Security Will Not End Up In the Network…
It’s not the destination, it’s the journey, stupid.
You can’t go a day without reading from the peanut gallery that it is "…inevitable that network security will eventually be subsumed into the network fabric." I’m not picking on Rothman specifically, but he’s been banging this drum loudly of late.
For such a far-reaching, profound and prophetic statement, claims like these are strangely myopic and inaccurate… and then they’re exactly right.
Confused?
Firstly, it’s sort of silly and obvious to trumpet that "network security" will end up in the "network." Duh. What’s really meant is that "information security" will end up in the network, but that’s sort of goofy, too. You’ll even hear that "host-based security" will end up in the network…so let’s just say that what’s being angled at here is that security will end up in the network.
These statements are often framed within a temporal bracket that simply ignores the bigger picture and reads like a eulogy. The reality is that historically we have come to accept that security and technology are cyclic, and yet we continue to witness these terminal predictions defining an end state for security that has never arrived and never will.
Let me make plain my point: there is no final resting place for where and how security will "end up."
I’m visual, so let’s reference a very basic representation of my point. This graph represents the cyclic transition over time of where and how we invest in security.
We ultimately transition between host-based security, information-centric security and network security over time. We do this little shuffle based upon the effectiveness and maturity of technology, economics, cultural, societal and regulatory issues and the effects of disruptive innovation. In reality, this isn’t a smooth sine wave at all; it’s actually more a classic damped oscillation à la the punctuated equilibrium theory I’ve spoken about before, but it’s easier to visualize this way.
Our investment strategy and where security is seen as being "positioned" reverses direction over time and continues ad infinitum. This has proven itself time and time again yet we continue to be wowed by the prophetic utterances of people who on the one hand talk about these never-ending cycles and yet on the other pretend they don’t exist by claiming the "death" of one approach over another.
Why?
To answer that, let’s take a look at how the cyclic pendulum effect of our focus on security trends from the host to the information to the network and back again by analyzing the graph above.
- If we take a look at the arbitrary "starting" point indicated by the "You Are Here" dot on the sine wave above, I suggest that over the last 2-3 years or so we’ve actually headed away from the network as the source of all things security.
There are lots of reasons for this: economic, ideological, technological, regulatory and cultural. If you want to learn more about this, check out my posts on how disruptive innovation fuels strategic transience.
In short, the network has not been able to (and never will) deliver the efficacy, capabilities or cost-effectiveness desired to secure us from evil, so instead we look at actually securing the information itself. The security industry messaging of late is certainly bearing testimony to that fact. Check out this year’s RSA conference…
- As we focus then on information centricity, we see the resurgence of ERM, governance and compliance come into focus. As policies proliferate, we realize that this is really hard and we don’t have effective and ubiquitous data classification, policy affinity and heterogeneous enforcement capabilities. We shake our heads at the ineffectiveness of the technology we have and hear the cries of pundits everywhere that we need to focus on the things that really matter… In order to ensure that we effectively classify data at the point of creation, we recognize that we can’t do this automagically and we don’t have standardized schemas or metadata across structured and unstructured data, so we’ll look at each other, scratch our heads and conclude that the applications and operating systems need modification to force-fit policy, classification and enforcement.
Rot roh.
- Now that we have the concept of policies and classification, we need the teeth to enforce it, so we start to overlay emerging technology solutions on the host, in applications and via the OS, that are unfortunately non-transparent and affect the users and their ability to get their work done. This becomes labeled as a speed bump and we grapple with how to make this less impacting on the business, since security has now slowed things down and we still have breaches because users have found creative ways of bypassing technology constraints in the name of agility and efficiency…
- At this point, the network catches up in its ability to process closer to "line speed," and some of the data classification functionality from the host commoditizes into the "network" — which by then is as much in the form of appliances as it is routers and switches — and always will be. So as we round this upturn focusing again on being "information centric," with the help of technology, we seek to use our network investment to offset impact on our users.
- Ultimately, we get the latest round of "next generation" network solutions which promise to deliver us from our woes, but as we "pass go and collect $200" we realize we’re really at the same point we were at point #1.
‘Round and ’round we go.
So, there’s no end state. It’s a continuum. The budget and operational elements of who "owns" security and where it’s implemented simply follow the same curve. Throw in disruptive innovation such as virtualization, and the entire concept of the "host" and the "network" morphs and we simply realize that it’s a shift in period on the same graph.
So all this pontification that it is "…inevitable that network security will eventually be subsumed into the network fabric" is only as accurate as what phase of the graph you reckon you’re on. Depending upon how many periods you’ve experienced, it’s easy to see how some who have not seen these changes come and go could be fooled into not being able to see the forest for the trees.
Here’s the reality we actually already know, and it should not come to you as a surprise if you’ve been reading my blog: we will always need a blended investment in technology, people and process in order to manage our risk effectively. From a technology perspective, some of this will take the form of controls embedded in the information itself, some will come from the OS and applications and some will come from the network.
Anyone who tells you differently has something to sell you or simply needs a towel for the back of his or her ears…
/Hoff
Critically Under-damped Oscillations
Chris Hoff has a great, common-sense post on security and where in the data center it will eventually end up residing. (If you don't want me to give away the plot, go directly to the post. Don't read the snippet
This is one of the best posts I have read in a while. Why can't people see this? Is it vendor pressure, in combination with the requirements for compliance to one or more regulatory pressures?
-colin.
You're absolutely right. Bruce Schneier has been parroting this a lot lately. Paint me skeptical, but his company was purchased by a large Telco.
Well said… although I'm not sure how even those waves should be in reality. It may look a little crazier, but still with the idea of cycling points of concern driven by innovation inside and outside the network.
This reminds me of the Kondratieff Wave notion of the impacts of terms of trades between raw material and finished goods suppliers and their impact on economic growth, etc. Raw materials and finished goods rose and shrank relative to raw materials due to supply/demand imbalances. Maybe Disney had it all figured out: we're all moving on rails beneath our lines of sight!
G
@Greg…
I have a picture in my head. Every time I try to draw it (many of them, actually) it looks like a meth-head having a grand-mal seizure with a Sharpie in his hand. 🙁
Rich Miller articulated what I draw in air in my security/disruptive innovation talk; the numerous overlapping waves…the closest I come is multiple converging damped oscillations…but it's messy…it needs to be done in an animation which is what I've been working on.
Did you just compare me to the Mr. Lincoln show? 😉
Chris – I had an "uh huh" moment reading this about why you and I disagree on this. I really do mean network security will wind up in the network, but certainly not all information security. I think security does break down into network, host and data. Maybe that is where our disconnect is? Not sure I will get to writing a full response on my blog, but wanted you to know.
Chris,
You are absolutely correct on this post. That is why I slammed TippingPoint on my post and said that "there is a need for embedded security AND security on the edge." You obviously took it further and explained it in a lot more detail, but essentially that is what bugs me about these types of propaganda campaigns by some vendors out there. They are employed to convince a few people so they can make some money in the short-run (relatively), and they slow down the natural progression / evolution of security. TippingPoint said it could not be done because of an agenda, not because it can't be done. And it pains me when a smart guy like Brian Smith gets drawn into this.
Michael
Super cool post. Nice read. Keep posting. Thanks for sharing.
Regards,
SBL Software http://www.sblsoftware.com/embedded-household.asp…