The “Dynamic Tower”: Security as a Process
The Security for Business Innovation Council report published last week lays out a roadmap for “Getting Ahead of Advanced Threats” (as the report title puts it). One of the most important recommendations in that report is captured by Roland Cloutier, VP and CSO of ADP Inc, when he says: “you have to have the resources and a process for risk decision-making that enable rapid changes to your protection platform.” That is, the roadmap in the report doesn’t lead to a static, unchanging security monolith. It’s a model for a process that builds dynamism into security, not unlike the architectural model of the Dynamic Tower that David Fisher has designed for Dubai.
The Dynamic Tower is a skyscraper that will continually change shape. The building certainly has physical presence and a specific location. It’s built of steel and glass and concrete, not protoplasm or jello. But nonetheless, David Fisher has designed a building that instantiates a process; it’s the process that enables the continual transformation of the building.
Effective security needs to instantiate a process as well, a process that enables technology, business process and people to change and adapt as the threat landscape and the needs of the business change. Whether it’s a user deciding whether to click on an attachment in an email message, a Critical Incident Response Center team deciding what events to investigate in detail or a Chief Security Officer deciding what technology investments to make, we have to respond dynamically to the situations we face.
That’s why the welcome page for our IT Central highlights security best practices and guidelines for EMC employees, giving us the guidance to make effective security decisions in our everyday life. Security at the enterprise level has to be as dynamic as our individual responses to the security situations and decisions that each of us confronts, minute-to-minute and day-to-day.
EMC has been pursuing a transformation of IT that builds in this same dynamism, a transformation that Chuck Hollis has been exploring in his series of blogs on transforming to an ITaaS model, a great discussion of what EMC IT has done and why. For example, the capabilities in the Cloud9 Sandbox for rapid, temporary allocation of virtual resources make it easy to stand up a testbed or prototype without exposing EMC innovation to security risks.
It’s a question of mind-set, of viewing IT as a whole and security in particular as a process, of instantiating a dynamic and responsive system rather than laying out a static and unchanging architecture that’s “built in stone”.
Several years ago, not long after PCI DSS V1.1 was released, I worked with a number of colleagues at RSA and Cisco to put together a reference architecture for PCI DSS compliance. We wrote a detailed document, some 300 pages long, that provided best practices for network segmentation, data isolation, log collection, identity credentialing and other requirements of the standard — including a great discussion of key management, with gory details of what to look for in the RSA Key Manager log to confirm successful key-related operations. But did it talk about server virtualization? Nope. Tokenization? Nope. Does that mean the effort wasn’t worthwhile? Not at all. But the limitations in that static architecture point up how important it is to think about security as something inherently dynamic and responsive.
As William Boni, CISO and VP of Enterprise Security for T-Mobile, puts it in the report: “The process needs to be fast, fluid, and enable dynamic response – not be fixed, rigid, or stratified.” Envisioning security as a process can help us ensure that dynamic response, making change our ally rather than an obstacle.