“We are searching for some kind of harmony between two intangibles: a form we have not yet designed and a context which we cannot properly describe.”
— Christopher Alexander
There are times when we all experience a sudden sense of discontinuity; a gnawing feeling arises within us that we need to do something differently from the way we’ve always done it before. The old ways, while not without value, seem to lack something — perhaps some ineffable quality — that we need in order to handle the new situation upon us more effectively.
Security may be at that inflection point right now. Threats, and the compulsion to respond to them, are increasing; theories and “solutions” rush in from every direction as the enterprise struggles, caught in multiple maelstroms, security-related ones among them. The potential for disruption and damage is severe enough that an enterprise would be unwise simply to continue down a path of incremental improvements based on old, tried-and-trusted methods.
Threats Are Spiking
In the last couple of years, we have witnessed visible attacks on “critical infrastructure,” a category of assets that receives special attention from the US government. The ransomware attack on Colonial Pipeline and the attempted poisoning at a water treatment plant in Florida are just two examples. Some of these attacks have involved foreign entities and nation-state players; others have involved cybercriminals with a profit motive. But the lines appear to be blurring, as bad actors of different shapes and sizes collaborate in mutually beneficial arrangements.
And it is not just attacks from the outside that are cause for concern. The 2007 cinematic thriller Breach, based on the true story of Robert Hanssen, an FBI agent convicted of spying, offers a good example of the ultimate insider attack. Information security professionals have always articulated concerns about attacks from the inside, but with the clear emergence of foreign-state bad actors who are motivated to damage industries and enterprises, it may be wise to assign a higher probability to insider attacks and to design the protection of the inside accordingly.
On top of all that, the complexity, diversity, and volume of threats are further increased with all the new devices being added to the enterprise network with the adoption of recent hybrid- and work-from-home models, and the resulting exposure from home-based networks and the Internet of Things (IoT).
Security Solutions Continue to Surge
It is not that there are no solutions for many of these threats, especially since some of the most devastating attacks have not required advanced technology, or even much talent. For example, the Colonial Pipeline attack succeeded because of a vestigial VPN account that should have been deprovisioned, and because no multifactor authentication was required for access through that VPN.
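The two conditions that paragraph describes, an enabled-but-unused VPN account and an account that can log in without MFA, are exactly the kind of thing an identity team can check for routinely. The following is an added example and not code from the article or from any vendor: an audit over a list of account records that flags accounts dormant past a threshold and accounts without MFA enrolment. The record shape (`Account`), the 90-day threshold, the reference date and the sample records are all constructed assumptions; in practice the list would come from the identity store's export or API.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

UTC = timezone.utc
# Reference date for the constructed sample data below (an assumption).
NOW = datetime(2021, 5, 7, tzinfo=UTC)
DORMANT_AFTER = timedelta(days=90)  # assumed policy threshold for "unused"


@dataclass(frozen=True)
class Account:
    """One VPN user record as exported from an identity store (assumed shape)."""
    username: str
    enabled: bool
    mfa_enrolled: bool
    created: datetime
    last_login: Optional[datetime] = None  # None means the account has never been used


def audit(accounts, now=NOW, dormant_after=DORMANT_AFTER):
    """Return findings for enabled accounts that are dormant or lack MFA.

    A disabled account cannot be used to log in, so it produces no finding.
    An account that has never logged in is measured from its creation date, so
    a provisioned-but-never-used account ages into a finding just like a stale one.
    Each finding is a dict: user, issue ("dormant" or "no-mfa"), idle_days.
    """
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue
        last_activity = acct.last_login or acct.created
        idle_days = (now - last_activity).days
        if idle_days > dormant_after.days:
            findings.append({"user": acct.username, "issue": "dormant", "idle_days": idle_days})
        if not acct.mfa_enrolled:
            findings.append({"user": acct.username, "issue": "no-mfa", "idle_days": idle_days})
    # Stable order so the report is diffable from one run to the next.
    return sorted(findings, key=lambda f: (f["user"], f["issue"]))


# Constructed sample records covering the cases the check must handle.
SAMPLE = [
    # Active user with MFA: clean.
    Account("jdoe", True, True, created=datetime(2018, 3, 1, tzinfo=UTC),
            last_login=datetime(2021, 5, 6, tzinfo=UTC)),
    # Legacy account, last used months ago, no MFA: the Colonial Pipeline pattern.
    Account("vpn-contractor-01", True, False, created=datetime(2019, 6, 15, tzinfo=UTC),
            last_login=datetime(2020, 9, 1, tzinfo=UTC)),
    # Provisioned in January, never used: dormant by creation date.
    Account("svc-backup", True, True, created=datetime(2021, 1, 2, tzinfo=UTC)),
    # Already disabled: ignored even though it lacks MFA.
    Account("old-admin", False, False, created=datetime(2017, 1, 1, tzinfo=UTC),
            last_login=datetime(2019, 4, 30, tzinfo=UTC)),
    # Brand-new account that has not enrolled MFA yet: flagged for MFA only.
    Account("new-hire", True, False, created=datetime(2021, 5, 3, tzinfo=UTC)),
]


if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"{f['user']:20} {f['issue']:8} idle {f['idle_days']:4d} days")
```

The point of measuring never-used accounts from their creation date is that an account nobody has ever logged into is not safe; it is an unused credential waiting to be found. Treat "no-mfa" findings as a policy gap to close at the VPN gateway rather than per user, since enforcing MFA at the gateway covers accounts the export did not list.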
The overarching issue is that enterprises have myriad ways to address security issues up and down the stack, and sideways, too. Many products come with their own authentication and authorization mechanisms and protocols; for example, a business process management platform may require a separate authentication method that differs from the enterprise standard. Moreover, routers and other network devices have capabilities that allow network segmentation; encryption can be done at different layers across applications, databases, networks, and integration channels; each system can have its own logging and monitoring capabilities; and so on. And there are no signs of a slowdown in the surge of new solutions arriving in the form of platforms such as security information and event management (SIEM), components and protocols (e.g., OpenID Connect), and embedded security capabilities in the cloud and within business-focused products. The diversity of solutions across the enterprise often makes it harder rather than easier to create an efficient, cohesive, and coherent security implementation that accomplishes what is needed: effective protection that is not an impediment to the business.
Architecture’s Time Has Come
Today’s enterprise is caught between the spike in demand and the continuing surge in solutions that are everywhere, yet nowhere, because they lack coherence. This kind of complexity and sprawl in the security landscape is the raison d’être for architecture, which began its ascent in the enterprise in the early 1990s, when local area networks and personal computers were new and once-monolithic systems were being redistributed into patterns of clients and servers.
Thus, information security is at an inflection point that has crossed a threshold into a degree of complexity and multidimensionality that needs the mindset and techniques of architects who are skilled at weaving the parts — the security parts and pieces strewn across the landscape — into a cohesive whole: an architecture.
There are many architectural choices to be made. Should encryption be done in the payload or in the network? Can this be a one-size-fits-all approach, or does it need to be decided case by case, or a combination of both? Is it necessary to get old legacy applications to work with newer authorization protocols such as OAuth to enable fine-grained access control, or should they be accepted as exceptions to the rule, with assurance that attackers cannot use those exceptions to compromise the rest (the tail wagging the dog)? Is it acceptable to rely on network segmentation to isolate IoT devices that are known to have potential vulnerabilities, or should some IoT devices be disallowed altogether? Can we rely on machine learning algorithms to take care of certain kinds of intrusions, trusting that they will triage appropriately and loop in human decision makers as needed, using enterprise workflows across legal, compliance, and business boundaries?
These are interesting — and challenging — times that we live in. While vendors, products, technologies, and platforms provide the basis for solutions, enterprise information security solutions need to be architected well. Do you have the kind of architects you need to accomplish this? Can they deal not only with the technical aspects of security, but balance that against the needs of the business to operate, innovate, and transform to meet the challenges of the day? Tell me what you think. Post your comments at the link below, or send email to email@example.com.