We employ a lot of militaristic terms in the IT security sector, and the language of defense is robust in part because it draws upon a rich history of technical innovations.
When we talk about the future of IT, it’s hard not to think about cloud infrastructure, so when we’re exploring the growth of cloud resources, I’d suggest that it may also be worth having a look back to our past to see what lessons we can learn from the history of protecting our valuable technology assets.
So, can we learn anything from an early engine of change – the motor car – and the history of armored vehicles?
As far back as the Middle Ages, “war wagons” would add steel plates to vehicles to become a formidable adversary on the battlefield. At the beginning of the 20th-century, petrol engines meant more powerful designs, but many “armored cars” were largely still just armored plates added to existing cars – quite often with mixed results, as early designers experimented with getting the right balance of protection and practicality.
As engines progressed, armor could be improved further, but even the best-built vehicles still had weak points that their operators needed to be aware of to avoid unnecessary risk to their cargo.
As you move to the cloud, your own ICT armor will need to be updated to reflect cloud powered infrastructure. New operating systems, storage types, etc. are all exciting opportunities to expand your network capability, but ensuring that you identify where the chinks in your armor exist remains key – your vulnerability management tools should give you clear indicators of where those are, so you can prioritize and develop any suitable countermeasures.
This can be as simple as scoring vulnerabilities based on the amount of risk they expose you too.
The Lesson: Expanding your capability requires additional maintenance and thought about how you protect your assets. Chinks in your armor are what the enemy will exploit – minimizing gaps means reducing unnecessary exposure.
Mobility and reliability
Heading further into the 20th century, improved engineering and construction meant that armored vehicles rapidly grew in popularity. Having more vehicles on the battlefield allowed for great specialization and further tactical flexibility but also meant that whole new sets of skills were required including significant investment in engineering talent and tools. The British Army created it’s Royal Armoured Corps in 1939 by merging its regiments of cavalry and tank corps to reflect the changes in specializations.
Spinning up cloud servers and resources quickly and easily presents fresh challenges to your security tools –and offers an opportunity to make sure that your team has the right skills and processes available to support a growing and ever-changing infrastructure.
DevOps-oriented security tools and flexible licensing that allow you to scan throughout the development and testing phase are useful ways to make sure that compliance and security scans can happen all the way through the lifecycle of your cloud assets to better reflect the new engines.
Lesson: Make sure you’ve got the skills to back your new cloud security deployments and that your engineers have the tools to implement the best security practices easily.
As time went on, more and more specialization came about. Smaller and more mobile armored vehicles were joined by larger, slower but more heavily armored tanks. Where regular weapons were once just strapped to vehicles, they later became tailored to reflect the specific needs of the underlying platforms/chassis.
Your cloud security toolsets need to offer similar forms of specialization – if you just keep using the same toolkit and techniques, you risk ever-widening gaps developing over time. If your security products don’t support cloud asset assessment, for example, you could be in trouble as new initiatives drive the expansion of your cloud investment.
Equally, it’s important to make sure your strategies for managing new devices include support for faster provisioning of servers and applications.
Lesson: Your existing security tools will probably work – but they should be tested and refined to reflect their new usage. Plan ahead for great specialization and make sure your security tools are offering cloud support even if you don’t intend to use it straight away.
Armored cars for the masses…
In recent history, most people might not even recognize some classes of armored cars, as bulletproof glass gets added to specialized variants of every-day-road cars – what was once restricted to the military is now within the reach of those who can afford the protection. But with this change, new sensibilities are required. The rich and famous who are often buying these vehicles aren’t willing to compromise on comfort, and the practical features are seen on normal consumer vehicles.
Making these cars comfortable enough for pop stars to use meant building in all the modern conveniences they expected. Your security tools need to offer similar levels of comfort. As we encourage more parts of the business to become more security-aware, it becomes more and more important that the tools we offer can be used and understood by a wider audience.
Where once the SOC team might have worked in isolation scanning assets, now DevOps users can take security scanning into consideration when testing their deployments, presenting a need to make tools that can present security information in a way that is actionable not just by security specialists but also by developers.
Lesson: Empowering your users with security tools allows for a whole new class of security. Making sure your tools are easy to use and integrate into new areas of the business is key.
Standing the test of time
People are still prone to quote from the Art of War and for good reason – wise words typically stand the test of time. When it comes to securing your cloud infrastructure, there are lessons that can be learned from over 100 years of armored vehicle design, and whilst I doubt today’s Server Hardening Guidelines will stand the test of time quite as well as Sun Tzu, there is still plenty of wisdom we can apply even when we’re building our security in an ever more rapidly changing and challenging environment.
To quote the man himself: “In the midst of chaos, there is also opportunity!”