It’s not hard to see the importance of security in this new, interconnected, digital world. There is no hiding from the myriad of threats that seek to misuse the explosive growth of retained data and computation that defines the mortal plane. From governments to industry to private citizens, we are all acutely aware of how helpless and vulnerable all of us are to the predations of digital thieves, technology anarchists, and political institutions that seek to protect us by exploiting us.
Security has manifested itself in many forms over the last few years. Secure architectures. Digital signatures. Cryptography. The infamous CIA triad, for all of you CISSPs out there. Smart devices and even smarter code, designed by everyone from Apple to Zynga. From the application layer through each layer of the OSI model and down to the physical network, security is not just the first thing an architect has to think of; many times, it is the only thing he is allowed to think of when designing the infrastructure. This is because the consequences of failure – whether technological or from social engineering – can be catastrophic to the bottom line of an organization, both in public perception and in the legal recourse those affected will pursue.
I’m not going to bore you with the frightening statistics that deal with security breaches, from hackers like Anonymous to the dollar-and-cents games played by digital pickpockets; suffice it to say that the costs are horrendous. The consequences can be ruinous for individuals who have had their bank accounts or their identities compromised. The potential to reveal state secrets to enemy entities is just as dangerous; whether it is a virus constructed by a state actor or a squad of insurgents hacking the video feed to a Predator drone, the consequences can be measured in both dollars and lives lost. No chances can be taken with security.
So why is it that we never can seem to get it right? Why is it never enough?
Part of it is evolution. Technology has evolved in a way that has been independent of the sum of its parts, and each component of the infrastructure has looked at security as a mechanism specific to its own operations rather than to the entirety of the enterprise itself. You have security mechanisms embedded in almost every piece of hardware and code that data travels to and from, and few of these pieces interact with each other.
Another problem is framework. Given the evolutionary biology of the security apparatus, most organizations have sought to leverage existing technologies by shoving them into a one-size-fits-all framework like CIA or defense-in-depth, or something more prosaic like data security classification. Modularity is protected by things like threat assessments, risk management, and governance. But let’s be clear; what we have today is a confused mélange of opinions, protocols, and technology solutions that create jobs and solve problems that are opined rather than predicted. We have a robust technology security business on this planet, but most of it is built upon a house of cards that no one has been able to dismantle for decades. Ultimately, what we have to fear is not the spectacled super-nerd team of techno-geeks armed with source code cracks and sophisticated sniffers; it is social engineering, stupid configuration errors, and automated tools that look for vulnerabilities over an attack plane that keeps getting bigger and bigger.
Finally, there is this insane obsession with audit logging that we can’t seem to escape. Auditing is not threat prevention; it is part of the autopsy conducted upon a dead or dying body. It’s important, but without intelligent, big-data tools that can make sense of what is going on, it is useless as a “security” tool.
I know most of you are sick of me repeating this, but cloud will change all of this.
As technology becomes more complex and interrelated with other components, cloud providers (who will make up the bulk of hardware purchasing in the future) will be able to exercise greater clout when it comes to component integration. This has been the industry trend for the last decade; organizations have come to realize that joint ventures that engineer deeper and more coherent integration are the only way to create a viable cloud offering. From this trend we have seen the rise of entities like Canopy, VCE, and a re-orientation of Avanade as well. A second-order consequence of this integration will be tighter, more fluid security integration. This trend will only accelerate as more hardware providers and software companies realize that going it alone will only leave them out in the cold, and that deep, coherent integration is the only route to success in a world that is dominated by major players that do the bulk of the purchasing of their products.
Another primary driver will be the risk profile of cloud providers and the threat of litigation when breaches do occur. The acceleration vector and the attack plane increase as the size of the infrastructure escalates; the threat to a large cloud provider is exponentially greater than the threat to a typical organization. If a breach occurs, it could affect thousands of tenants in the cloud and expose millions of data points to a hacker. Consequently, cloud providers will have to take a more cogent and proactive approach to the technology they use and integrate into their cloud infrastructures. Their approach to security will be much more coherent than that of the millions of SMBs out there that rely upon Symantec and out-of-the-box Oracle configurations for security.
The third major player in cloud security will be government regulations. As more and more government entities push their operations and data into the cloud, a tighter and clearer organizational design will emerge with respect to cloud security. Although governments may not mandate an over-arching security apparatus that all components must subscribe to, they will ensure that the data is secure beyond promises to do no evil; federal dollars and federal remedies for non-compliance will be a primary incentive for cloud providers to push changes to these loosely crafted security architectures. If the government is smart and hires people like me to help manage the security transition, we will see a slow but inexorable trek towards a security model that ties these disparate pieces of hardware and code together into a security model that actually reflects defensive perimeters and internal logical controls that track anomalies and bad behavior.
Finally, the one thing that will be a game changer for the security world beyond any of these other possibilities will be the advent of big data and the data-intensive software processing capabilities of applications like Hadoop. Today, audit logs sit quietly in the nether chambers of your data stores, spinning quietly on SATA disk, accessed only when a bored administrator has time to kill. In the future, Hadoop-like applications will constantly be monitoring these logs and looking for anomalies and indicators of inappropriate usage or access of information. As the infrastructure grows and the size of the data increases, the logic engine behind these big data machines will only get smarter, faster, and more efficient. As cloud computing will change the face of the compute landscape, so too will Big Data change the way that decisions are made and executed. It is only a matter of time before audit logs are subsumed into real-time monitoring of everything that is going on in the infrastructure, and a Tron-like MCP seeks out and destroys viruses, Trojan horses, sniffers, and other mechanisms of data exploitation.
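The kind of continuous check the paragraph above describes, as an added example that is not from the post: a small streaming monitor in Python that reads audit-log lines as they arrive and flags three patterns a defender would want surfaced at once rather than found in an autopsy. The log lines, their field layout (timestamp, user, action, source host), the user and host names, and the thresholds are all constructed for illustration and stand in for whatever a real log source and baseline would supply.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit records (not real data): "<ISO timestamp> <user> <action> <source host>"
SAMPLE_LOG = [
    "2024-01-01T09:00:01 alice LOGIN_OK 10.0.0.5",
    "2024-01-01T09:05:10 alice READ 10.0.0.5",
    "2024-01-01T09:06:10 alice READ 10.0.0.5",
    "2024-01-01T09:30:00 bob LOGIN_OK 10.0.0.7",
    "2024-01-01T09:31:00 bob READ 10.0.0.7",
    "2024-01-01T10:00:00 alice LOGIN_FAIL 203.0.113.9",
    "2024-01-01T10:00:02 alice LOGIN_FAIL 203.0.113.9",
    "2024-01-01T10:00:04 alice LOGIN_FAIL 203.0.113.9",
    "2024-01-01T10:00:06 alice LOGIN_FAIL 203.0.113.9",
    "2024-01-01T10:00:08 alice LOGIN_FAIL 203.0.113.9",
    "2024-01-01T10:00:10 alice LOGIN_OK 203.0.113.9",
] + [
    # A bulk export right after the suspicious login: 25 reads in 25 seconds.
    f"2024-01-01T10:00:{11 + i:02d} alice READ 203.0.113.9" for i in range(25)
]


def parse_line(line):
    """Split one constructed log line into (timestamp, user, action, host)."""
    ts, user, action, host = line.split()
    return datetime.fromisoformat(ts), user, action, host


class AuditMonitor:
    """Keeps per-user state between lines so each record is judged in context."""

    def __init__(self, fail_threshold=5, fail_window=timedelta(seconds=60),
                 read_burst=20, read_window=timedelta(seconds=60)):
        self.fail_threshold = fail_threshold
        self.fail_window = fail_window
        self.read_burst = read_burst
        self.read_window = read_window
        self.known_hosts = defaultdict(set)   # user -> hosts with a prior successful login
        self.fails = defaultdict(deque)       # (user, host) -> timestamps of recent LOGIN_FAIL
        self.reads = defaultdict(deque)       # user -> timestamps of recent READ
        self.read_alerted = set()             # users already flagged for the current burst

    @staticmethod
    def _expire(queue, now, window):
        """Drop timestamps that have fallen out of the sliding window."""
        while queue and now - queue[0] > window:
            queue.popleft()

    def process(self, line):
        """Return a list of (alert_kind, user, host) tuples raised by this line."""
        ts, user, action, host = parse_line(line)
        alerts = []
        if action == "LOGIN_FAIL":
            queue = self.fails[(user, host)]
            queue.append(ts)
            self._expire(queue, ts, self.fail_window)
        elif action == "LOGIN_OK":
            # Rule 1: a run of failures from this host followed by a success.
            queue = self.fails[(user, host)]
            self._expire(queue, ts, self.fail_window)
            if len(queue) >= self.fail_threshold:
                alerts.append(("guessing_then_success", user, host))
                queue.clear()
            # Rule 2: success from a host this user has never logged in from
            # (only once a baseline of at least one earlier login exists).
            if self.known_hosts[user] and host not in self.known_hosts[user]:
                alerts.append(("new_source_host", user, host))
            self.known_hosts[user].add(host)
        elif action == "READ":
            # Rule 3: a burst of reads within the window, reported once per burst.
            queue = self.reads[user]
            queue.append(ts)
            self._expire(queue, ts, self.read_window)
            if len(queue) >= self.read_burst:
                if user not in self.read_alerted:
                    alerts.append(("bulk_read", user, host))
                    self.read_alerted.add(user)
            else:
                self.read_alerted.discard(user)
        return alerts


def run(lines):
    """Feed lines through one monitor in order and collect every alert."""
    monitor = AuditMonitor()
    alerts = []
    for line in lines:
        alerts.extend(monitor.process(line))
    return alerts


if __name__ == "__main__":
    for kind, user, host in run(SAMPLE_LOG):
        print(f"ALERT {kind}: user={user} host={host}")
```

On the constructed log the monitor raises three alerts, all for alice from 203.0.113.9: the guessed-then-successful login, the never-before-seen source host, and the read burst that follows. The point of the design is that none of the three can be seen in a single log line; each needs state carried across records, which is exactly what a batch-at-month-end review of the same log cannot provide and a streaming engine can.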
Ok, so maybe the Tron thing is a couple of years out, but it’s coming.
It’s a new world order, people. Security is not so good today; things fall apart, and the center cannot hold. But the dreams that tomorrow brings are of integration, automation, and smart computing. Decision making is no longer a product of qualitative analysis, but is made after the instantaneous evaluation of a billion data points. Security will not be a discipline anymore, but rather will have a framework that any software developer or hardware engineer will be able to design against, and all of that data will be used intelligently to protect the assets of the organization. Of course, Anonymous will come up with new tools that will try to exploit whatever holes they can find, but the days of social engineering and script kiddies are slowly coming to an end. So if your data is stolen, you can at least take some consolation in that the person that took it knew what the hell he was doing.
Jamal is a regular commentator on the Big Data industry. He is an executive and entrepreneur with over 15 years of experience driving strategy for Fortune 500 companies. In addition to technology strategy, his concentrations include digital oil fields, the geo-mechanics of multilateral drilling, well-site operations and completions, integrated workflows, reservoir stimulation, and extraction techniques. He has held leadership positions in Technology, Sales and Marketing, R&D, and M&A in some of the largest corporations in the world. He is currently a senior manager at Wipro where he focuses on emerging technologies.
(Image credit: Brian Klug, via Flickr)