I was reading a blog from Dark Reading this morning where the author was describing the output of a CISO panel that he hosted. One of the points that the panel brought up was that the old description of the perimeter had changed. I agree, though that thought process had changed a number of years ago. So my question now is, “Where, exactly, is the Edge now?”
Now, let me be clear when I say the entire concept of edge protection changed years ago and that this is not a new concept. It used to be that you had an external firewall and that firewall defined where the outside edge of your network was. But along came mobile devices. All of a sudden, you had cell phones and laptops that were connecting into your environment from the other side of the world. Where was the edge then?
More recently (and by recently, I mean in the last 5 years), we have seen the growth of Cloud services. So, now, you have your data residing in other people’s environments. So, while we may have been able to define a clear line using “physical” devices such as tablets, how do you define a clear line with a “nebulous” concept such as data? You end up having a clear connection between physical infrastructures of companies but lack a demarcation of where data resides.
This ends up blurring the lines of cybersecurity. For a Security Architect, that means you have to “follow the money”, so to speak. You have to follow the data and ensure the DATA is secured, regardless of where that data is located. Data is king because that is what is important, not the actual devices themselves. Configuration and hardening are all fine and good, but that is done for the simple reason of securing data.
Look, a decade ago, security was protecting websites from defacement, not because of being embarrassed by being hacked but because you wanted to control the message or “information” that was being communicated by your company. If someone changed the website for their own purposes, then you lost control of the message and it changed from “this is our business model” to “we can’t guarantee we can serve you”. It was about communication.
Now? Well, now we have to still be able to do that but in a much more subtle way. We may have data in a Cloud Service Provider but if that Cloud Service Provider can’t protect your data, your ability to “guarantee we can serve you” is communicated by your actions or lack thereof, rather than some direct messaging. The edge? Well, the edge now becomes your Partner.
So now we have a bigger issue. You have discrete organizations but indiscrete data. Where does one Security Architect’s job end and another’s start? Remember, when you are responsible for securing data, you have to have a seamless solution. At what point do you have a Security Architect responsible for both situations, not just for one organization?
I would suspect that we are going to start seeing a different type of security organization, one that is responsible for an entire ecosphere of data. You could almost think of some sort of international organization like NATO or Interpol where there is a “Circle of Trust” (term borrowed from Federation) and a security organization is responsible for the security of that Circle of Trust. It requires an agreed, consistent application of security guidelines that each organization is aligned with, but the security is handled by that one Circle of Trust security group. It’s the only method that I can think of that makes sense with regard to following data from one organization to another.
Data will probably become a form of monetary currency and the information will be passed from one organization to another, manipulated and acted on. There will probably be one bigger player in the Circle and they will drive the actions of the smaller players.
But what happens when the smaller players are parts of a divergent Circle of Trust? My head is starting to hurt!
The edge of the organization is no longer in the same form as it once was. We now have to look ahead and figure out how to deal with the flow of company data and how that protection flows from one organization to another. And THAT is what will define the edge.
Hope that helps …