The Immune System Analogous to Security?…SUCKS.
I find it oddly ironic that vendors such as Cisco maintain that the human immune system is a good model for how "network" security ought to function. Now, I know that John Chambers’ parents are doctors, so perhaps he can’t help it…
In a recent blog entry, Richard Stiennon reviews John Chambers’ recent keynote at the Security Standards show, wherein he summarizes:
The human body is a good metaphor for the way security should be. You hardly ever notice when your body is attacked because the majority of attacks are warded off. It is the exception when you catch a cold or have to go to the doctor.
It’s an unfortunate analog because PEOPLE DIE.
In my Unified Risk Management Part I whitepaper, I specifically suggested that this idea sucks:
Networks of the future are being described as being able to self-diagnose and self-prescribe antigens to cure their ills, all the while delivering applications and data transparently and securely to those who desire it.
It is clear, however, that unfortunately there are infections that humans do not recover from. The immune system is sometimes overwhelmed by attack from invaders that adapt faster than it can. Pathogens spread before detection and activate in an overwhelming fashion before anything can be done to turn the tide of infection.
Mutations occur that were unexpected, unforeseen and previously unknown. The body is used against itself as the defense systems attack both attacker and healthy tissue and the patient is ultimately overcome. These illnesses are terminal with no cure.
Potent drugs, experimental treatments and radical medical intervention may certainly extend or prolong life for a short time, but the victims still die. Their immune systems fail.
If this analogy is to be realistically adopted as the basis for information survivability and risk management best practices, then anything worse than a bad case of the sniffles could potentially cause networks – and businesses — to wither and die if a more reasonable and measured approach is not taken regarding what is expendable should the worst occur. Lose a limb or lose a life? What is more important? The autonomic system can’t make that decision.
I’m sick of these industry generalizations and fluffy conference sound bites because they’re always painted with a rosy end, downplaying the realities of the "cons" (pun intended) at the expense of what everyone knows to be the truth.
…and, truth be told, this analog is actually the PERFECT model for the Information Security paradigm because of just how spectacularly the immune system fails.