“Simplicity is the ultimate sophistication.” ~ Leonardo da Vinci
Take it from Leonardo. (Not DiCaprio. The other one.) Simplicity makes a work of art that much more sophisticated and beautiful. The same is true in technology. Simplicity is elegant. Simplicity sells. Simplicity also makes for effective security. Indeed, the IT world has only grown more overwhelming since the noted security expert Bruce Schneier remarked in 2001, “Complexity is the enemy of security. As systems get more complex, they get less secure.”
Simple technology is elegant, it sells, and more importantly, it makes for effective security.
Schneier’s observation makes intuitive sense, but the connection between simplicity and security goes even further: The simplest security solutions are often the most robust. Just as complexity makes a system harder to defend, so too does complexity render a security solution ineffective. There’s too much to oversee, too many loose ends that can leave vulnerabilities exposed.
Today’s security thought leaders certainly see the issue this way. For instance, Brian McHenry, Senior Security Solutions Architect at F5 Networks, wrote recently in an Information Security Buzz article that virtualization, containerization, application-layer technology, and rapid development make architectures far more complex than they used to be. He addressed the difficulty of securing such sprawling, fast-moving environments, saying, “In attempting to combat attacks on these complexity-related vulnerabilities, the complexity problem is worsened by adding one-point security solution after another in the data path.”
What it Takes to Be Simple
“The art of being wise is the art of knowing what to overlook.” ~ William James
McHenry is right. An excessive number of one-point security solutions generates more opportunities for administrative errors, more parts to break and fix, and more dependencies that need management. The best security programs are the simple ones that use a few core tools and focus on the basic but critical tasks of security.
Writing in CSO, the Australian security architect Nathan Wenzler explained, “Getting back to some of the very simple, basic security practices [e.g. patch management, secure development, and credential management] that have been touted for years will help reduce the overall complexity of the attack vectors in your environment.”
The best security solutions focus on a few core tools that cover the basic but most critical tasks of security.
Forrester analyst Chase Cunningham offered a complementary perspective. After conducting a white hat hack at a major corporation to reveal its vulnerabilities, he noted, “Having the ‘IT’ or ‘Network Guys’ put anti-virus on end-points and segmenting networks is a good step, but it doesn’t stop an attacker or protect the crown jewels. Simple strategic concepts were needed. Protect the data, use encryption. Define the perimeter based on data, not the network edges. Enable logging and have someone tasked with network awareness.”
“Simple can be harder than complex: You have to work hard to get your thinking clean to make it simple. But it’s worth it in the end because once you get there, you can move mountains.” ~ Steve Jobs
Steve Jobs understood the power of simplicity. In terms of security, Chase Cunningham offered a similar perspective. He said, “Embracing the fact that success or failure in this space is based on how well we all do the simple, small things is where the difference is made. Simplicity is a strategy, and it works.”
Simplicity is a strategy that works.
The Jobs quote also reveals, however, that making things simple can be harder than keeping them complicated. The success of Apple shows that indeed you can “move mountains” once you’ve done the challenging work of making things simple. For Jobs and Apple, simplifying the user experience through hardware took a great deal of human effort. In cybersecurity, tooling can do much of that work for you. The right tools simplify the process of making security simple.
The Role of Access Management in Keeping Security Simple
“Everything should be made as simple as possible, but not simpler.” ~ Albert Einstein
What’s the secret to making things as simple as possible, but not simpler, as Einstein suggested? One answer is to take care of root security tasks first. Then, dependent security controls will flow naturally and easily from there. For example, staying on top of patching, a relatively simple process, will almost automatically result in a host of anti-intrusion and anti-malware benefits.
Similarly, disciplined management of user access will pay dividends in numerous downstream security workflows. In particular, the management of privileged users, those with administrative access, serves as a root source of control over many different areas of cybersecurity. Wenzler supported this view; credential management is one of his top suggested priorities. He said, “Is your organization restricting the use of admin credentials? If not, you should be. Administrator credentials are one of the most heavily targeted assets that hackers are looking for because these credentials are authorized to have access to most everything. Steal one of these credentials, and an attacker doesn’t have to break into anything else, they can just walk through the front door. Properly managing credentials like this is a relatively simple step with today’s tools, and can have huge security benefits throughout the organization.”
Administrator credentials are one of the assets most heavily targeted by hackers. If your organization is not restricting these credentials, it should be.
Chase Cunningham made a similar comment, recommending the use of “Role-based access control and least privilege” and encouraging security managers to “Observe and enforce security policies.” Defining and enforcing security policies for role-based access and least privilege usually takes Privileged Access Management (PAM). PAM is the combination of practices and technologies that enable the cybersecurity team to stay on top of which users have the authority to modify existing systems, reset configurations, delete accounts and so forth.
PAM offers a path to simplicity and the resulting strong security. PAM is at the heart of simple security controls. Once there are strong controls over privileged users and monitoring of privileged account sessions, it becomes possible to simplify a wide range of related security procedures. For example, if patch management is to be a standard practice, an effective PAM solution will give security staffers the ability to authorize admin users to do the patching. PAM will also track privileged account sessions where patching has taken place, creating an auditable log of patching—all without the addition of other, specialized tools that can complicate matters.
Privileged access management (PAM) offers a simple path to strong security.
Today’s thought leaders wisely recommend simplicity as a means to achieve security. Combining simplicity with a robust security solution is the recommended approach. Privileged Access Management can be a key element in the robust cybersecurity solution you devise to keep things simple and secure.
PAM with WALLIX
WALLIX offers a robust PAM solution that simplifies security throughout organizations. Its modules offer security operations teams the complete visibility and control they need to prevent and detect potential security breaches.