What remains unsolvable in security (Part 2 of 2)
As we round out the year, I am summarizing my thoughts and observations from 2017 as a personal reflection. In the second part of the series, I will share two more observations of what I consider unsolvable aspects of security.
Observation #3: Better communication is a starter, but does not guarantee results
In much of the security literature today, there is a constant call for better coordination and collaboration to improve security. There are many emergency response teams today with a variety of focuses – regional, national, cities, vendors, or even religious regions. In theory, a functional ecosystem of response and coordination centers will improve communication, coordination, and ultimately transparency and information security.
Unfortunately, theory seldom works perfectly in reality.
Coordination centers and response teams often work in silos today. The challenge is usually about when and what information can be made available. Security and vulnerability information is often sensitive and protected. In most cases, such protectionism originates from the belief that transparency will cause harm and widespread exploitation. As a result, coordination and communication often fail and break down.
Most countries now operate at least one coordination center or response team. Better communication is a starter, but does not always guarantee results.
Many coordination centers adopt the Traffic Light Protocol (TLP). In some respects, this is an effective classification system for vulnerability information. Meanwhile, it is also a mechanism to exclude. Some practitioners argue TLP is effective at delaying or preventing exploitation, but in fact the dark web is way more efficient at spreading vulnerability information.
Security through obfuscation is just a fallacy. In many security talks, the most common recommendation is to facilitate a closer community for better security. However, I wonder how many people actually have a strategic vision to achieve such a goal.
Observation #4: Cloud, IoT, and digital transformation challenge the status quo and allow us to break the cynical cycle
Cloud, IoT, and digital transformation are hot topics in 2017. New industry talks and discussions focus on how new technologies are expanding the threat landscape beyond conventional security controls. It is no longer sufficient to secure one’s network. The interconnectivity of things is challenging the boundary and definition of perimeter in security. There are many discussions about how difficult it is to manage security for cloud, IoT, and digital transformation alike. Yet, we have not spent enough time talking about solutions.
Perhaps new technology is redefining many aspects of computing. The recent Apple iPad commercial illustrates how millennials and new generations perceive technology. Instead of focusing on how difficult it is to expand our current practice, we may need to take a step back to envision what next-generation security should look like through digital transformation. We may discover new ways to manage security to tackle some of the unsolvable problems we face today.
I will soon expand my responsibility to build some of the next-generation security features. I look forward to sharing my journey with you in the new year.