Insecurity through maturity obscurity. That’s my quip conclusion about the history of IT security, after researching briefly into the history of security tools deployed over the years.
If diagrammed out, the history of IT security would look like an aspen forest, not a tree. Thousands of different security products, with varied maturities of each product, obscuring the picture of security. But why is an aspen forest a fitting metaphor?
First, because an aspen forest is actually a single living organism. In fact, an aspen named Pando in Utah is the largest and oldest living organism on earth. It is estimated at over 80,000 years old, with over 40,000 trunks spread over 100+ acres, and weighs over 6000 tons. The second reason, I’ll get to in a minute.
The aspen forest insecurity through maturity obscurity point is this. Although all the security products in an IT ecosystem are intended to be one organism, when looked at with the untrained eye they resemble a forest of separate organisms. A confusing forest to the untrained eye. The trained eye can see the single organism; it understands the root system binding it together under the surface. But to everyone else, it’s a forest not to be wandered too deeply into.
So, as security products matured and spread, the once-simple anti-virus “aspen tree” became a forest of versions, signatures, updates, and other “trunks and roots.” Okay, enough about aspens.
Now onto the second part
Fueling this obscurity confusion is the nature of security itself. Security, whether in IT or the martial arts, has always been defined by the battle space upon which it is overlaid. Hence, the surface of the battle space defines the scope of what must be understood in order to understand the security required and its components.
In a world filled with segregated and isolated networks, as was common before the internet, one simply had to understand each network to understand the security requirements necessary to defend it.
Then came the internet
All those different ecosystems, interconnected. An interwoven formula for confusion. That’s where the technology world has been for just over two decades. The obscurity and confusion today are rampant – made more so by a myriad of rapid changes in the capabilities and communications taking place across all levels of the OSI stack that creates today’s cyberspace.
Enter, the cloud
The good news is the cloud, by its very nature, is a simplifying force in the security picture.
Simply put, in a cloud ecosystem the players, their locations, and their roles across the ecosystem are all determined by the structure of the ecosystem. Think of Apple’s controlled ecosystem, but on a much larger and, albeit for now, less controlled scale. But make no mistake, the defining and controlling of the cloud space is well underway.
Which brings me to this point – get in the cloud
Granted, when the cloud was nascent, on-premises solutions were much more capable across the spectrum of business platform needs and security requirements.
However, today that is no longer the case. Virtualization has transformed the capabilities, efficiency, and elasticity of “the cloud.”
And now, Microsoft’s suite of security services to protect its Azure ecosystem has matured to the point of delivering a more robust, flexible, and effective security solution than all but the most well-funded on-premises ecosystems can create.
However, there’s one challenge to this security situation that has yet to go away
There is still a sizable collection of service options to choose from and combine to create a desired security profile. And the creation decisions are driven by looking at your data significance, your risk factors and tolerances, your business needs, and understanding each of the security-related services in Azure that are needed to secure your important business data and the privacy of your clients.
The good news is the defined ecosystem of the cloud, e.g. Azure, means the solution options become more clearly defined and more tightly integrated.
Which means designing security solutions is no longer constrained by the challenges of fitting various vendor technology pieces together. Because the ecosystem has forced the fitting together, the design of the security solution can more readily be focused on creating a holistic framework integrating and incorporating GRC policies, controls, and risk rules to meet business, regulatory, and privacy needs. It also means the ability to create a picture of the activities going on in the ecosystem is much greater and more tightly integrated.
For help putting together Microsoft’s security services – like OMS, Azure AD Premium, Cloud App Security, Conditional Access, BitLocker, Advanced Threat Analytics, Advanced Threat Protection, Security & Compliance, Security + Identity, and Intune – to name just a few – call us at 630.832.0075. Our vCISOs and security engineers can take the confusing array of capabilities and options that create the FUD (Fear, Uncertainty, Doubt) of security, and hone them into a holistic security and IT solution for your business needs. Email us at email@example.com
So don’t go wandering alone in Pando. Not only might you get lost, but you will likely miss some of the more important spots in the forest to see.