In 1950’s Harry Harlow at the University Wisconsin conducted a series of ground breaking experiments. The subjects were infant monkeys separated at birth from their mothers. Devoid of parenthood, put in a cage, the researchers watched as the infants were frightened by strange, loud sounds and objects. In the experiments, the two surrogate mothers were wire tubes each with a milk bottle. The twist was that one tube was wrapped with soft terry cloth. On hearing the frightening sounds, the baby monkey will run and hug the terry cloth surrogate. Leaving aside the ethics of the experiment, it illustrated our deep rooted desire for safety and nurturing.
Security (safety) is one of the defining elements of human behavior (see Behavioral Prism) and controls our deepest thoughts and actions. But in today’s modern world it has been greatly compromised. Why? Because no technology is perfect. Each leap of innovation advances our dependency on technology and paves the way for it to be misused. The truth is that as individuals our footprint has spread to unknown recesses of data centers, in multitude of connected devices and we have become passive victims. The threat against our privacy and data is real and is now.
The unsurprising truth is that organizations and consumers are target of data security attacks. According to a survey conducted by IDC, 23% of the organizations had fallen victim to ransomware, 22% to IoT breach and 23% to DDoS. Another survey found that the primary motivation for these attacks is to get monetary gains.
How do the malicious actors breach the security barriers ?. They employ one of the six attack vectors. An obvious one is to garner access to a device – physically and then use various tools to pry it open and access its content (example reading from an unencrypted storage hard drive). While on the other hand a large number of break-ins occur through remote access by reverse engineering user/admin passwords. Another very common technique is to use psychological pressures (social engineering) to force users expose their computer systems and personal data. Lastly, the most sophisticated attacks leverage the inherent engineering flaws in software and hardware designs. In many instances, several of these attack vectors are used in a cascade manner.
The security term can mean different things to different users. For web administrators it is protecting passwords, for banks it is ensuring un-compromised transactions, for health providers it is ensuring patient privacy and for IT security it means plugging and closing breaches.
However, we must step back and first take a high level view of what it means to secure anything. There are three end goals for any security task, these are ensuring PRIVACY, preventing THEFT and eliminating take over by ROGUE-WARE (bad software). I call these them as 3-Pillars of Data Security. All the different use cases fits within this model. Security ecosystem aims to serve one or more of these 3 overarching objectives.
3 – Pillars of Data Security
Massively Growing Business
What we have witnessed is the tremendous growth in products and services that offer to secure the data infrastructure (IT security). According to Gartner, IT security is a $120B business and growing steadily. The IT security is served by a broad ecosystem (not included in the chart below) which includes the providers of ASICs, Intellectual property, storage devices and physical security, which when all taken into account dramatically increases the overall security market size.
IT Security TAM and Growth
Security is more than simply securing IT infrastructure. It permeates into many different verticals and end products like phones, smart speakers, industrial controls, transportation machines and healthcare devices. Security needs will continues to rapidly advance as the magnitude of interconnected devices grow multi-fold. This multiplies the access windows that the attackers use to break-in.
It behooves us to put into context various terminologies used in the world of security and to create an integrated inter-relationship map. We start by defining Threat Landscape which is the path of attack,
- Cyber Security Threats – Remote threats launched using a network/internet connection.
- Physical Tampering – A traditional way of attack by breaking open areas where precious objects or data is kept. Example, stealing a hard drive from a portable computer.
- Digital Tampering – A more advanced version of Physical tampering where after getting access to a product, its security is bypassed through re-wiring or some other electronic means. Example, hacking a diagnostic port to take control of software running in a phone.
Next, we define the Infrastructure to be Protected , these include
- End points – devices that are used by consumers (phones, sensors, thermostats), industrial complexes (sensors, robots, controllers), transportation (cameras, traffic lights).
- Compute/Storage – Traditional IT enterprise and consumers including servers, computers and storage devices.
- Network – Broadband and cellular networks connecting homes, offices, endpoints and data centers to the outside world.
The security teams are structured to solve problems in one of three dimensions. I refer them as Types of Security Solutions
- Facility Security – Easiest to understand, physical guards or cameras to secure buildings perimeter. Now ecosystem is evolving with the deployment of drones. This is creating a big needs to store and interpret video feed from cameras.
- Information Security – Protecting data within the enterprises and data centers – Compute, Storage and Network
- Product Security – Ensuring that electronic devices have built-in security measures to prevent outside attackers from taking control. Product security strengthens IT security.
Around security is a wide ecosystem of Governance – standards, regulations and certifications. A further complexity in solving the security challenges comes from an ever increasing number of Use Cases across different operational Environments. An illustration of complexity would be credit card payment to a vending machines which is connected through a mobile network located in a retail outlet.
Data security is about safeguarding data both at rest and in flight. It involves several pieces from the Security Framework to achieve the desired objective.
A successful data security strategy involves deploying a three pronged approach. These are
- Access Protection (AP) – Preventing unauthorized access to user accounts.
- Data Protection (DP) – Make the data un-intelligible in case it falls into the hands of malicious parties.
- Breach Protection (BP) – Prevent external breaches into the system and if prevention fails, then quickly detect and quarantine the threat.
One of the biggest challenges, that I see even among the Security experts is a lack of big picture understanding. Security works best when the practitioners learn to view the whole system and then tune the individual pieces to provide the strongest protection.
System View of Data Security
Within this broad system is a very diverse ecosystem of thousands of companies. A new startup or security provider may decide to pick one or more places to build a product. For example, Identity and Access management (IAM) which falls in to the dimension of Access Protection (AP) can be done as an application sitting on a remote server. More sophisticated solutions will do deeper integration by embedding intelligence deep inside ASIC and Firmware (like encrypting the passwords using IP built into ASIC). Similar approach can be deployed for Data protection (encryption), it can be done using general purpose processor (Intel’s Xeon) by an application or the application can leverage a specially designed ASIC.
Security as a technology is for all times. An organization that can deliver the comfort of safety in all of their products and services will maintain an insurmountable advantage.
The key to future winners will be the ability to provide a frictionless and integrated security approach. And this requires a great deal of system understanding, vertical integration, use case driven solutions and anticipating the next threat vector. The challenge cannot be solved by ad hoc engineering or half hearted measures.
An organization must strengthen and redesigned its Security framework. The first and necessary step for a product organization is to build a team of security experts. An ideal framework is to organize the activities with a central Security Center of Excellence (SCoE). This organization must work cross-functionally with all business units. The SCoE should be led by a Chief Product Security Officer (CPSO). Under the CPSO leadership, the SCoE must carefully secure the foundations of products and services. It must be independent of product engineering and business teams to ensure utmost freedom in decision making.
Framework of Security Center of Excellence (SCoE)
SCoE charter must include;
- Vision leadership on security
- Build brick by brick uniform Security Policies for all products and business units.
- Participate and advance Security Standards.
- Companywide spokesperson to the outside world.
- Identify new use cases, solutions and threat vectors.
- Development Leadership
- Create and deliver Security IP to product teams.
- Enforce adoption of Security IP and policies across all products and BU’s.
- Prototype new security ideas and technologies (example using AI and Blockchain).
- Enforcement Leadership
- Ensure and enforce compliance with world wide regulations and certifications.
- Engage 3rd parties for security reviews and validation.
- Ensure consistency across products and services.
There is an increasing demand to secure our privacy and to safeguard our data. The industry together has accomplished tremendous feats of engineering. But we must not rest on our laurels. Today, a lot more is expected from our customers and users, and we must not let them down in this battle to be one step ahead of the threat.