Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Security Infrastructure

An Occam’s Razor for Security: Less is More

“It’s not the daily increase but daily decrease. Hack away at the unessential.”–Bruce Lee

The rapid growth of innovation in cybersecurity technologies has presented a nearly endless range of new security offerings to address vulnerabilities in our computing environment. But what happens if more is not better?

“It’s not the daily increase but daily decrease. Hack away at the unessential.”–Bruce Lee

The rapid growth of innovation in cybersecurity technologies has presented a nearly endless range of new security offerings to address vulnerabilities in our computing environment. But what happens if more is not better?

In the data center and public cloud infrastructure world, the layering of technology at the perimeter—sometimes called defense in depth—has a followed a progression from the perimeter firewall to IDS/IPS to APT technologies, just to name a few waves of innovation. While all are important building blocks in protecting the data center edge, an increasing amount of attacks come from the inside out, not the outside in. Human error, malware, and hackers have presented a growing recognition that more focus is needed on the inside of the data center.

Take the diagram below: can you find the offending server? Would perimeter security technology capture an attempted port scan within the data center interior?

Map of Port Scan

So we should put more technology inside, right? Maybe not.

One of the key security insights the past decade has shown is that adding more technology—particularly adding more layers of infrastructure technology inside the data center—may actually create more harm than good. To wit, if you spoke to any CISOs at the recent RSA conference (warning: tongue-in-cheek comment ahead) they can feel as much under siege from new vendors as from bad guys.

Organizations already have a large amount of infrastructure and security technology to manage. Infrastructure technologies like firewalls create both complex traffic steering as well as “policy debt.” Ask a large business about its firewall rules: how many do you have? How often do you decommission out-of-date rules/policies? How do you feel about the things you do not know? Trust me, this is rarely a pleasant conversation.

If a company is at least 25 years old, its infrastructure is a little like Rome: it is built on layers of technology.

Advertisement. Scroll to continue reading.

Infrastructure History

Visiting Rome, you can see many examples of how one society builds on top of the previous (on your next trip, take a look at Bernini’s Elephant outside of the Hotel De Minerve near the Pantheon). If you look in a modern data center, you will see the multiple layers of technology co-existing as well.

One common refrain now is to virtualize your compute stack to better protect it (i.e., gain isolation and security from the hypervisor). There are a lot of good operational benefits to running software on virtual machines, but is rewriting and migrating your servers the right answer all of the time? What happens if you want to move from bare metal to containers and skip the virtualization step? In the past, applications had to fit the infrastructure—remember WinTel, when Intel created a chip and Microsoft figured out how to maximize its utilization.

Today it is the opposite, security and infrastructure vendors now have to chase applications, not the reverse. The computing world is too complex, too heterogeneous for today’s infrastructure-only security answers. I might use bare metal for transaction processing, VMs in the cloud for web servers, and containers for my development organization. How does security work across those environments?

Security technologies that force more—or lock in existing—infrastructure into the data center are increasingly untenable as computing evolves along with the notion of what a data center is (e.g., AWS, Azure, Google Compute).

It is time to look at ways to take advantage of what already exists, rather than always adding an additional layer of complexity that has to be managed. If I add more chokepoints, including virtual devices, I add more things to be managed and more traffic that requires steering. How does this help over-taxed infrastructure and security teams keep up?

What happens if I can activate security controls that are already available everywhere inside my data center and cloud, then marry them to my other security investments? By utilizing security technologies that are “invisible” to the infrastructure, I can reduce, rather than add to, IT and security’s burdens. What happens if my compute plant became an activated citizenry in its own protection?

Using security technologies that activate existing security controls rather than simply layer in new devices follows Occam’s Razor, the teachings of a 14th-century English logician who suggested entities should not be multiplied unnecessarily. Simply said, less is more.

Coming up next, An Occam’s Razor for Security Part 2…

Written By

Alan has been a successful entre­pre­neur, technology executive, and board member for over 25 years for a range of iconic companies, including DCVC-backed Illumio, Nicira (acquired by VMware), Airespace (acquired by Cisco), Cisco (where he led the $25 billion enterprise marketing and solutions orga­ni­za­tion), General Growth Properties, and IBM. He has authored over 200 articles, undertaken over 1,000 press interviews, and delivered over 100 keynotes at industry conferences. He received a bachelor’s degree in English from SUNY Buffalo, a master’s degree in English from the University of Vermont, a master’s degree in inter­na­tional affairs and economics from the American University School of Inter­na­tional Service, and an MBA from New York University.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Discover strategies for vendor selection, integration to minimize redundancies, and maximizing ROI from your cybersecurity investments. Gain actionable insights to ensure your stack is ready for tomorrow’s challenges.

Register

Dive into critical topics such as incident response, threat intelligence, and attack surface management. Learn how to align cyber resilience plans with business objectives to reduce potential impacts and secure your organization in an ever-evolving threat landscape.

Register

People on the Move

Gigamon has promoted Tony Jarjoura to CFO and Ram Bhide has been hired as Senior VP of engineering.

Cloud security firm Mitiga has appointed Charlie Thomas as Chief Executive Officer.

Cynet announced the appointment of Jason Magee as Chief Executive Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.