Security and the committee culture


It is, perhaps, a tad ironic that I found the press release from one of the big global consultancy houses, PricewaterhouseCoopers (PwC), languishing in my ISP’s spam bucket, for the subject matter it covered was security.

In fact it was about PwC’s participation in last week’s London conference on Cyberspace, which was hosted by the Foreign and Commonwealth Office. 

The release makes the observation that ‘the cyber security industry is in freefall’, and that ‘operating securely in the cyber environment is among the most urgent issues facing business and Government leaders today’. It adds that ‘the criminals are nimble and quick on their feet, and this is a fast-paced battle’.
 
Well yes, one can’t argue with any of that on the face of it. But one can maybe argue with the implications of some of PwC’s suggestions for solving the problems. These had the dual underlying themes of: a) form some committees to consider the subject urgently, and b) the vague implication that, because the company has ‘close to 169,000 people’ worldwide, it would be quite good if some of them found employment advising all the committees that should be set up.
 
The irony is, of course, that the talking shop approach to cyber security failed to appear at the conference itself, as this report in the Daily Telegraph demonstrates. It appears that most of the invited journalists made their excuses and left because they weren’t allowed to talk to anyone.
 
This, I am the first to admit, is a purely personal view, but setting up committees tasked with reacting quickly in order to contain or deflect cyber attacks is not only a process designed to shut the stable door after the horse has bolted but also to work out the design objectives of a best practice stable door. In addition, it will obviously discuss what a horse might look like. And we all know that a horse designed by a committee is a camel.
 
One of PwC’s suggestions is that organisations should get on the ‘front foot’ against the bad guys by ‘pursuing them more actively through legal means’. I doubt that catching a few people with Asperger’s or Obsessive-Compulsive Disorder is going to scare the real bad guys for more than a millisecond. And dragging such people through the minute and drawn-out machinations of the court system will often be an act of perverse cruelty, let alone then banging them up in jail.
 
I can’t help feeling that the answer is much simpler – in a word, automation. And not automation of security tools such as anti-virus and anti-spam utilities, but automation of the processes of security. For a start, the key question for any business must concern what constitutes insecurity in relation to its own operations. It will differ for every business.
 
This means driving security processes via the development and strict application of policies. These cover the important rules such as who has access to what and when, who is allowed to run what applications or services and when, and what is supposed to happen – and more importantly what is not supposed to happen – when an access is made or an application runs. Lastly, of course, there are the all-important policies of who is allowed to access the system at all, and how they establish that they are who they say they are.
 
Security then largely becomes a matter of exception management. Any action or process that steps out of line and exceeds the limits of any policy is to be trapped and stopped. Only then should humans get involved to help identify it and, knowing humans, form committees to argue over it. That is the only role humans should have with cloud security systems – defining the policies to be applied in the first place, and modifying them in the light of experience.
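The policy-and-exception loop described above, as an added example in Python that is not from the post: a deny-by-default policy table (who, which resource, which actions, which hours), with every access event that matches no rule trapped for human review. The rules, account names and log events are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed policy set (not from the post): who may do what to which resource,
# and during which hours. Anything no allow rule covers is an exception: it is
# trapped, stopped, and only then handed to a human to look at.
@dataclass(frozen=True)
class Rule:
    subject: str             # user or service account
    resource: str            # application, service or data store
    actions: frozenset       # what is supposed to happen
    hours: tuple             # (start, end) hour of day; start inclusive, end exclusive

POLICY = [
    Rule("alice", "payroll-db", frozenset({"read", "write"}), (8, 18)),
    Rule("bob", "web-app", frozenset({"run"}), (0, 24)),
    Rule("backup-svc", "payroll-db", frozenset({"read"}), (1, 3)),
]

@dataclass(frozen=True)
class Event:
    when: datetime
    subject: str
    resource: str
    action: str

def matching_rule(event, policy=POLICY):
    """Return the first allow rule that covers the event, or None (deny by default)."""
    for rule in policy:
        start, end = rule.hours
        if (rule.subject == event.subject and rule.resource == event.resource
                and event.action in rule.actions and start <= event.when.hour < end):
            return rule
    return None

def triage(events, policy=POLICY):
    """Split events into those policy allows and the exceptions a human must review."""
    allowed, exceptions = [], []
    for event in events:
        (allowed if matching_rule(event, policy) else exceptions).append(event)
    return allowed, exceptions

# Constructed sample access log for one day.
SAMPLE_EVENTS = [
    Event(datetime(2011, 11, 7, 10, 15), "alice", "payroll-db", "read"),
    Event(datetime(2011, 11, 7, 23, 40), "alice", "payroll-db", "write"),      # outside hours
    Event(datetime(2011, 11, 7, 2, 0), "backup-svc", "payroll-db", "read"),
    Event(datetime(2011, 11, 7, 2, 5), "backup-svc", "payroll-db", "write"),   # action not permitted
    Event(datetime(2011, 11, 7, 14, 0), "mallory", "payroll-db", "read"),      # no rule at all
    Event(datetime(2011, 11, 7, 14, 0), "bob", "web-app", "run"),
]
```

Running `triage(SAMPLE_EVENTS)` leaves three exceptions (alice after hours, the backup account writing, and an account with no rule) for a human to examine; the rest never reach anyone.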
 
But does that mean the security systems might sometimes still fail? Well the short answer is probably yes – but probably that will happen a lot less than it does now using traditional security tools – or limitless committees. In addition, with the growth in autonomic security systems it is likely that a growing area of policy making will itself become automated as the systems learn what constitutes appropriate behaviour for any particular environment.
 
The complement to policy-based security is the use of a wide – and growing – range of tools to monitor, trap and/or shut down processes in as near as possible real time, so that any attempt at causing damage or loss, be it intentional or the common consequence of user error, is contained and curtailed.
 
There will, however, be a need for lots of committees to be formed to discuss such ideas before businesses latch on to them.
