
Incomplete Thought: Virtual/Cloud Security and The Potemkin Village Syndrome

A “Potemkin village” is a Russian expression derived from folklore from the 1700s.  The story goes something like this: Grigory Potemkin, a military leader and statesman, erected attractive but completely fake settlements constructed only of facades to impress Catherine the Great (empress of Russia) during a state visit in order to gain favor and otherwise hype the value of recently subjugated territories.

I’ll get to that (and probably irate comments from actual Russians who will chide me for my hatchet job on their culture…)

Innovation over the last decade in technology in general has brought fundamental shifts in the way in which we work, live, and play. In the last 4 years, the technology products and services that are enabled by this “digital supply chain,” and the manner in which they are designed, built and brought to market, have also pivoted.

Virtualization and Cloud computing — the technologies and operational models — have contributed greatly to this.

Interestingly enough, the faster technology evolves, the more lethargic, fragile and fractured security seems to be.

This can be explained in a few ways.

First, the trust models, architecture and operational models surrounding how we’ve “done” security simply are not designed to absorb this much disruption so quickly.  The fact that we’ve relied on physical segregation, static policies that combine locality and service definition, mobility and the (now) highly dynamic application deployment options means that we’re simply disconnected.

Secondly, fragmentation and specialization within security means that we have no cohesive, integrated or consistent approach in terms of how we define or instantiate “security,” and so customers are left to integrate disparate solutions at multiple layers (think physical and/or virtual firewalls, IDP, DLP, WAF, AppSec, etc.)  What services and “hooks” the operating systems, networks and provisioning/orchestration layers offer largely dictates what we can do using the skills and “best practices” we already have.

Lastly, the (un)natural market consolidation behavior wherein aspiring technology startups are acquired and absorbed into larger behemoth organizations means that innovation cycles in security quickly become victims of stunted periodicity, reduced focus on solving specific problems, cultural subduction and artificially constrained scope based on P&L models which are detached from reality, customers and out of step with trends that end up driving more disruption.

I’ve talked about this process as part of the “Security Hamster Sine Wave of Pain.”  It’s not a malicious or evil plan on behalf of vendors to conspire to not solve your problems, it’s an artifact of the way in which the market functions — and is allowed to function.

What this yields is that when new threat models, evolving vulnerabilities and advanced adversarial skill sets are paired with massively disruptive approaches and technology “conquests,” the security industry  basically erects facades of solutions, obscuring the fact that in many cases, there’s not only a lacking foundation for the house of cards we’ve built, but interestingly there’s not much more to it than that.

Again, this isn’t a plan masterminded by a consortium of industry “Dr. Evils.”  Actually, it’s quite simple: It’s inertial…if you keep buying it, they’ll keep making it.

We are suffering then from the security equivalent of the Potemkin Village syndrome; our efforts are largely built to impress people who are mesmerized by pretty facades but don’t take the time to recognize that there’s really nothing there.  Those building it, while complicit, find it quite hard to change.

Until the revolution comes.

To wit, we have hardworking members of the proletariat, toiling away behind the scenes struggling to add substance and drive change in the way in which we do what we do.

Adding to this is the good news that those two aforementioned “movements” — virtualization and cloud computing — are exposing the facades for what they are and we’re now busy shining the light on unstable foundations, knocking over walls and starting to build platforms that are fundamentally better suited to support security capabilities rather than simply “patching holes.”

Most virtualization and IaaS cloud platforms are still woefully lacking the native capabilities or interfaces to build security in, but that’s the beauty of platforms (as a service,) as you can encourage more “universally” the focus on the things that matter most: building resilient and survivable systems, deploying secure applications, and identifying and protecting information across its lifecycle.

Realistically this is a long view and it is going to take a few more cycles on the Hamster Wheel to drive true results.  It’s frankly less about technology and rather largely a generational concern with the current ruling party who governs operational security awaiting deposition, retirement or beheading.

I’m looking forward to more disruption, innovation and reconstruction.  Let’s fix the foundation and deal with hanging pictures later.  Redecorating security is for the birds…or dead Russian royalty.

/Hoff

  1. Donny Parrott
    August 17th, 2012 at 13:27 | #1

    Careful, you will make the paranoid upset.

    I believe your references above come back to risk management, not security. “What things can I put in place to look secure vs. be secure.” Remember Cisco’s old commercial where the CEO comes to inspect IT security and is presented with “the blinky thing”?

    http://www.youtube.com/watch?v=pY8VV-5OZrc

    The real issue is the ability to identify the state of any object (system, data, link, policy) and measure against a standard. As systems and data objects become less stateful, the tools and policies must adapt to measuring against this.

    For instance, what if I don’t trust the network? What if I assume that once data leaves a “server” it must be protected until it reaches the destination? This throws a huge kink into many current security plans – if there is no “visibility” at the network layer, how can security policy be verified?

  2. August 20th, 2012 at 11:59 | #2

    Hi Christopher, I’m working with Orange France who will be hosting an event in SF (September 17) that’s fairly relevant to your blog post. The event will be covering the topic of innovation & trends in the Silicon Valley. Guest bloggers from Europe have been invited who will also share their insights with top innovators from around the valley. It’s free to attend and I think you and fellow bloggers may find it interesting. Email me if you’d like to know more! arthurh(at)ecairn.com

  3. September 25th, 2012 at 12:53 | #3

    What you said about security being very fragmented is interesting. When you bring that up, I can’t help but agree. There are so many different ways in which we feel “secure” in today’s society that I wonder what would happen if things were to fail. I am so reliant on a multitude of different ways to be secure, that I don’t think security would function if one were to fail.
