We choose to go to the moon. We choose to go to the moon in this decade and do the other things, not because they are easy, but because they are hard, because that goal will serve to organize and measure the best of our energies and skills, because that challenge is one that we are willing to accept, one we are unwilling to postpone, and one which we intend to win, and the others, too. — President John F. Kennedy, September 12, 1962
Coming out of the 2016 RSA Conference, it is clear we have hit a watershed moment in the history of the IT industry. After several years of hundreds of billions of dollars invested across a range of security technologies, it is self-evident that cyber presents a huge paradox to organizations of all types. The growth of cloud, mobile, and agile computing capabilities has delivered a golden renaissance of innovation.
• The iPhone is the digital equivalent of the Hitchhiker's Guide to the Galaxy
• Amazon Web Services is eating the infrastructure world like a black hole
• Today every company is a software company, embracing agile development to support business initiatives
In the security space, though, we have nearly conceded defeat. People are going around saying: “assume not that you will not be hacked, but that you will be hacked.” How uplifting!
It is time for things to change.
Forty-three years ago, when President Kennedy called for a man on the moon, many were skeptical. Today, people are equally skeptical about our ability to re-establish control of our own computing systems.
What happens if this were the time when things changed? What happens if we committed to leveling the playing field between attackers and defenders? What happens if we took a clean sheet of paper to how we think about restoring trust to our computing—where security enables innovation rather than stifling it?
What happens if we acknowledge that no one vendor has the entire solution?
The vendor part of the security industry—yes, I am calling myself out—has failed its customers. Einstein allegedly defined insanity as “doing the same thing over and over again and expecting different results.”
Companies claim to innovate, but all they do is present different versions of old models. A firewall that runs on a software platform is still a firewall. If your security is tied to infrastructure, you are leashed to a world where you have to own the infrastructure—sorry AWS, Azure—and more onerously, need to upgrade the infrastructure to upgrade your security.
I would never claim that my company has the answer for cybersecurity. But we represent a movement that unshackles security from the past to make it responsive to the dynamic, distributed, heterogeneous, and hybrid world into which we are moving.
Here are my 7 points to a cybersecurity moonshot program:
1. Turn everything inside out. We take back our computing from the inside out, from the applications out and not the infrastructure in. In the cyber world today, the perimeter attacker only has to be right once, while the defender only has to slip once. Why not shift the logic so the attacker only has to make one mistake and the defender will catch it?
2. Trust nothing. Start with the premise that everything is untrusted and establish trusted relationships between users and applications in a granular and controlled way. This is the heart of a whitelist model.
3. Build tighter and tighter segmentation around smaller and smaller attack surfaces. The biggest challenge to granular segmentation has been complex and fragile networks, firewall rules, and outdated application-entitlement strategies. The smaller the surface, the less damage. The tighter the segmentation, the fewer false positives.
4. Make security part of the application life cycle. Today security is most frequently added after applications are built. What happens if developers are equal participants in security? Eliminate the false boundaries among application, infrastructure, and security teams. From a security perspective, all three groups must work hand in glove.
5. Decouple and automate. Infrastructure security has enormous benefits in most security approaches but it comes with two distinct disadvantages: what happens when you don’t own the infrastructure (e.g., AWS), and what happens when you do not want to upgrade your infrastructure to keep up with your security needs. Moreover, security that requires detailed oversight and management of every command by human middleware is bound to fail. Computers (and a lot of math) were instrumental to the moonshot program. Algorithms and machine learning will play a role in our cyber future.
6. Manage both sides of the equation: applications and clients. Today people see end-point and infrastructure security as two separate issues. Through Adaptive User Segmentation, it is possible to fuse these two areas and make data center computing more secure. Do not create gaps in protection.
7. Make security part of the business, not just IT. A lot of pundits talk about Board of Director oversight of IT security. Having been a board member several times in my career, I agree it is a key area of risk that boards must monitor. But long before Board oversight of cyber needs to occur, management teams must make it a priority. Where is it baked into the reward system of an executive team? Which of the CEO’s direct reports owns cyber end-to-end for a business?
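As an added illustration of points 2 and 3 (this is not code from the original post or from any vendor's product), the Python below evaluates a default-deny, application-centric allow-list against a handful of observed flows and compares its exposed paths with a coarser infrastructure-style rule set. Every application label, port and flow is constructed for the example.

```python
"""Default-deny (allow-list) segmentation check over sample flows.

Added example; all application labels, ports, rule sets and flows are constructed.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Flow:
    """One observed connection between two application labels (constructed)."""
    src_app: str
    dst_app: str
    port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    """An explicit allow rule; src_app may be '*' to permit any source."""
    src_app: str
    dst_app: str
    port: int
    proto: str = "tcp"

    def matches(self, flow: Flow) -> bool:
        return (
            self.src_app in ("*", flow.src_app)
            and self.dst_app == flow.dst_app
            and self.port == flow.port
            and self.proto == flow.proto
        )


# Tight, application-to-application allow-list: only the named paths exist.
TIGHT_RULES = (
    Rule("web", "api", 8443),
    Rule("api", "db", 5432),
    Rule("api", "cache", 6379),
)

# Coarser, infrastructure-style allow-list that opens the data tier to any source.
LOOSE_RULES = (
    Rule("web", "api", 8443),
    Rule("*", "db", 5432),
    Rule("*", "cache", 6379),
)

# Known application labels in this constructed environment.
APPS = ("web", "api", "db", "cache", "jumphost")

# Constructed sample of observed flows, including two that should never occur.
SAMPLE_FLOWS = [
    Flow("web", "api", 8443),
    Flow("api", "db", 5432),
    Flow("web", "db", 5432),          # web tier talking to the database directly
    Flow("jumphost", "cache", 6379),  # admin host reaching the cache
    Flow("api", "db", 3306),          # right pair, wrong port
]


def is_allowed(flow: Flow, rules: Iterable[Rule]) -> bool:
    """Trust nothing: a flow passes only if some rule explicitly matches it."""
    return any(rule.matches(flow) for rule in rules)


def evaluate(flows: Iterable[Flow], rules: Iterable[Rule]) -> Tuple[List[Flow], List[Flow]]:
    """Split flows into (allowed, denied). Denied flows are the ones to alert on:
    under default deny, a single unexpected connection is visible."""
    allowed: List[Flow] = []
    denied: List[Flow] = []
    for flow in flows:
        (allowed if is_allowed(flow, rules) else denied).append(flow)
    return allowed, denied


def exposed_paths(rules: Iterable[Rule], apps: Iterable[str]) -> int:
    """Count the distinct (src, dst, port) paths a rule set permits across the known
    apps. Fewer permitted paths means a smaller attack surface for the same workloads."""
    apps = tuple(apps)
    count = 0
    for rule in rules:
        sources = apps if rule.src_app == "*" else (rule.src_app,)
        count += sum(1 for src in sources if src != rule.dst_app)
    return count


if __name__ == "__main__":
    for name, rules in (("tight", TIGHT_RULES), ("loose", LOOSE_RULES)):
        allowed, denied = evaluate(SAMPLE_FLOWS, rules)
        print(f"{name}: {len(allowed)} allowed, {len(denied)} denied, "
              f"{exposed_paths(rules, APPS)} permitted paths")
        for flow in denied:
            print(f"  DENY {flow.src_app} -> {flow.dst_app}:{flow.port}/{flow.proto}")
```

The loose rule set lets the web tier and the admin host reach the data tier, so those flows never surface; the tight rule set denies them, turning the same connections into alerts, and permits three paths instead of nine for the same working application.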
Regaining control of the cyber landscape will not be easy. There is no magic bullet. But a steady plan that both builds on the best practices of today and anticipates and takes action for the world we are moving into presents the last best hope for creating trust again in IT.