security on command

Decentralize and provision security on-demand rather than on-command

casey pechan / 11.02.17

In Eastern Europe and the countries that used to belong to the Soviet Union, even after the collapse of their planning systems there has been persistent and widespread puzzlement that any society could aspire to prosperity without an overall plan. About two years after the breakup of the Soviet Union I was in discussion with a senior Russian official whose job it was to direct the production of bread in St. Petersburg. “Please understand that we are keen to move towards a market system”, he told me. “But we need to understand the fundamental details of how such a system works. Tell me, for example: who is in charge of the supply of bread to the population of London?” There was nothing naive about his question, because the answer (“nobody is in charge”), when one thinks carefully about it, is astonishingly hard to believe. Only in the industrialized West have we forgotten just how strange it is.
-Paul Seabright, “The Company of Strangers” (2004)

It goes against the grain to think that giving up control increases the power of a system, but again and again history teaches us that this is true. Whether we’re talking about planning an economy, a community, an IT infrastructure, or an algorithm, there are examples abound of how detailed planning and control lose out to creating rules and structures that allow a solution to grow.

Top-down economies, from those driven by communist ideology to those driven by dictatorial fiat, (think the USSR or more recently, Venezuela) have all collapsed in time due to their overzealous control. Overly planned and controlled communities can end up constraining, harming, or imbuing their members with a sense of incomprehensible ennui. Even at the level of the algorithm, the rise of machine learning as a technique shows how setting criteria and allowing an evolving answer to improve often beats structured attempts at designing a solution.

In the world of IT, the increasing importance of speed of development and deployment has led to cloud computing, shadow IT, and an explosion in the number of systems that support this innovation. This proliferation of systems, along with the complexity of their relationships, has disrupted centralized control in favor of organic growth. And those standing in the way of change are removed, or the business itself is outcompeted. The efforts of computer security professionals suffer from the same trends, and we must get out ahead of them and intentionally relinquish a level of centralized control – and instead insert ourselves into the cycle of innovation – to thrive.

There’s a breaking point in the complexity and numeracy of systems beyond which centralized control becomes inefficient, impractical, and then impossible. Think of the Soviet Union’s puzzlement when it came to the UK’s ease in having an abundance of bread available in bakeries, grocery stores, and restaurants. The lack of regulation allowed bread to become commonplace through several outlets, rather than regulated through a tightly controlled (and slowed down) funnel.

Security and compliance is typically a relatively small function within an organization, and even getting a limited number of systems and actors to be relatively secure was a challenge in the past . As the number of systems explodes, centrally managing security becomes even more hopeless and impossible than before. Instead we need to turn to security as a service, and as an environmental requirement whose lack will cause rejection by the environment. Security controls must be easily included or leveraged on-demand rather than on-command.

In creating a security platform for modern infrastructures, CloudPassage has designed a system that decentralizes and removes friction from the provision of security. It’s feather-light on workloads to avoid affecting performance. It leverages the cloud to scale processing and management invisibly and effortlessly. It allows automatic provisioning of controls via code, letting that definition reside in the same repositories that track the code and the definition of the infrastructure needed for the workload. Properly implemented, it makes security easy, fast, scalable, and transparent, so that it becomes almost as simple as adding a library. Imagine that you could add security to your application as easily as you can add a library to facilitate http requests.  “>>> import requests”. “>>> import security”.

In a modern environment, controls that validate and monitor for proper security shouldn’t be a burden, nor should they be imposed manually or added after the fact by the security team. Using CloudPassage, checks are built into the CI/CD pipeline, checks that make sure changes don’t break the codebase, and simply warn, alert, or fail when builds get merged. And while the code runs, controls continue to provide telemetry on the workload without slowing it down. With this architecture, security scales naturally and without any extra effort along with the workloads, and while information about security is still centralized for reporting, auditing, and monitoring, implementation of security is decentralized and organic – a service available easily and on demand.

Who wants the job of controlling the bread supply? It’s a tricky balance – to ensure supply, distribution, and quality. And it turns out that as even simple systems grow, it is far more effective to set rules than to control the whole process. In the end, the latter becomes effectively impossible. Who’s in charge today of the supply of security to your applications? What kinds of challenges do they have, and how are you addressing them? And what kind of solution are you looking for?