anything perfect, considering the ideal does help us think about new things to try and paths to perfection — even if they’re unattainable.

Safeguards of the Past

The earliest versions of security for networked systems consisted of layers of protection around the most sensitive data. On the outside was the wild, untrusted internet.

Our web server sat between two firewalls. One protected it from the internet. The other isolated it from internal systems. This placed it in a network segment called the DMZ (from the military term “demilitarized zone,” a zone protected by treaty where any military action would be deemed an attack). The DMZ was also considered “untrusted,” even though it was under our company’s control. That’s because we knew that anyone could connect to our web server from the internet.

Behind the DMZ sat our precious servers, running our business applications and databases. This was the trusted network, where only good things could possibly happen. If we configured our firewalls right and watched our network interfaces carefully, we could keep the bad guys out. We figured we didn’t have to worry much about what was going on inside. Well, maybe we should have worried a little more about what was going on in there, but as far as priorities went, it was low.

The ideal security model for the earliest web sites consisted of carefully protected data sitting on a tightly controlled (and thoroughly failsafe) database, surrounded by increasingly less trusted layers of systems and networks — until you got to the internet.

Now What?

In the current world, of course, that’s not especially practical. Now data is distributed, and not just within our own on-premises network. It’s in the cloud, in other vendors’ clouds, on our clients’ smart devices, on our clients’ less-smart devices … nearly everywhere. This is the world we work in and will continue to work in for the foreseeable future.

Our business also cares about more than “traditional” data; it cares about things like:

  • Personally identifiable information (PII)
  • Protected health information (PHI)
  • Private legal matters
  • Intellectual property (IP)

Today, we have more network-connected systems and “things,” like home appliances, HVAC systems, medical devices and critical infrastructure systems. This allows us to both monitor and control these devices from far away, giving us greater business and personal flexibility. Remote control and monitoring introduce new risks, however. We security professionals now have to think of the states of controls and monitors as other types of data that can be known or altered, and must be protected.

The state of a system can be known (up or down) or altered (turned on or turned off). A water valve may be closed or opened. The flow rate of insulin to a patient may be observed or modified. This data may be accessed in a variety of ways, for example via:

  • An application
  • A web service
  • An API
  • An administrative interface
  • A physical interface

That’s why all types of data must be appropriately protected, regardless of the means of accessing it. (Hereafter, when I refer to data, I mean all kinds, including control states.)

An Ideal Scenario

So what, then, should perfect enterprise security look like in our data-everywhere world? I propose the following as some of its elements:

Perfect Knowledge of Data

Fundamental to any security scheme is knowing what we are protecting. If we know all the data elements that the business uses at all times and the corresponding sensitivity and relevance to various business functions, we can protect it appropriately. We can also monitor it for proper use and performance, as well as track it for things like privacy requirements (e.g., GDPR and CCPA).

Perfect Knowledge of People and Roles

What are the various roles that must interact with the data we care about? What are their needs and how will those needs change over time? Think here of business teams, project teams, clients, partners, vendors, auditors, etc. If we know how roles map to data access requirements — and have ways to anticipate future roles and requirements — we can seamlessly provide appropriate levels of access, restricting where appropriate and setting guard rails where possible. Perfect knowledge also means we know when behavior falls outside of appropriate norms, and we can act accordingly.

Perfect Knowledge of the Business Environment

If we, the security team, understand and can predict the business environment, we can anticipate new data elements and corresponding requirements for protection, aligning with various organizations and roles. The business environment includes things such as:

  • Business goals
  • Available resources
  • Customer expectations
  • Audit requirements
  • Legal framework
  • Regulations

Data-Aware Interfaces

In an ideal world, we would no longer think in terms of limiting access to a network segment, an application, a system resource, or a microservice. Instead, our entire infrastructure would be data-aware, interacting with systems, networks and applications to control access to data, regardless of the person/application or means of access. Every connection between systems, networks, applications and even people would cross interfaces that know what data is being accessed and how it must be protected.
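To make “data-aware” concrete, here is a small Python gate, added here as an illustration and not code from the post: it decides on the data’s classification and the requester’s role rather than on the network segment or access path, logs the channel only for audit, and learns a baseline of normal (role, action, data class) behaviour so it can alert on permitted-but-unusual use and refuse unusual writes to high-sensitivity data or control states. The roles, data classes, sensitivity levels, policy and requests are all constructed sample values.

```python
from dataclasses import dataclass, field

# Data classes named in the post (control states count as data) with a
# constructed sensitivity level; level 4 means unusual writes are refused.
SENSITIVITY = {"public": 0, "ip": 2, "pii": 3, "phi": 4, "legal": 4, "control_state": 4}

# Role -> action -> data classes the role may touch. Constructed sample policy.
POLICY = {
    "clinician": {"read": {"pii", "phi"}, "write": {"control_state"}},
    "auditor":   {"read": {"pii", "phi", "legal", "ip"}, "write": set()},
    "partner":   {"read": {"ip"}, "write": set()},
}

@dataclass(frozen=True)
class Request:
    principal: str
    role: str
    action: str      # "read" or "write"
    data_class: str  # classification of the element, wherever it is stored
    channel: str     # application, web service, API, admin or physical interface

@dataclass
class DataAwareGate:
    # Decides on (role, action, data class); the channel is logged, never trusted.
    baseline: set = field(default_factory=set)   # learned normal behaviour
    audit: list = field(default_factory=list)
    alerts: list = field(default_factory=list)

    def learn(self, req):
        # Training window: record approved (role, action, data class) behaviour.
        self.baseline.add((req.role, req.action, req.data_class))

    def decide(self, req):
        key = (req.role, req.action, req.data_class)
        allowed = req.data_class in POLICY.get(req.role, {}).get(req.action, set())
        unusual = allowed and key not in self.baseline
        if unusual:
            self.alerts.append((req.principal, req.channel, key))
            if req.action == "write" and SENSITIVITY[req.data_class] >= 4:
                allowed = False  # limit access on the norm, not just alert on it
        self.audit.append((req.principal, req.channel, key, allowed))
        return allowed

def demo():
    gate = DataAwareGate()
    gate.learn(Request("alice", "clinician", "read", "phi", "application"))
    return [gate.decide(Request("alice", "clinician", "read", "phi", "api")),
            gate.decide(Request("bob", "partner", "read", "phi", "application")),
            gate.decide(Request("carol", "auditor", "read", "legal", "web service")),
            gate.decide(Request("dave", "clinician", "write", "control_state", "physical"))], gate.alerts
```

Note that alice’s read of PHI is allowed over the API exactly as it was over the application, because the decision never looked at the channel; dave’s write to a control state is refused only because nobody in that role has been seen doing it during training.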

We’re Getting There

Modern security tools are approaching this ideal. Machine learning (ML) systems can:

  • Be educated about normal and approved application, system and control behavior.
  • Limit access based on those norms.
  • Alert based on anomalous behavior.

Currently, ML solutions work based on network connections between people, applications, resources, servers, etc. We must tell ML systems when to update their baselines if circumstances change (for example, when new features are added or new resources become available). Interaction between knowledgeable and business-savvy security professionals and these intelligent systems will always be needed.

Over time, both will work together to approach the ideal: data-aware, secure, adaptable and flexible tools and environments that help the business prosper.

In the meantime, I’ll keep working towards that ideal combination of flaky and chewy. (Pastries!)