I see the disconnection between the user and what is really going on under the hood in the same way we see people on the freeway disconnected from the chaos just a few inches away. I think the way to break the "hamster wheel of pain" is to stop treating risk as a model that all things form into. Rather we need to factor risk as a "driver" in a machine we'll call the Automated Processing Environment (APE).
The APE is essentially stupid slow and constantly vulnerable to attack from smaller, faster, and more agile life forms. The ape isn't simply a collection of hardware, software and security controls. It is physical, human, and logical. I believe that we have to move on from the SDLC, CIA, and all models that have been crafted before this time because the complexity of attacks that we see in our environments simply can not be captured with current thinking in a way that helps us move forward.
If we shift the paradigm and factor in that, at the most basic level, we have human, physical, and logical assets all interacting with one another in a constant state of flux it becomes next to impossible to authentically predict, or better yet, assess the risk posture of the APE. The piece meal approach to providing a “cure” to the information security challenges simply will not make muster any more. We must address all components at once. Why? If all pieces of the APE triad (Human, Physical, or Logical) are not addressed at the same time, and with the same vigor, than the triad will collapse, and once again become vulnerable from the segment that was not equally bolstered. I've talked about transformation before in previous posts but I think that trying to improve one section at a time will never work because we will always be chasing the "tail of the dragon".
The same is true for mitigating risk to data. All too often I have seen huge efforts to implement technical solutions that do yield "a result" but that result is never fully understood. Manufacturers love to show dashboards showing all the security data that has been collected but in the end the dashboard serves no tangible purpose to understanding what is going on in the APE.
To break the cycle we must change the way business is done. We must become more closed and bring more sensitive data closer to home. This could be done by "purging" all sensitive data from systems that are in the wild and bring the data literally inside the walls of the Data Center. We need to move to a use of both the client/server and the more feudal approach of thin client architecture that pulls data processing into centrally managed activities in order to strike a risk based cost balanced approach. An awareness of who, what, where, and when sensitive data is being processed will help reduce the threat of loss of the data into the wild. Just like a diamond on display in a museum is protected but shared through the exhibition.
But by far the greatest weakness in the APE triad is the human factor. Behaviors must be modified and addressed immediately upon discovery. When I worked the flight line I saw folks sent home immediately after any kind of accident. One case sticks out in my mind at SFO where the tug driver ran a container into the side of an aircraft. He immediately was sent for a drug test and ordered to take a week without pay. Hence I would say the level of intensity and focus during a turn around was extreme. The danger was present and the risks real. That fear does not exist in the mind of the average user but should in those APE users that roam in a hostile world.
To be truly transparent means not only to report the control failures but to have visibility into any area of the enterprise allowing issues to be fully and freely expressed before they manifest themselves into security events.
No comments:
Post a Comment