Are we sacrificing security at the altar of simplicity?
Technology makes life so much easier.
It has almost a limitless upside, and it’s been simplified to the point where you don’t need a PhD to make it do what you want. It’s easy to buy (thank you, Amazon), it’s easy to deploy (hello, Apple), and, for most of us, it’s still amazing to see it do what it says it’s going to do.
As a result, we’ve taken that consumer experience and started to ask: “If I can automate all the lights, locks, thermostats, and cameras in my home with a single voice command, why can’t I automate stuff at work, too?”
This is where things get tricky.
The consumption economics effect
We have moved all-in on consumption economics. We have simplified technology consumption and application to the point that the lines between personal decisions and business decisions have completely blurred.
And that’s dangerous.
In speaking with IT pros, the conversation inevitably turns to human behavior and how consumption economics has impacted corporate security. My opinion: Our corporate behavior directly correlates to our personal behavior, making it directly responsible for the ransomware headlines we see every day.
Here’s why: There’s no difference between your business life and your personal life. Case in point: If you value showing up on time, you’ll make the same effort to be on time for your kid’s baseball game as you would for your staff meeting.
Therefore, when it comes to data security, do you care more about your personal data or your corporate data? I think they’re one and the same.
Do we actually care about personal privacy?
It certainly doesn’t seem like it.
Today, roughly one in four adults in the U.S. has at least one Amazon Echo or Google Home device (one in three if you’re under the age of 50). By 2023, we will have deployed roughly 7.5 billion of these devices worldwide. That’s one device per every person on the planet.
Obviously not everyone will have one of these devices, but that’s still a lot of people putting them in their cars, appliances, living rooms, and bedrooms. Not only will these devices listen to what we say, they can see what we do!
Awesome trade-off: I’ll have Alexa turn on my Christmas tree and, in return, Amazon will glean what I eat, read, watch, and so on. What could possibly go wrong?
Ransomware: How do they get in?
The easiest way for me to access your private data is for you to give it to me. Phishing is the number one intrusion vector for ransomware, followed by drive-by download.
But better yet, instead of sending you a curious email, how about I come up with digital surveillance equipment, give it a euphemistic name like “voice assistant,” price it so it’s universally affordable, and wait for you to voluntarily deploy it everywhere?
Eventually, you will even demand businesses incorporate these “luxuries” into your high-end appliances, automobiles, and hotel rooms. Sure, you may pay a premium for them, but it’s worth it to turn your life into “The Truman Show,” right?
Security should be as easy to consume as the technology itself
A general rule-of-thumb: Don’t deploy technology if you don’t know how to secure it. Unfortunately, consumers and IT professionals face the same challenge. There is a lot of technology that we would love to deploy but need to secure.
As security experts often point out, you (as the user or person responsible for securing this technology) must be right all the time; the bad guys need to be right once. While we somehow haven’t managed to Alexa-enable security, somewhere out there is the point where simplicity and security meet. So, how do we get there?
Here’s a good place to start:
- Platform security. Don’t deploy multiple touch points, as these create multiple exposure points. Consolidate them to reduce the attack surface. Put your eggs in fewer baskets and then watch those baskets.
- Data security. Enforce permissions. Don’t leave everything open to everybody, even if you have strong platform security. Every device on the planet can restrict who gets to see what.
- Recovery plan. Even the best defenses in the world will get scored upon. Make sure you have a plan to recover. How you react will determine the price you pay.
Let’s look at each of these areas further.
How to create platform security
Ultimately, the goal should be securing administrative access to the platform itself. While you want to make the initial installation and ongoing administration easy, you can’t afford to sacrifice security at the altar of simplicity.
Administrators should meticulously follow the Security Hardening Guide a vendor provides and understand how to:
- Enable multi-factor authentication (MFA)
- Establish granular role-based access (RBAC)
- Set up a support user
- Turn support access on/off
- Manage firewall ports
- Implement key management
With platform security, you want to employ security industry best practices that, while easy to implement, make it extremely difficult for bad actors to gain access to the platform controls.
Remember: Don’t deploy the tech until you understand what you’re deploying and how to secure it.
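One way to turn that checklist into something you can run against a platform before it goes live, as an added example that is not from the original post or any vendor's hardening guide; the config keys, the ALLOWED_PORTS policy and the 365-day rotation bound are assumptions constructed for the illustration:

```python
# Added example: audit an admin-plane config against the six checklist items.
# The config schema, ALLOWED_PORTS and the rotation bound are assumptions.

ALLOWED_PORTS = {443}  # assumed admin-plane policy: HTTPS only

def audit_platform(config: dict) -> list[str]:
    """Return checklist findings; an empty list means every item passes."""
    findings = []
    # MFA: administrative logins require a second factor.
    if not config.get("mfa_enabled", False):
        findings.append("MFA disabled for administrative access")
    # RBAC: granular roles, not one all-powerful role for everybody.
    users = config.get("users", {})
    if users and all(role == "admin" for role in users.values()):
        findings.append("every user holds the admin role; RBAC is not granular")
    # Support user: a dedicated identity, so vendor access never reuses an admin.
    if "support" not in users:
        findings.append("no dedicated support user")
    # Support access toggle: off by default, and time-boxed whenever it is on.
    support = config.get("support_access", {})
    if support.get("enabled") and not support.get("expires_at"):
        findings.append("support access enabled with no expiry")
    # Firewall ports: only the expected admin-plane ports are exposed.
    extra = set(config.get("open_ports", [])) - ALLOWED_PORTS
    if extra:
        findings.append(f"unexpected open ports: {sorted(extra)}")
    # Key management: keys live in an external KMS and rotate regularly.
    keys = config.get("key_management", {})
    if keys.get("provider") != "external_kms" or keys.get("rotation_days", 9999) > 365:
        findings.append("keys are vendor-local or rotate less than yearly")
    return findings

# Constructed sample: the "just get it running" state after a quick install.
WEAK_CONFIG = {
    "mfa_enabled": False,
    "users": {"alice": "admin", "bob": "admin"},
    "support_access": {"enabled": True},
    "open_ports": [22, 443, 8080],
    "key_management": {"provider": "local"},
}
# Constructed sample: the same platform after working through the guide.
HARDENED_CONFIG = {
    "mfa_enabled": True,
    "users": {"alice": "admin", "bob": "operator", "support": "support"},
    "support_access": {"enabled": False},
    "open_ports": [443],
    "key_management": {"provider": "external_kms", "rotation_days": 90},
}
```

Running audit_platform over WEAK_CONFIG reports all six items; the hardened config returns no findings.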
How to create data security
You may not have as elaborate a security framework at home as you would at the office, but in both cases, you are able to restrict access to data.
Your trusted security advisor can make sure your device or platform slipstreams into your existing security framework (e.g., Active Directory, Kerberos, LDAP). In a corporate setting, you can harden your environment further with features like encryption of data at rest and in flight, immutable file systems, and detailed log analytics. RBAC plays a part here as well.
How to create a recovery plan
It’s not a matter of “if,” it’s a matter of “when.” So, you must be ready to act.
Luckily, several technologies have matured and converged at the right time to help you securely store, protect, and recover. These include:
- Hyperconvergence/software-defined architectures
- Containerized services
- N+1 Google-like platforms
- Hardware commoditization
- API-first (RESTful) communications
- Orchestration/automation tools
- Machine learning/AI
Simplifying security without sacrificing integrity
Many of the technologies and data platforms available to us in a corporate setting are now as easy to deploy as an Amazon Echo. But to protect yourself, your employees, and your organization, you must make sure you understand how these technologies should be and are being secured.
We are at the point where we can simplify security without sacrificing integrity. We can walk that line, but you must remember: You are only as secure as you want to be.
About the author
Mike Riley is the Solutions Architect for National Partners at Cohesity. Mike has traveled throughout the United States and abroad listening and talking to customers on how to apply data strategies for better business outcomes.