Attackers always have the upper hand on the information security battlefield. They can test their attacks over and over just as Luke Skywalker and the Rebel Alliance did with the first Death Star. Although the Death Star practiced defense in depth, its own complexity (and a single fatal flaw) brought about its downfall.
IT security is no different. We operate complex infrastructure with a myriad of entrances and exits that allow users to do their work. Application developers and system administrators must keep pace with attackers to prevent the next breach.
Defense becomes much easier when people, process and technology work in tandem. That’s easier said than done:
- People will still click on phishing emails, no matter how much training they receive.
- Process will always be circumvented when it stands between an employee and a solution for a customer.
- Technology will always have vulnerabilities.
For many organizations, a new strategy is needed to wrestle with this problem: make security invisible. That sounds great on paper, but what does it mean in practice?
Humans will inevitably make mistakes. George Bernard Shaw once said: “Success does not consist in never making mistakes but in never making the same one a second time.” We should all learn from our mistakes, but even that first one could lead to a security incident. If a company of 500 people allows each one to make one security-related mistake, it could be very costly.
What if there was a way to prevent someone from putting themselves in a position to make a mistake?
In many companies, simply saying the word “process” will clear out a room. Organizations use process to reduce risk and variance. Excessive processes create burden for employees and they eventually find a way around them. This always reminds me of Dr. Malcolm’s famous line in Jurassic Park: “Life, uh, finds a way.”
It’s no secret that we depend upon technology during every moment of our modern lives. Technology gives us flexibility in our life, but it is also the most rigid weapon we have in our arsenal for security. I’m not asserting that being rigid is equal to being secure, but being rigid means that one plus one always equals two. Our technology does what it is programmed to do — no more and no less.
We can enforce processes with technology and prevent the users from being in a position to make a mistake. The process burden does not disappear, but it becomes clearer and enforceable. How can we reduce the burden but keep the process? It’s called secure-by-default.
More technology embraces the secure-by-default strategy now than ever before. Our mobile phones often have encryption enabled by default, we rely on more factors for authentication, and the Chrome web browser puts each tab into its own sandbox. These security layers protect users from known and unknown threats without their knowledge.
Application developers need a way to deploy applications securely, but they are often not security experts. Technology must provide a way for an application developer to hand off their software to a system and have that system operate the software in a secure way.
Virtualization technologies, especially containers, are surrounded by other technologies that provide strong security controls by default. Linux systems automatically apply capability restrictions, namespace isolation and mandatory access controls to these virtualized instances. These controls deliver security benefits right from the start and they allow for customization at any time.
In summary, technology works best when it prevents people from ever being in a position to make a mistake. The most successful technology enforces processes without placing a burden on the people that use it. I’m always eager to find technology that goes beyond this and decreases risk while enabling users to be more productive.
Find out more about how to protect your brand with the security of LinuxONE.