The Five I’s of Security


When security is treated as “lip service”, something to be done because it must be done, you are doomed, or at least in a very bad place, when data breaches and audit failures arrive. Do not start thinking about security after you build your application or solution. Executives’ favorite topic these days is compliance certifications. I refer people to the “Kangaroo Pouch Envy” Seinfeld episode; you cannot be envious of other people’s compliance certifications and drive the team to get those certifications rather than build a robust and secure system. People ask me what kind of security team we need. Build a security team that keeps an eye on these five I’s of security:

1. Inventory and Configuration Management

Inventory management is probably the most important aspect of security. If we do not know our inventory, we do not know what we are protecting. Unknown inventory not only raises security risk, it also leaks money: you are paying for assets without knowing what you are paying for. That cost problem is more pervasive in the cloud, where it inflates opex (operational expenses). Once we know our inventory, and manage it centrally, we need to know how to configure each item correctly. This can be as simple as replacing default passwords. We need a security expert who understands inventory and configuration at every level: VMs (virtual machines), operating systems, containers, the supply chain, code, CI/CD (continuous integration and continuous delivery), vulnerability management, and so on. The cloud-native world makes inventory and configuration management simpler and harder at the same time. It is simpler because most cloud providers offer tools for tracking inventory and configuration. It is harder because inventory and configuration are far more dynamic. Also, there are not many security experts who understand both the legacy world and the cloud-native world, which matters most when we are dealing with a hybrid cloud.
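As an added example (not code from the original post), the following Python reconciles a constructed cloud-provider asset list against a constructed central inventory (CMDB) and flags the conditions the paragraph warns about: assets nobody recorded or owns (which are also the ones you pay for without knowing), default credentials still in place, mutable container image tags, a production database exposed to the internet, and inventory records with nothing running behind them. The asset fields, finding names and sample data are assumptions made for illustration.

```python
"""Inventory reconciliation: compare what the cloud provider says is running
with what the central inventory (CMDB) says we own.

Added illustration; the asset fields, finding names and sample data below are
constructed for this example and are not from the original post."""

# Constructed: the cloud provider's view of currently running assets.
CLOUD_ASSETS = [
    {"id": "vm-001", "type": "vm", "tags": {"owner": "payments", "env": "prod"},
     "default_admin_password": False},
    {"id": "vm-002", "type": "vm", "tags": {"env": "dev"},
     "default_admin_password": True},                 # unowned, still on the default password
    {"id": "ctr-017", "type": "container", "tags": {"owner": "fraud", "env": "prod"},
     "image": "registry.example/app:1.4.2"},
    {"id": "ctr-018", "type": "container", "tags": {"owner": "fraud", "env": "prod"},
     "image": "registry.example/app:latest"},         # mutable tag: supply-chain drift
    {"id": "db-009", "type": "database", "tags": {"owner": "payments", "env": "prod"},
     "public_endpoint": True},                        # prod database reachable from the internet
]

# Constructed: the identifiers the central inventory believes exist.
CMDB = {"vm-001", "ctr-017", "ctr-018", "db-009", "vm-042"}


def reconcile(cloud_assets, cmdb):
    """Return sorted (asset_id, finding) pairs for everything that needs action."""
    findings = []
    running = set()
    for asset in cloud_assets:
        aid = asset["id"]
        running.add(aid)
        tags = asset.get("tags", {})
        if aid not in cmdb:
            # Running and billed, but nobody recorded it: unknown attack
            # surface and unknown cost at the same time.
            findings.append((aid, "unknown_to_cmdb"))
        if "owner" not in tags:
            findings.append((aid, "no_owner_tag"))
        if asset.get("default_admin_password"):
            findings.append((aid, "default_credentials"))
        if asset["type"] == "container":
            # Only the part after the last '/' carries the tag, if there is one.
            name = asset.get("image", "").rsplit("/", 1)[-1]
            if ":" not in name or name.endswith(":latest"):
                findings.append((aid, "mutable_image_tag"))
        if asset.get("public_endpoint") and tags.get("env") == "prod":
            findings.append((aid, "public_prod_exposure"))
    for aid in cmdb - running:
        # Recorded but not running: decommissioned without updating the
        # inventory, or running somewhere the provider query did not cover.
        findings.append((aid, "in_cmdb_not_running"))
    return sorted(findings)


def findings_by_owner(cloud_assets, findings):
    """Group findings by owner tag so each team gets its own action list."""
    owner_of = {a["id"]: a.get("tags", {}).get("owner", "UNOWNED") for a in cloud_assets}
    grouped = {}
    for aid, what in findings:
        grouped.setdefault(owner_of.get(aid, "UNOWNED"), []).append((aid, what))
    return grouped


if __name__ == "__main__":
    for owner, items in findings_by_owner(CLOUD_ASSETS, reconcile(CLOUD_ASSETS, CMDB)).items():
        print(owner)
        for aid, what in items:
            print(f"  {aid:10s} {what}")
```

In practice the two inputs come from the provider's asset API and the CMDB export, and the "UNOWNED" bucket is the one to chase first: nobody is patching those assets and nobody is questioning their bill.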

2. Identity and Access Management

Identity and access management (IAM) is another huge and broad area that requires a dedicated security expert. If we fail here, or have a weak IAM solution, we are handing over the “keys to the kingdom”. IAM should include secrets management, authentication, authorization, access control, and so on. First of all, we must know every identity that is allowed in the “kingdom”. Next we need to manage the life cycle of each identity from creation to deletion, including logging every identity that accesses critical data and infrastructure. The hybrid cloud world makes identity management much more difficult. Identity has become the “new perimeter”, especially in the “zero-trust world”. We need a dedicated security expert who looks at IAM at every level and every access point. Many standard security control catalogs emphasize the importance of IAM (e.g., the NIST 800-53 AC and IA control families).
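As an added example (not code from the original post), the following Python performs the two identity reviews the paragraph asks for over constructed data: a life-cycle sweep that flags identities that were never used, have gone stale, or whose owner has left the company, and a check of the critical-data access log against the list of identities known to exist and the allowlist for each critical resource. The identity fields, resource names, thresholds and sample records are assumptions made for illustration.

```python
"""Identity life-cycle review and critical-access check.

Added illustration; identity fields, resource names, the 90-day staleness
threshold and all sample records are constructed and not from the original post."""
from datetime import date

# Constructed: the identities the IAM system currently knows about.
IDENTITIES = [
    {"name": "alice",      "kind": "human",   "owner": "alice", "last_used": date(2024, 5, 30)},
    {"name": "bob",        "kind": "human",   "owner": "bob",   "last_used": date(2023, 11, 2)},
    {"name": "svc-etl",    "kind": "service", "owner": "alice", "last_used": date(2024, 6, 1)},
    {"name": "svc-report", "kind": "service", "owner": "carol", "last_used": date(2024, 6, 10)},
    {"name": "svc-legacy", "kind": "service", "owner": "bob",   "last_used": None},
]

# Constructed: people who have left; any identity they own is now orphaned.
LEAVERS = {"carol"}

# Constructed: which identities may touch each critical resource.
CRITICAL_ALLOWLIST = {"cardholder-db": {"alice", "svc-etl"}}

# Constructed: access log for critical resources as (day, identity, resource).
ACCESS_LOG = [
    ("2024-06-14", "alice",   "cardholder-db"),
    ("2024-06-14", "svc-etl", "cardholder-db"),
    ("2024-06-15", "bob",     "cardholder-db"),
    ("2024-06-15", "mallory", "cardholder-db"),
]


def review_identities(identities, access_log, allowlist, leavers, today, stale_days=90):
    """Return (identity, finding) pairs for life-cycle and access problems."""
    findings = []
    known = {i["name"] for i in identities}

    # Life-cycle sweep: every identity must be in use and have a present owner.
    for ident in identities:
        last = ident["last_used"]
        if last is None:
            findings.append((ident["name"], "never_used"))
        elif (today - last).days > stale_days:
            findings.append((ident["name"], "stale_disable"))
        if ident["owner"] in leavers:
            findings.append((ident["name"], "orphaned_owner_left"))

    # Access check: critical resources are only reached by known, allowlisted identities.
    for _day, who, resource in access_log:
        if who not in known:
            findings.append((who, f"unknown_identity:{resource}"))
        elif who not in allowlist.get(resource, set()):
            findings.append((who, f"not_allowlisted:{resource}"))
    return findings


def run_review():
    """Run the review over the constructed data with a fixed 'today'."""
    return review_identities(IDENTITIES, ACCESS_LOG, CRITICAL_ALLOWLIST, LEAVERS, date(2024, 6, 15))


if __name__ == "__main__":
    for name, what in run_review():
        print(f"{name:12s} {what}")
```

The "unknown_identity" finding is the important one: an access that the IAM system cannot attribute to any identity it manages means the access log and the identity store disagree, and one of them is wrong.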

3. Information Security

Another broad area that needs a dedicated security expert is information security. This includes protecting sensitive data in transit and at rest. The biggest fear for any company is a front-page headline in the Wall Street Journal (WSJ) about its data breach. Many compliance regimes (e.g., PCI DSS, HIPAA, and GDPR) are dedicated to protecting sensitive data, including Personally Identifiable Information (PII) and Sensitive Personal Information (SPI). We need to hire a security expert who understands information security, including key management, PKI (Public Key Infrastructure), TLS (Transport Layer Security), cryptography, FIPS 140, and the related NIST controls.

4. Interconnection and Network Security

IAM provides protection at the identity perimeter of the zero-trust model, but we also need protection at the interconnection and network level. Zero trust pushes the boundary of interconnection outside the traditional network boundary (such as the DMZ). Since the COVID-19 pandemic there is very little difference, from a networking point of view, between what is inside the perimeter and what is outside it. We need a dedicated network security expert who understands the security implications of interconnection and network boundaries. This should include network configuration at all layers of the OSI model, IPsec, TLS, network access control, VPNs, edge computing security, and so on.

5. Incident Response and Auditing

Incident response is critical to ensuring that we identify security incidents and respond to them in a timely fashion. We need a security expert who understands PSIRT, CSIRT, auditing, logging, and monitoring. This is a 24x7x365 job. Incident response is not just a role at the security operations level; we need to think about incident response from the design stage onward. This includes building automation at every stage that provides deep insight into every aspect of incident response. In the hybrid-cloud world we need someone with a deep understanding of AI (artificial intelligence) and automation who can correlate events and logs at every level. Of the five I’s of security, incident response and auditing is probably the most stressful job. We need to build security automation with Serviceability (customer-centric security), Observability (inferring a system’s internal state from its observable outputs alone), and Controllability (being able to drive the system’s internal state where we need it using its inputs) in mind.
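As an added example (not code from the original post) of the event correlation the paragraph calls for, the following Python parses constructed SSH authentication log lines and raises an alert when a source address accumulates a threshold of failed logins inside a sliding time window and then succeeds, which is the password-spraying-followed-by-compromise pattern that single-event alerting misses. The log layout, the five-failures-in-five-minutes threshold and the sample lines are assumptions made for illustration.

```python
"""Correlate failed logins with a later success from the same source.

Added illustration; the log format, threshold, window and the sample lines
below are constructed for this example and are not from the original post."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log (not real traffic) in a syslog-like layout.
SAMPLE_LOG = """\
2024-06-15T09:40:12Z sshd[311]: Failed password for root from 203.0.113.7 port 40122
2024-06-15T10:00:01Z sshd[412]: Failed password for admin from 203.0.113.7 port 40211
2024-06-15T10:00:09Z sshd[413]: Failed password for alice from 203.0.113.7 port 40212
2024-06-15T10:00:20Z sshd[414]: Failed password for bob from 203.0.113.7 port 40213
2024-06-15T10:00:31Z sshd[415]: Failed password for alice from 203.0.113.7 port 40214
2024-06-15T10:00:44Z sshd[416]: Failed password for alice from 203.0.113.7 port 40215
2024-06-15T10:01:03Z sshd[420]: Failed password for dave from 198.51.100.9 port 51001
2024-06-15T10:01:15Z sshd[421]: Accepted password for dave from 198.51.100.9 port 51002
2024-06-15T10:02:58Z sshd[430]: Accepted password for alice from 203.0.113.7 port 40220
2024-06-15T10:05:00Z sshd[431]: Accepted publickey for carol from 192.0.2.33 port 60000
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) (?:password|publickey) "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_line(line):
    """Return a dict for an auth event, or None for lines we do not understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def detect_bruteforce_success(log_text, threshold=5, window=timedelta(minutes=5)):
    """Alert when a source has >= threshold failures within `window` and then succeeds."""
    failures = defaultdict(deque)   # src -> timestamps of recent failures, oldest first
    alerts = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        recent = failures[ev["src"]]
        # Drop failures that have aged out of the window before deciding anything.
        while recent and ev["ts"] - recent[0] > window:
            recent.popleft()
        if ev["result"] == "Failed":
            recent.append(ev["ts"])
        elif len(recent) >= threshold:
            alerts.append({
                "src": ev["src"],
                "user": ev["user"],
                "failures": len(recent),
                "ts": ev["ts"].isoformat(),
            })
            recent.clear()   # one alert per burst; a new burst must rebuild the count
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce_success(SAMPLE_LOG):
        print(f"ALERT {alert['ts']} {alert['src']} -> {alert['user']} after {alert['failures']} failures")
```

The 09:40 failure from the same address is deliberately outside the window and is pruned, so the alert reports five failures rather than six; the second address, with a single failure before success, produces nothing. The same sliding-window shape generalizes to any "N of X then Y from the same principal" correlation across log sources.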

We should not stop at these five I’s of security; there are many other security controls that require a broad understanding of security (see the NIST 800-53 controls). Every security expert must understand threat modeling, vulnerabilities, security controls, and the other basics of security. It is extremely important to ensure that security is shifted left and low-lift (see https://vc-sree.medium.com/compliance-is-not-the-end-but-just-the-beginning-of-security-e639c157d2b8).

I should thank Rocco C., Ajay Apte, and others who motivated me to write this blog.


VC Sreedhar is a Distinguished Engineer and CTO focusing on FSS and FinTech at Kyndryl. He is an ACM Distinguished Scientist and holds a Ph.D. from McGill University.
