FEATURE
Ensuring resilience
MIKE LLOYD, CTO, REDSEAL,
outlines why, when it comes to
resilience, it’s crucial to have the
basics covered.
When thinking about risks to data
centres, I’m reminded of an old bank
robber story – when asked why he
robbed banks, he replied ‘because that’s
where the money is’. It’s always good to
think like an attacker.
The people who build applications
inside data centres may appreciate
the benefits of security, but they tend
to think about it narrowly. They focus
on how to secure the aspect they are
familiar with – if they understand users,
they think a lot about single sign-on and
federated identity, which is great, but
it’s not the whole of security.
Likewise, the people most familiar
with databases tend to think about the
problem in database terms – row-level
and column-level access controls, etc.
All this siloed thinking, though, tends
to make a data centre with a scatter of
security ideas sprinkled around it, but no
coherent overall design.
Imagine a corporate building built in this
haphazard way, where some people lock
their file cabinets, but others don’t, some
labs have security and some don’t, and
all the while, the building has no badge
readers at the edge, because nobody
was thinking about the big picture.
Security failures are almost always
about gaps. As the crypto nerds have
found, the security arms race really
isn’t about evil genius hackers breaking
yesterday’s cipher math, forcing us up
to a new mathematical level. Instead,
real database breaches happen because
someone exposed their AWS bucket to
the Internet, when it was only supposed
to be reachable internally. Security, or
the lack of it, is all about defensive gaps.
This means the only viable defence is
to think about the system as a whole,
identify gaps and prioritise them.
Narrow thinking about one control or
one security technology won’t work –
the attackers will just find a path in that
evades your elaborate control. Breadth
is far more important than depth. It’s
far more important to check that every
basic control has been implemented
consistently, than to get into depths of
the countermeasure of the month.
In a sense, this is good news – if you
need to increase the defensive posture
of a data centre, your best next step is
almost certain to be a simple one, where
some of the Centre for Internet Security
(CIS) Top 20 basic controls are not in
place or not being used properly.
The hard part is consistency – humans
are not that good at being thorough and
if you only lock 99% of the doors, the
bad guys will find that other 1% through
simple persistence.
Attackers use automation to search out
any corner of your data centre that is
weak and so the defenders need to use
automation too, to find the defensive
gaps before they are exploited.
This means looking at the whole
environment, end to end and checking the
basics – is the inventory complete? Are
the access controls enforced consistently?
Do you have a pre-set plan to shut down
or isolate any asset that proves to be
compromised? Being resilient in the
face of cyberattacks is about doing the
basics well.
Issue 17 | www.intelligentciso.com