
Security – What Can We Learn From History?

By ISBuzz Team | December 18, 2013 | Updated: July 3, 2024 | 5 Mins Read

We seem to hear of new security breaches almost every day. Even the organizations with the best and most sophisticated security controls can be vulnerable. Despite huge investments in security infrastructure, attacks are increasing in frequency and severity. These successful attacks raise an important question – is it possible to protect ourselves in today’s environment?

Perhaps taking a step back and looking at history may provide some answers. In trying to make sense of the past, we can divide the evolution of computing and the technologies used to protect it into three phases.

1. The Stand Alone Phase (1950s-1980s)

The early days of computing were dominated by mainframes which could only be used by a small number of people with specialized knowledge. These mainframes were relatively simple by today’s standards. They ran proprietary software that had limited capabilities and were isolated from other systems. The industry was vertically integrated and architectures were monolithic. Consequently, mainframes provided limited attack surfaces for malicious activity.

Simple architectures made security a simple problem. Mainframes could be accessed only from a limited number of terminals which required physical presence in closely monitored rooms. Passwords augmented physical security to satisfy the security needs of the day. The problem of delivering secure computing was looked at from a “stand alone” perspective, one in which you only had to consider the isolated system.

2. The System Phase (1980s-2010)

Over time, computing systems grew more powerful, complex and diverse. Mainframes gave way to minicomputers which later gave way to PCs and servers. Architectures grew more modular, allowing people to layer independently-developed hardware and software components on top of each other to build more complex systems. This complexity multiplied the attack surfaces and new forms of threat arose. Delivering secure computing now needed a broader system perspective, one in which you not only had to consider vulnerabilities in individual components but also the vulnerabilities caused by the integration of these components.

Computers started communicating with each other using Local Area Networks (LANs), allowing new threats such as viruses and trojans to spread. Soon, these LANs became connected to each other to form the Internet, providing even greater distribution for threats. This further fueled the explosion of new threats and attackers.

The industry responded by developing technologies to counter these threats – Public Key Cryptography, Firewalls, Virtual Private Networks (VPNs), anti-virus software and intrusion detection systems, to name a few. The system perspective to security had given way to perimeter-based protection. The core concept was to build a perimeter around the assets that need to be protected and to tightly control access through this perimeter.

3. The Ecosystem Phase (2010 Onwards)

We are now entering the third phase of security – driven by mobile devices, virtualization and cloud architectures. Computing is becoming even more interconnected, with users and businesses needing access to all data at all times. Information needs to flow from one application to another to address business needs. Systems and data are no longer tied to a single location or even to a single organization. Applications are distributed between private, hybrid and public clouds. Suddenly, the perimeter has dissolved.

With no perimeter, the security technologies created in the system phase are no longer effective in protecting computing systems and the data contained within them. This point is well illustrated by the recent breach at Adobe. Apart from source code for several Adobe products, the attackers were able to steal passwords for over 150M accounts. This breach not only affected Adobe but also set off a domino effect that put other companies at risk due to rampant password reuse between online accounts. It is no surprise that the Adobe breach caused web properties such as Facebook, Evernote, Eventbrite and PR Newswire to issue warnings to users. Now, consider the cumulative effect of exposed passwords in 2013 at Cupid Media (42 Million), Yahoo! Japan (22 Million) and LivingSocial (50 Million) among others. These web properties are inadvertently linked to scores of other properties through shared passwords. It is no wonder that breaches are increasingly common.

Today’s reality is that the system perspective of security is no longer sufficient. The security architectures resulting from this perspective do not address threats enabled by the interconnections and interdependencies between systems and organizations. We need a new perspective in building security technologies – the ecosystem perspective. We need to consider the ecosystem as a whole when we design our security architectures, protocols and products. Today, we need to carefully consider the flow of information between not only applications, users and devices but also between organizations.

The ecosystem perspective requires new types of identities, permissions, flows and isolations. Identities that fit into the world of BYOD and cloud applications. Permissions that reflect the way businesses and users function today. Flows that allow applications and devices to work together while still preserving security and privacy. Isolations that address the domino effects of breaches like we see today. We need to build these based on the ecosystem perspective of security.

Girish Wadhwani | Product Marketing Manager | Nok Nok Labs

Area of Expertise:

Mobile Networks, Optical Networks, Authentication and Security.

Professional Biography:

Girish Wadhwani is Product Marketing Manager at Nok Nok Labs. Nok Nok was founded in 2012 to develop a next generation authentication platform that enables any application to use any authentication method on any device. Girish also works closely with the Fast IDentity Online (FIDO) Alliance, which is standardizing the first mile of authentication.

The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
