Imagine a black hole suddenly appearing in the solar system; its gravity instantly warps the space and time in our celestial neighborhood, inexorably drawing all mass into itself. Closer objects are affected more strongly, with the closest whipping past the event horizon and disappearing from the observable universe. Farther objects are pulled on more slowly, but inescapably. As they come closer to the disturbance, with the gravitational field warping space along an exponential curve, their closest points are pulled away from their trailing edges, potentially ripping entire planets apart.
These are tidal forces: the same force that creates the tides and waves of our oceans, as the moon pulls the seas closest to it more strongly than those protected on the far side of the planet.
Black holes are a useful metaphor for disruptive innovations. Once one appears, it affects everything around it, and nothing looks the same at the end. And like the gravity of a black hole, tidal forces are a useful metaphor for understanding how these disruptions rip apart our conceptions, markets, and practices; slowly at first, then far faster as we approach the event horizon beyond which the future is always unclear.
I’ve talked a lot about disruptive innovation over the past nine years since starting Securosis: in blog posts, on stage at RSA (with Chris Hoff), and in countless other venues. All that research convinces me we are deep into a series of shifts that are shredding existing security practices and markets on a far more fundamental level than anything we’ve seen before, in large part because this is the first time we’ve had a profession and markets large enough for the forces to act upon in any meaningful way. If a market falls down in the woods and there aren’t any billion dollar companies to smash on the head, no one really pays much attention. Today we have an inertia that magnifies the impact of these disruptions.
To stick with my metaphor, I like to think of these disruptive forces as three black holes exerting their gravity over all of information technology. Security is only one of the many areas impacted, but it is also the only one I’m really qualified to discuss. There are also a series of emergent waves and interactions that complicate the model and could fill a book, but I’ll do my best to keep my focus on the most impactful trends. As I lay these out, keep in mind I’m not necessarily saying they eliminate security issues, but that they transform them.
- Endpoints are different, often more secure, and frequently less open: The definition of an “endpoint” isn’t nearly the same today as it was ten years ago. Laptop and desktop sales are stagnant as phones bring more power to your pocket than you had in your desktop when this shift started. Mobile devices are incredibly secure compared to previous computing platforms (in large part due to their closed system nature), while modern general purpose computer operating systems are also far more hardened (and compromised less) than in the past. I’m not saying perfect, I’m saying much better, with a higher exploitation cost, and continuously improving. Ask any enterprise security manager how their Windows 7-10 infection rates look compared to XP, never mind the effective complete lack of any widespread malware on Apple’s iOS. However, these devices are not only nearly completely inaccessible to large swaths of security vendors (monitoring and anti-malware), but those tools don’t really offer any value in preventing device exploitation. Combine these trends across both consumer and enterprise markets and we have a major consumer shift to phones and tablets that reduces the cash cow of consumer (and perhaps enterprise) antivirus, with clear indications that even the mandatory security footprint on traditional computers will be reduced over time, with ancillary effects on network security we will get into in a moment. Even the biggest fly in the ointment, the massive security issues of IoT, don’t play to “traditional” tools and practices.
- Software as a Service is the new back office: Email, file servers, CRM, ERP, and many other back office applications are rapidly migrating from traditional, on-premises infrastructure into cloud services. Entire fleets of servers we’ve dedicated massive amounts of budget to securing are being shut down and repurposed or decommissioned. When these migrate to a major, mature cloud service it often reduces security risk and costs. When they move to less-secure SaaS providers (most of the market) it requires a shift in security operations, skills, and spending. This transition also supports the rise of zero trust networks, where enterprises no longer trust any of their local networks and require all connections to all services to be encrypted with TLS (which is increasingly immune to existing monitoring techniques) or VPNs. This transition to the cloud and increase in encrypted connections dramatically impacts perimeter security, monitoring, patching, incident response, and probably a dozen other security practices. When migrating to highly secure cloud services (still the minority in SaaS), it wipes out the need for large portions of existing security without fully requiring equal spend or effort on the new service. And in the worst case you might still deploy your own software stack, but it will be in an IaaS cloud, not the data center across the corporate campus.
- Infrastructure as a Service is the new data center: Major cloud providers (a very short list of very big companies) offer infrastructure that, thanks to economic forces, is vastly more secure than most of the enterprise data centers in existence. And since Amazon Web Services alone was about a $12B business in 2016, it is clear the migration to cloud computing is actually more of a stampede. If this shift were merely about moving from physical to virtual machines a lot would still be changing, but we are seeing a deeper architectural transformation driven by the inherent software defined networks of cloud providers combined with serverless, containers, and other emerging options. You don’t get to stick your IPS in front of a Lambda function, nor do you patch or configure an Elastic Load Balancer. Many foundational security practices we rely on to protect our custom applications either aren’t needed, or can’t be implemented using the same tools or techniques as with traditional infrastructure.
All of this is accessible if you build a new organization from scratch today. Very secure endpoints that are much less reliant on historic security tools connecting predominantly to cloud services over encrypted links. Offices with networks that merely exist to provide Internet access, with nearly all applications, services, and servers hosted in the cloud. New applications leverage architectures and capabilities that barely resemble those of yesterday, and certainly aren’t hosted in a data center you manage.
Yet facing these dramatic changes is a security market that is heavily reliant on existing revenue models, and a professional workforce that’s spent decades building a particular set of skills, practices, and operational models that don’t necessarily match emerging requirements. This isn’t theory: I’ve talked with friends and contacts in major security vendors who can’t shift existing products and operations to best support cloud even when they want to. Shareholders refuse to support the required revenue model changes, while the companies face massive internal friction to altering product development, operations, and sales compensation. When your entire revenue and sales compensation models are built on pushing boxes, transitioning to elastic software and services products and pricing isn’t exactly easy.
On the security professional side, I’ve trained hundreds on cloud security while working with dozens of organizations to secure their cloud deployments. It can take years to fully update skills and even longer to re-engineer enterprise operations, even when you don’t battle internal friction from large chunks of the workforce that don’t believe these changes are happening, lack some of the required foundational skills (mostly coding), or simply lack the time to learn new things while keeping the old things running.
I don’t claim to know exactly how all this will play out. I don’t claim to have all the answers, but I do know, without a doubt, that these tidal forces are inexorably drawing us forward at wildly uneven, yet accelerating, rates that will rip apart existing security markets, practices, and operations. And the bigger you are, the farther apart your leading and trailing edges, the more painful the stretching.
Over the next few weeks these posts will focus on each of the forces and discuss the transformations, and their potential impact, in more depth. I’m cheating a bit and using the blog as a way to pull my thoughts together for my upcoming RSA session on the same topic. Even if we don’t know exactly what’s on the other side of the event horizon, we can still best prepare ourselves by recognizing change is happening and looking for key opportunities to prepare for multiple potential outcomes.
- Rich

from Tidal Forces: The Trends Tearing Apart Security As We Know It