Thursday, May 16, 2024

Security DON'T dos, The Wild West of Old and DevOps to the Rescue

Security Tenets

Keep these DON’Ts at the top of your list.

 

Fourk 7: Security DON'T dos





  1. DON’T leak data.
  2. DON’T corrupt data. 
  3. DON’T keep users from their data.

DO keep your customers' data secure.

 

Kevin Eberman's take on the triad, the three-legged stool of Information Security:

confidentiality, integrity and availability


The tenets of Information Security deserve regular consideration. They form the basis of many laws, regulations and industry standards. When I was first introduced to this formal definition of security tenets, I learned Information Security is about more than keeping secrets. I was expecting confidentiality to be a concern, but I did not expect integrity and availability to be equal concerns. Integrity made sense, but it took me a moment to get behind the idea that availability was a security concern. I was not and am not alone in this reaction. A lot of people have this reaction. Even people that should know better, like some developers I've worked with, have had this reaction. But, not having access to your data can have serious consequences. Imagine not being able to access your bank account! You have to be able to get to your data. 


Confidentiality: When users think about Information Security, this is generally what they think about. It is typically the type of breach that makes for headlines. The disclosure of private information.  


Integrity: The data you are minding has to be accurate. Making decisions with incorrect data leads to all kinds of problems; just ask someone who is trying to scrub their credit card rating of a false report or identity theft.


Availability:  Finally there’s availability. There is no data security if users cannot access their data. 



The Wild West of Old


In the Wild West of old, settlers faced many risks. The environment was hostile. The weather, wild beasts, bandits, and of course, a native population made it very risky to be a settler. Yet people were driven by the opportunity of a new life and a place to claim as their own.


Business has always operated with risk. Indeed, risk is required in business. Business is competitive. There are winners and losers. In order to get the spoils, in order to get an advantage over their competitors, the greatest business people, the greatest leaders need to take risks to get ahead.


After more than twenty years of commercialization, the Internet remains a vast frontier with weak security--a lot like the Wild West of old. It provides ample opportunities for modern-day bandits to wreak havoc on today’s Internet settlers. Like the frontier of bygone days, the Internet provides a new way for people to live and make money. Despite the risks, we continue to use the Internet at an ever-expanding rate!


The Internet: A Modern Wild West


The Internet was conceived and built as an open system. Government, universities and large businesses at the root of the foundation of the Internet shared a common purpose and interest in having and maintaining an open Internet. For decades these open standards fostered a high level of engagement and usage by participants.


As the Web commercialized the Internet, those groovy open standards emerged as an on-going vector for attacks. In the 90s, attackers were often individuals writing prank viruses that were mostly intended to cause a bit of disruption and draw attention to the prankster and his l33t h4xs0r sk1lz. Nowadays there are serious and coordinated threats by organized criminals and governments to scan, monitor and infiltrate systems for all types of misuses. Information Security continues to grow in importance for governments, businesses and individuals. Vast data disclosures by retailers and governments have become a feature of our news. Spying, theft and sabotage have made way for even more insidious attacks like misinformation. And then there's GenAI, poised to generate all types of automated mischief spiked with intelligence.  


Security exploits continue to emerge at all levels of the stack. As one part of the infrastructure is tightened up, millions of lines of new code are distributed to millions of systems. The attack surface grows faster than our defenses.


And yet, even as the threats mount, old problems persist! E-mail has suffered mighty abuse. The true source of an e-mail is easily forged. Phishers pretend to be from a known service or source. They masquerade as a trusted interlocutor and get marks to disclose information they meant to keep secret. Users are bombarded by these types of social engineering attacks, which are made more effective when the email is forged through an open-relay mail server. Improvements have been made to the e-mail infrastructure; both servers and clients have gotten better. Nowadays, it has become common for email operators to utilize new mechanisms to ensure mail has proof of authenticity.


DevOps to the Rescue


Security threats emerge very quickly. They often put Ops and Dev on high alert, reacting to new threats. Quick action is necessary to implement security patches and maintain operations. Even a flawless security operation will be faced with unexpected challenges on today’s Internet. Zero-day security threats, serious threats that emerge without any prior notice, require the type of rapid response, central control, communication and automation that a fully functioning DevOps environment provides.


