I was recently trading thoughts with Anton Chuvakin, a respected security metrics professional, in a philosophical discussion of perfection and quality of security. Admittedly, I was on auto-pilot (operating without the benefit of coffee) rattling away with my ‘Optimal Security’ rhetoric, when Anton posed two thought provoking questions: CAN one "mandate optimal security"? How do you "mandate flexible"?
I was stopped in my tracks. This got me thinking. After fetching a tall cup of coffee to start my brain juices flowing in earnest, I reached back into the pages of history to come up with the following perspective and examples:
I believe, to a certain extent, we can mandate flexibility and optimization. Surely we can act in ways which deny both. So why can’t we act in a manner which intrinsically promotes them?
I think back to lessons of WWII and the Maginot line. The French chose to create a fortification which was static by design and lacked mobility or a capability to adapt to changing enemy tactics. They invested heavily into this control, which became the backbone of their country's eastern defense. It was an appalling failure. Alternatively, the German blitzkrieg, and the stratagems of both Rommel and Patton prevailed. Flexibility through mobility was far more effective than an elaborate static defense.
I would argue that flexibility can be mandated through proper planning and design. We have examples in the history of information security. In the early years of Anti-Virus (AV) products, they were non-memory resident applications which were prescribed to be run once a week. Updates were a rarity if at all. That rigid design quickly lost effectiveness, with the rise in velocity of new malware. AV vendors were forced to adapt. The overall design has changed to one which is flexible, can be updated to meet emerging malware, and continuously runs in the background to provide persistent security.
Rigid security postures lack the ability to remain effective over time and are likely derived by an equally rigid infrastructure which will struggle to adapt to new threats and changes within the organization. Create security to be flexible and you enable the service to keep up with the continual changes.
In general, design a system to be flexible and its longevity for effectiveness is extended. Plan how systems can continuously adjust itself to align to what is 'optimal' and you increase the sustaining efficiency.
We must be strategic in our planning and design of security, lest we suffer the fate of France's Maginot line.
Check out Anton’s Blog for other thought provoking viewpoints; just be sure to have your coffee at the ready.
More on “Optimal security”:
What are your thoughts? Rigid or Fluid? Have you implemented optimal and flexible?