We still talk about security as though it were a separate, compartmentalized function of information technology.
There are the people who build software, the folks who monitor and manage the infrastructure, the data scientists who make all those great animated charts for the annual presentations, and the magical people who build and repair systems.
And let’s see, I left out somebody. Oh yeah, security guys.
Who Are These Guys?
Even in the process of planning and producing articles about information security, there is a noticeable switch to a unique motif, and a refocusing of the lens of attention upon folks best characterized in silhouettes and cameos: “hackers,” cyber-terrorists, think tanks stuffed with anti-social geniuses, whiz kids with classified résumés.
The most-used image in the clip art or still store library of almost any CMS belonging to a web tech publication is the one with the guy in the fedora and sunglasses trying to guess the CompuServe password.
Immediately, we imagine a whole universe of people other than ourselves, about as realistic as Lord of the Rings but only about as exciting as reality television.
This is where things start to go wrong from the very beginning.
After having covered the RSA Security conference in 2012, I wrote an op-ed for a now-defunct publication (there are more of those now than the other kind), where I said my hopes for a refocusing on security had been renewed.
Cloud technologies — or what I call “cloud dynamics” (the science behind the tech) — were successfully reconstructing the universe in which information security takes place.
“Securing the perimeter” was beginning to sound old-hat and out of place, like a rerun of Lawrence Welk on PBS’ Saturday schedule.
I’d link to the page but it no longer exists. (One wishes the same could be said of “champagne music.”)
Here’s part of what I wrote: “Security is not (thankfully) a service of anyone’s public relations department. For once, the businesspeople who have their minds fine-tuned to this problem are asking the right questions.
“The most important of these questions, in my opinion, is this: If in every massive breach incident, the fault can be traced to design, then why can’t cloud architectures enable designs for a virtual envelope that have no practical correlation — that are physically impossible?”
In successive years, this question has been asked and answered. The “virtual envelope with no practical correlation” is a data center architecture whose virtual configuration has no one-to-one bearing or relationship with physical servers.
If you’re a CMSWire reader, you’ve already guessed what I’m talking about: containerization, championed by Docker Inc. and either willingly embraced or reluctantly adopted by the rest of the data center industry.
Completely rethinking the architecture of the data center has mandated a total overhaul of the very concept of security. Sure, we’ve had our debates about whether certain aspects of Docker are as secure as we’d like for them to be.
But by re-orchestrating workloads with tighter and more granular automation, we’ve already begun devising global, scalable systems where workloads are secure to begin with.
What do I mean by “secure”? In over three decades of work, I’ve had to ask and answer that question a thousand times over.
Here’s a definition you can take to the bank: A secure system is one whose intentional use does not cause damage or loss, and for which unintentional use would require more effort than is justified by its reward.
Containerized environments go hand-in-hand with continuous integration and continuous deployment. It’s through the constant, reiterative CI/CD process that secure processes and practices get baked into new software and services.
So we really are working towards a more secure data center and a more reliable, efficient, and safe IT environment. That’s good news for the people who build software, the infrastructure admins, the data scientists, and the systems builders.
Did I leave anyone out?
King of the Mountain
In a few weeks’ time, all the various factions of the IT security industry will meet once again in San Francisco for RSA 2016.
When you work in an industry whose key value proposition is threatened by the evolution of technology, you do what you can to avoid walking gently into that good night, towards the realm of defunct IT publications and Lawrence Welk albums.
Thank heavens there are still security breaches happening everywhere; otherwise, who knows where the security industry would be today?
The “perimeters” of the modern data center don’t really exist anymore (thus, the “cloud” metaphor).
As the job of security passes from a separate department of folks in silhouettes wearing fedoras and sunglasses, to groups of otherwise better-dressed folks like developers, admins, and CIOs, it becomes much more difficult to play the old-fashioned role of Chief Information Security Officer.
On Thursday, CMSWire’s Joe Shepley advised CISOs to “Get your house in order,” “Deliver business value,” and “Gain authority.”
But authority over what? The data center is no longer a castle to be defended, a perimeter to be monitored, a territory to fight and die for.
The CISO role is in danger of obsolescence, like a civil defense officer. If all the CISO is enabled to do is act as a uniformed patrol officer, reminding DevOps and developers that “Security is A-OK!” then we actually end up deterring the adoption of best practices, and working against the real accomplishments we’ve made in the past five years.
But a person in charge of information security is extremely critical to the efficiency and resilience of an organization.
It’s just that the meaning of “organization” has changed along with the meaning of “data center.”
The IT security products industry, as we have come to know it, has been sustained by the persistent need for vigilance and best practices after software has already been deployed, and after networks have been built. But even networks are software-defined today.
RSA 2016 will tell us whether the industry we had a habit of leaving out of the IT discussion will end up locking itself out for good.
Title image "Mr. Civil Defense Tells Us About Natural Disasters" from a digital copy of a real 1956 publication, available for download from The Digital Deli Too