Simplifying cyber: is reducing complexity the key to better security?
17th October 2024 • Park Plaza Victoria, London
Kubernetes, Containers, Cloud, OT/IT, BYOD, Defence-in-Depth, point solutions – how can CISOs make security manageable again?
If complexity is vulnerability, then how can CISOs simplify? What’s the new paradigm?
We often ask why it is that so many of today’s security problems were yesterday’s and the day before’s. One answer is that while security technology and processes have greatly improved, the problem has become vastly more difficult.
This is not simply because attackers have multiplied and become more sophisticated; it’s not just because of AI or geopolitics or the expansion of the IoT and OT – although all of these have hugely increased attack surfaces and the scale of threats to them.
No, the underlying problem is more simply described as complexity. As one researcher says, “The simple combinatorial mathematics of the sheer increase in endpoints not only means a greater number of systems to manage but also much more complex network architectures and webs of connections underlying IT and technology infrastructure and systems.”
For example, the rise of cloud computing, microservices, containers, IPv6, has created a vastly more complex endpoint infrastructure than existed before, even though that was comprised of billions of connected, physical devices. The default premise of cloud is to make services, APIs, storage, computing, and networking accessible – the default for a service is exposed to the world. Cloud storage is no longer segregated and sitting behind a server.
And at the same time as this increase in complexity and vulnerability, Cloud services (e.g. the IP blocks used by Amazon’s S3 storage service) are increasingly easy to identify and attack.
The response of security teams to these paradigm shifts in technology, scale and complexity has often been to meet each challenge piecemeal as it occurs. So global firewalls have been supplemented with various technologies to cater for the fact that these firewalls must be porous due to the growing number of APIs and services that must connect to the outside world.
Critical processes, services, and instances have been placed inside security groups, with access controls applied on a per-group basis, associated with identity providers and authentication systems.
At the same time, security teams put in place more defence technologies, often layering them to address specific threats or assets: data is protected one way, applications another, APIs are guarded by API gateways, Kubernetes clusters are guarded by specialized Web Application Firewalls and Ingress Controllers, SecDevOps teams mandate smaller, more lightweight firewalls in front of every public service or API and application security teams require that SAST and SCA scans be run on any code.
But what we end up with are security stacks too complex to fully understand or fully utilise. We create governance and assurance nightmares. We introduce insecurity because of the complexity and because of the additional third-party issues we create.
We need a new way to think about all this. But that would that look like?
