Security = Friction.

The more secure you make something, the greater the friction, right?

Security is always paid for in cadence, innovation and agility. The art is in finding a balance: a point at which you operate within risk appetite whilst continuing to support business objectives and empowering consumers to innovate and scale at pace.

Proportionate Security

You would not leave your front door unlocked when you go out, or your car door open with the keys in the ignition when you pop to the shop. Such conventions are commonplace because the overhead of the physical act of locking a door is considered proportionate to the likelihood and impact of not doing so.

Some homeowners may even consider a secondary, more substantial lock, and perhaps external cameras, based on their own experiences or those of their neighbours, the local crime rate, or simply the value of the goods they are trying to protect. When deciding what constitutes appropriate home security, we evaluate the friction of implementing such controls. How much does it cost? How easy is it to install and maintain? Is it a pain to activate each time I go out?

We all perform a subconscious risk assessment, weighing the friction of a control (cost, ease of implementation and use) against the likelihood and impact of going without it (could someone steal my new bike?) :)

Interestingly, 20 years ago few of us would have considered CCTV a viable option for securing our home. Yet a growing number of us have now bought internet-connected cameras and smart doorbells. Why? Because the friction of purchase, installation and operation has reduced significantly in recent years (think Google Nest Cam or Ring doorbells... easy!).

Control vs. Agility

The security of your business assets is crucial. Security is (or should be) everywhere, embedded throughout your organisation, not just in the form of tangible controls but also culturally.

So, if security is everywhere, it is imperative that we understand the impact of the security decisions, governance processes and frameworks we adopt and impose on wider business objectives. We should actively seek out architectures, techniques, processes and behaviours that promote safe and secure operation (within risk appetite) whilst remaining mindful of any resulting detrimental impact on business innovation, agility and cadence.

How does Security secure the business whilst finding a way to get out of the way? Tricky stuff!

So, how much security is enough security?

Firstly, there is unfortunately no single right answer to this conundrum. It is all too easy to get carried away and impose excessive security process and governance simply because you can.

For each step in the security, risk and compliance journey, we need to revalidate its remit and ask whether it still serves the purpose for which it was implemented. Does it actively reduce risk? Does it? Really? Is the resulting friction proportionate to the net security value realised?

Actively avoid process for process's sake and large forums with too many voices. Is there a better way? Can your security processes be streamlined? Security processes, like all processes, should be revisited and revalidated regularly.

What worked once...?

Things change. It perhaps once made sense for all firewall changes to be handled by a single, central security team for review, approval and actioning. However, once you move to Cloud, to decoupled, containerised microservice workloads and to zero-trust principles, this soon becomes untenable. Rather than a handful of firewall rules covering flows between large, flat network zones, in a zero-trust topology every service-to-service flow needs its own explicit policy. That order-of-magnitude increase in the number of policies should make us think differently about how we assure this previously centralised control.

Human-Free Deployment

The easiest way for Security to get out of the way is to remove human Security "approvers" from the infrastructure and application deployment path and replace them with automation and automated policy enforcement.

Cloud, DevOps and Infrastructure-as-Code afford the opportunity to build automated deployment pipelines in which security compliance configuration is monitored and enforced without human intervention. Security-as-code!

Build a continuous compliance framework that defines, monitors and enforces "good" configuration, whilst empowering your application and engineering teams to feed and water their own infrastructure stack. You don't need to sign off on every storage bucket built, or review and manually approve every firewall rule. What you need is a robust compliance framework that only permits compliant configuration. Enforce it at two points: a pipeline gate that rejects a non-compliant plan before anything is created, and continuous monitoring of what is already running, so that drift or a change made outside the pipeline is caught too. Ultimately the net result is the same (storage, network and compute resources configured exactly how you want); the difference is that you got out of the way and encouraged innovation and cadence at scale.
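As an added example, not code from this article, here is a minimal policy-as-code gate in Python of the kind such a continuous compliance framework would run in a pipeline against an Infrastructure-as-Code plan; it also shows the per-target scoping a zero-trust topology demands of the firewall rules discussed in the previous section. The plan format, resource types, attribute names and rule IDs (BKT-*, FW-*) are simplified, constructed assumptions loosely modelled on a Terraform plan for Google Cloud, not any provider's real schema.

```python
"""Policy-as-code gate over an Infrastructure-as-Code plan (added example).
The plan format, resource types, attribute names and rule IDs below are
constructed assumptions loosely modelled on a Terraform plan for Google
Cloud; they are not any provider's real schema."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}
ADMIN_PORTS = {22, 3389}        # SSH and RDP
ALL_PORTS = (0, 65535)


@dataclass
class Finding:
    resource: str
    rule: str
    message: str


def _port_ranges(ports: list[str] | None) -> list[tuple[int, int]]:
    """'22' -> (22, 22); '1000-2000' -> (1000, 2000); no ports -> every port."""
    if not ports:
        return [ALL_PORTS]
    ranges = []
    for spec in ports:
        lo, _, hi = spec.partition("-")
        ranges.append((int(lo), int(hi or lo)))
    return ranges


def check_storage_bucket(res: dict) -> list[Finding]:
    """A bucket must not be public and must not allow per-object ACLs."""
    name, a = res["name"], res["attributes"]
    findings = []
    public = PUBLIC_PRINCIPALS & set(a.get("iam_members", []))
    if public:
        findings.append(Finding(name, "BKT-001", f"IAM grants to {sorted(public)}"))
    if a.get("public_access_prevention") != "enforced":
        findings.append(Finding(name, "BKT-002", "public_access_prevention is not 'enforced'"))
    if not a.get("uniform_bucket_level_access", False):
        findings.append(Finding(name, "BKT-003", "uniform_bucket_level_access off; object ACLs could re-open access"))
    return findings


def check_firewall_rule(res: dict) -> list[Finding]:
    """No admin/all-port ingress from anywhere; every rule scoped to a target."""
    name, a = res["name"], res["attributes"]
    findings = []
    if a.get("direction", "INGRESS") != "INGRESS":
        return findings
    # A /0 source (0.0.0.0/0 or ::/0) means "the whole internet".
    anywhere = [c for c in a.get("source_ranges", [])
                if ipaddress.ip_network(c, strict=False).prefixlen == 0]
    if anywhere:
        for rule in a.get("allow", []):
            ranges = _port_ranges(rule.get("ports"))
            exposed = sorted(p for p in ADMIN_PORTS if any(lo <= p <= hi for lo, hi in ranges))
            if exposed or ALL_PORTS in ranges:
                findings.append(Finding(name, "FW-001",
                    f"{rule.get('protocol', 'all')} ingress from {anywhere} reaches {exposed or 'every port'}"))
    # Zero-trust scoping: a rule with no target applies to every instance in the network.
    if not (a.get("target_tags") or a.get("target_service_accounts")):
        findings.append(Finding(name, "FW-002", "no target_tags/target_service_accounts; applies network-wide"))
    return findings


RULES = {"storage_bucket": check_storage_bucket, "compute_firewall": check_firewall_rule}


def gate(plan: dict) -> tuple[bool, list[Finding]]:
    """Return (passes, findings). Resource types with no policy pass through untouched."""
    findings = []
    for res in plan["resources"]:
        check = RULES.get(res["type"])
        if check:
            findings.extend(check(res))
    return (not findings, findings)


# Constructed sample plan: two compliant resources, two that must be rejected,
# and one resource type the policy does not cover.
SAMPLE_PLAN = {"resources": [
    {"type": "storage_bucket", "name": "app-logs", "attributes": {
        "public_access_prevention": "enforced", "uniform_bucket_level_access": True,
        "iam_members": ["group:platform-team@example.com"]}},
    {"type": "storage_bucket", "name": "public-assets", "attributes": {
        "public_access_prevention": "inherited", "uniform_bucket_level_access": False,
        "iam_members": ["allUsers"]}},
    {"type": "compute_firewall", "name": "allow-internal-web", "attributes": {
        "direction": "INGRESS", "source_ranges": ["10.0.0.0/8"],
        "allow": [{"protocol": "tcp", "ports": ["443"]}], "target_tags": ["web"]}},
    {"type": "compute_firewall", "name": "allow-ssh-anywhere", "attributes": {
        "direction": "INGRESS", "source_ranges": ["0.0.0.0/0"],
        "allow": [{"protocol": "tcp", "ports": ["22"]}]}},
    {"type": "compute_instance", "name": "web-1", "attributes": {"machine_type": "e2-small"}},
]}

if __name__ == "__main__":
    import sys
    ok, found = gate(SAMPLE_PLAN)
    for f in found:
        print(f"[{f.rule}] {f.resource}: {f.message}")
    print("PASS" if ok else f"BLOCKED: {len(found)} finding(s)")
    sys.exit(0 if ok else 1)   # a non-zero exit is what fails the pipeline stage
```

In a real pipeline the gate reads the provider's actual plan output, a non-zero exit blocks the merge or apply, and the same rule functions run on a schedule against deployed state so drift is reported the same way. The human review moves from every individual change to the rules themselves.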

Security will always result in some friction, one way or another, but we should actively seek to reduce it where we can.

See associated Blog post here.
Andreas Schneider

Experienced CISO, Keynote Speaker and Advisor for modern Cyber Security

2 years ago

Ryan, this is a fantastic read, thanks! I tell this every day and I call it the clash of security beliefs (from on-prem CISO to Cloud Security). And I totally agree with you, cloud (especially the non-human deployment and IaC) allows a different and much faster way of applying security. I've set up many "DevSecOps" teams (knowing that this is just a buzz word) where we embedded security everywhere from threat modelling up to bug bounty programs. The main shift I did was trust instead of control. So we sat together with the Engineering/Dev teams + PO and worked out a path to running a public bug bounty. They then found their own way and acceptable controls that I as a CISO sponsored. This mostly was SAST, DAST, IaC scanning, cloud security, ... So everything I would have required them to do. But they did choose different tools than I thought (more dev friendly).

Anggoro Basuki, CISM

Information Security Professional | Leadership | Business Continuity Enthusiast

2 years ago

My first impression about the title: Friction indicates that security becomes a show-stopper to business, an idea of the past. Yet I still miss the idea of removing the human reviewer or approver from the picture of automation. Automating the deployment of the control and its related components through life governance is crucial for success, like you say, yet it is talking about 80% of the whole process. The reviewer or approver is the remaining 20%, to complete the process, is it not? The automation definitely speeds it up. That is my view, I may be wrong ya...

Roger Whiteley

Senior Enterprise Architect at Legal & General

2 years ago

Good read Ryan thanks for sharing

Rob Stubbs

Follow me for Key Management, HSM, PKI, PQC & all things crypto.

2 years ago

Agreed, customer-defined security/compliance policies go a long way towards reducing friction. Security teams can configure these and then delegate usage to developers without getting in the way.

Simon Cross

Enterprise Security Architect

2 years ago

Nice article. I actually think that security needs to be considered a functional requirement of the system. Once this becomes the case we see the true value security creates. Take for example data protection in a SaaS platform: we choose to place enterprise assets in a shared platform for some kind of advantage it offers over an on-prem system, but we must maintain a competitive advantage over our competitors by ensuring the data is not compromised. Automating the deployment of the control and its through-life governance is crucial for success, like you say, but think of security as an enterprise enabler; it should be visible, actively discussed and continually improved.

More articles by Ryan Aldred

  • 2024 Wrapped
  • Google Cloud Next: Big on AI, Workspace Vids & "Low Code" Surprises!
  • Embed security culture, not people.
  • How much transformation is enough transformation?
  • Underlining. What? Why? Stop it!