Too often, the Information Security group is itself the biggest impediment to delivering information security in the field. There are many factors that got us to this point. From a people standpoint, the majority of security people come from a network and infrastructure background, but the assets and security issues are primarily at the application, data and identity level. Also, we have harmful concepts like "trust" which are confusing and misleading.
Realistically, both of the above issues will be with us for some time (despite my wish for a less trustful 2011), but there's another issue we can attack and get traction on right now - that is the definition of security itself.
There are several problems with how security is defined. It is not a pure concept; rather, it's an accretion of ideas: some good, some half-baked, and some that did not have any other logical owner and so got grouped in. And since we don't have a compiler like the programmers do, these logical inconsistencies persist and permeate the organization and architecture.
The first thing to separate in an Infosec team is the Access Control from the Defensive services.
Access Control services deal with Identity and Access Management, and perform authentication, authorization, attribution, provisioning and other services. These are crucial enterprise security services, but they mainly relate to getting people who work for and do business with you the proper credentials, policies and tokens to do so. They do little to defend against malice; for that we need...
Defensive Services are services that deliver a Margin of Safety to the enterprise through attack surface reduction, monitoring, encryption and other methods.
The distinction between Identity and Access Management and Defensive services is that the former can be found in functional flows and use cases, while the latter are conservative architectural elements and processes for that which is outside the spec.
They are both critical to security architecture and both mainly sourced out of the information security team, but other than that they have very little in common with each other. In fact, the staffing models, tools, skill sets required, and where and how to participate in the SDLC to deliver these two security service types could hardly be more different.
There is a third concern, which is Enablement. Enablement means optimizing, and ideally driving down, the cost and time to deliver security services across the enterprise.
The Security Triangle should factor in each of these domains independently, finding the way to select tools and a staffing model and to optimize for each domain. At the foundation we have Identity & Access, which are enterprising services that facilitate flows and transactions, and Defensive services, which are conservative services that create a margin of safety. Of course, both service types require horsepower to get to market, and so Enablement services are all about integration and deployment.
This is a simple model that separates the core concerns of most infosec teams that I have seen and gives a way to create specialty skills, metrics, tools and processes in each domain without conflating concerns.