The Rising Tide and the Case for Security Optimism
Continuing with the theme of raising the baseline by reducing the cost of control, the next logical progression is that the faster you do this, the better off you will be. The good news is that many service and product vendors - not just the major cloud providers - are converging on a clearer alignment of security with their business models. Their security increases over time, so the quicker you can catch and stay on this rising tide, the better. Hence, speed of adoption of features and upgrades may become the most important security metric.
To be clear, I’m not delusional: security is not in all cases getting better as fast as we need, and some vendor business models are clearly "ship first, secure later". But I do think that, overall, the tide is turning. Some vendors are better than others across security models, assurance, and features. Some are, perhaps most importantly, implementing those in ways that support developers and maintain as much backward compatibility as possible.
This is especially the case for cloud services, where at least the hyper-scale providers are constantly adding new and better security features. This is not just because of customer demand but also because of the global visibility they have into attacks on themselves and their customer base. Additionally, the most aggressive demand signals they get for security capabilities come from the most threatened and security-attuned customers across the defense industrial base, financial sector, pharmaceutical industry, and many others. If you’re one of the larger proportion of customers that don't have the resources to drive security, then you just need to sit back, take every upgrade you reasonably can, and let the rising tide lift you up. As a security community we've often talked about the need for a digital immune system; this might be the beginnings of that. If wired in the right way, the same cycle goes for product vendors, open source projects, SaaS services and more.
However, you should be rightly cynical when you see phrases like "you just need to sit back and take the upgrades". The problem is that most organizations don’t take advantage of new features anywhere near as fast as they should, because of the time, effort and operating risk of doing the upgrades. This is going to need more work on all sides. Organizations need to get better at allocating time and budget for preventative maintenance to keep environments up to date - to adopt those new security (and possibly other) features. But, more importantly, product and service vendors need to get better at introducing features in ways that are easy to deploy and that come with the right tools and processes to manage the upgrade. There will also need to be a lot more collaboration on architectural refits to reduce the intrinsic dependencies that make upgrades harder. I suspect most of you have had to deal with the painful pattern of switching on a security feature that then breaks a protocol needed to connect to another critical system, which in turn can't be upgraded because doing so would require yet another dependency to be upgraded. These issues in our legacy environments are going to take some real digging out of, but it's going to be necessary work.
If we believe things are going to keep getting better, and that our speed of adopting those improvements is core to what we do, then we need some new foundational tenets for a better future security state:
Constant security upgrades. Vendors should constantly be adding new security capability (features and assurance) based on learning from attacker tools, techniques and procedures in their ecosystem and from customer demand.
Ambient control. Security capability should be ambient - on by default and non-interfering with other features except in transparent and manageable ways.
Field upgradable. Vendors should focus on making upgrades easy, or at least well supported, so customers can painlessly transition to take advantage of those capabilities.
Reciprocity. We are all someone’s vendor, and we’re all, no matter what industry, a provider of technology services, software, and APIs to our customers. So turn these tenets inward and apply them to yourself.
Speed is the truest security metric. The new primary role of a security organization is to make your environment amenable to slip-streaming upgrades into it as fast as possible. The Board’s most significant risk metric could be the pace of environment upgrade. Find and eliminate stagnant systems.
These don’t just apply to security - the same argument could be made for other capabilities like reliability and performance. But we have to be careful about the security and operating risk trade-offs of taking upgrades at the bleeding edge, so there’s an “efficient frontier” to be discovered for every organization.
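To make "pace of environment upgrade" and "stagnant systems" concrete, here is an added example (my own illustration, not code from the original post) that computes a fleet-level upgrade-lag metric from a constructed inventory. The product names, versions, release histories and the 180-day / one-release tolerances are all hypothetical; the tolerances stand in for the organization's own efficient-frontier thresholds.

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class System:
    name: str
    product: str
    running: str          # version currently deployed
    last_upgraded: date   # date of the last applied upgrade


# Constructed vendor release history per product, oldest to newest (hypothetical).
RELEASES = {
    "gateway": ["3.1", "3.2", "3.3", "3.4"],
    "db": ["12", "13", "14"],
}

# Constructed inventory (hypothetical systems, not real data).
TODAY = date(2024, 6, 30)
SYSTEMS = [
    System("edge-01", "gateway", "3.4", date(2024, 5, 15)),   # current
    System("edge-02", "gateway", "3.2", date(2023, 9, 1)),    # stale and behind
    System("db-01", "db", "14", date(2024, 3, 1)),            # current
    System("db-02", "db", "13", date(2024, 1, 10)),           # one behind, within tolerance
    System("legacy-01", "gateway", "3.1", date(2022, 11, 20)),  # stagnant
]


def versions_behind(product, running):
    """Number of vendor releases the running version trails."""
    releases = RELEASES[product]
    return len(releases) - 1 - releases.index(running)


def upgrade_lag_days(system, today):
    """Days elapsed since the system last took an upgrade."""
    return (today - system.last_upgraded).days


def fleet_metrics(systems, today, max_days=180, max_behind=1):
    """Pace-of-upgrade view: median lag plus the set of stagnant systems.

    A system is stagnant when it exceeds either tolerance: too long since its
    last upgrade, or too many releases behind the vendor's current version.
    """
    lags = sorted(upgrade_lag_days(s, today) for s in systems)
    median = lags[len(lags) // 2]
    stagnant = [s.name for s in systems
                if upgrade_lag_days(s, today) > max_days
                or versions_behind(s.product, s.running) > max_behind]
    return {"median_lag_days": median,
            "stagnant": stagnant,
            "stagnant_pct": round(100 * len(stagnant) / len(systems))}
```

Running `fleet_metrics(SYSTEMS, TODAY)` flags `edge-02` and `legacy-01` while leaving `db-02` alone, since it is only one release behind and within the day tolerance.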