There's no question, we're at an inflection point in the digitization of our world. In every domain and dimension, the substitution of digital for analog is racing ahead.
A couple recent examples illustrate the power of this trend.
- Over the weekend, The New York Times carried a long piece on the new wave of faster, more nimble robots transforming manufacturing. The sotto voce theme of the article: Manufacturing may be about to explode in productivity, but employment in the sector may be decimated. These robots are capable of much more agile interaction with the environment and can now be applied to areas where previously only humans had the deftness to do detailed work.
- The arrival of self-driving cars is definitely on the horizon. I was driving along the freeway last week and saw the car below in the next lane. While many discussions of self-driving cars have focused on potential drawbacks—How will they respond to confusing environments like busy city streets? How will liability be assigned when no human is driving?—the benefits are quite obvious. I expect that there will be rapid transformation of our notion of auto transportation over the next decade.
"Big Security" More Than Slapping Existing Products on New Paradigm
The underlying impetus of these examples is that computing is breaking free of the data center and is being distributed throughout the environment. A corollary to this driver is the enormous amount of data that is being generated by this new world—so much, of course, that the term "big data" has been coined to describe the general phenomena of both the cascade of information bits and the solutions that have been created to analyze them.
Of course, another term that reflects a different aspect of this transformation is cloud computing—the movement of computing from corporate data centers to, well, somewhere else. The growth of the computing capacity of the large cloud service providers is remarkable, with every week bringing yet another mega-data center announcement.
My sense is that this trend is moving much more rapidly than anyone recognizes, and that organizations are embedding cloud computing and big data into their environments quite quickly. The scale of the adoption, though, is going unremarked because the efforts are being implemented on a piecemeal basis. Individually, they are interesting; in aggregate, they are remarkable.
One of the biggest challenges of this transformation, in my view, is the outstripping of the IT capabilities necessary to manage this new environment. Essentially, manual procedures are confronting a world too massive to manage the old way and, much like Lucille Ball and the chocolate factory, they are being overrun by scale. (Just to be clear, this is not an IT jeremiad. Rather, it is a questioning of our current solutions to a new scale of challenge.)
Security ranks among the most common concerns about cloud computing. Survey after survey cites concern about the security of cloud providers as a main inhibitor to adoption—although, as I just noted, adoption is proceeding apace and, in my experience, accelerating despite this concern.
Unfortunately, most of the solutions I've seen seem to center on applying existing manual solutions to the cloud environment. In effect, the desire is to address security by impeding the move to automation and forcing it to follow the established procedures. For the reasons outlined above, this is likely to be unsuccessful and will lead to security being bypassed, or, even worse, applied in the form of a Band-Aid version of the old solutions with the hope that they will suffice.
The 6 Key Characteristics of Big Security
I firmly believe that a new approach—a complete rethink of the topic—is required, with new solutions (and processes) developed to deal with cloud computing. It's something that might be termed "big security."
What would such a thing look like? Put another way: What are the key characteristics associated with "big security?" Here are some thoughts.
Developed into products, not bolted on later. For sure, in this new world, for security to have a chance of success, it must be part of the environment and application, not a separate product and process bolted on later in a security review. Just as DevOps has resulted in operations being integrated into the application, so, too, must security be infused throughout every element of the application, from initial user contact to data integrity checking through to fraud detection.
Integrated. This may be a pipe dream, but the security solution should be integrated. In other words, it should be a single solution that can be implemented, not a variety of solutions—even if they're provided by a single vendor in what I call Frankenstein solutions. End users are overwhelmed by the level of expertise necessary to install and integrate disparate solutions. When I read about systems being compromised because end users did not properly configure or update their systems, the evidence is plain.
Scalable. I've already mentioned this, but the entire IT industry, myself included, vastly underestimate the scale we will confront in the near future. Look at the automobile. While many (including me, again) point to the transformation wrought by mass production, far fewer consider the way automobiles have transformed our lives and come to dominate our society. They've scaled well beyond what anyone might have imagined when the mass production of Fordism first came onto the scene.
In the future, security will need to work in an environment hundreds (yes, hundreds) of times larger than previously seen—nd that environment will sprawl throughout the world. Part of it will be what Dave Asprey calls the ambient cloud. It will also be distributed application environments connecting back to data collection and analytics hubs such as Nike+ FuelBand, which essentially turns the human body into a networked domain. (Regarding this environment, I have been powerfully affected by three books I've recently read—Daniel Suarez's Kill Decision, and Avogadro Corp. and A.I. Apocalypse by William Hertling—which use the thriller fiction form to depict a very-near, very convincing world of mass processing, connectivity and data.)
Certainly this IT environment is well beyond what today's security solutions address or can even envision. A whole new generation of security products is needed to meet this coming IT world.
Automated. It goes without saying that this new security environment must be automated—that security solutions must be installed onto cloud instances and into programs without the need for manual intervention.
That's not enough. In the future, we'll need to be able to subscribe to security services that can analyze an environment, calculate what security measures need to be applied and automatically implement them. Just as manufacturing has outstripped human's ability to perform the same functions manually (think chip manufacturing), so too will information system security outstrip human ability to comprehend the environment's complexity.
The very human tendency to insist upon and only trust that which has been evaluated and implemented by a manual configuration will be overwhelmed by the scale of the need. Those who remain committed to manual security practices will find themselves vulnerable.
Learning. Of course, the security system will need to constantly evaluate what kind of interaction is going on in the environment and applications it is monitoring and tune its behavior accordingly. Again, waiting for humans to examine, comprehend and configure new practices just won't work in this environment. Lest you think this couldn't happen, look at credit card rating and fraud systems. That's all artificial intelligence, with reactions based on the system tracking behavior and modifying its rules as more behavioral data accumulates.
Policy-based, not configuration-based. The role of security administrators will be to define the appropriate security stance of the organization for which they work, capture it in policy and make those policy rules available to the security system. Trying to modify thousands of configuration settings manually will be well beyond anyone's competence. We will need to look to humans to define the desired outcomes and leave the method by which those outcomes are accomplished to the security software.
Again, one of the most pressing issues regarding this will be the very human temptation to check on the system's configuration decisions. Should someone intervene in the security configuration process, the likely outcome will be a reduction in overall security.
Naturally, most people's reaction to the ideas discussed here will be disbelief. Most will dismiss it as unrealistic, or too riven with problems both technical and cultural, to ever come about. On the other hand, if you had told almost anyone a decade ago that autonomous cars would be driving around in 2012, people would have laughed at you. Now driverless cars are legal in Nevada. The lesson here: This is moving much more quickly than anyone can imagine, and "big security" is in fact on the horizon.
Bernard Golden is the vice president of Enterprise Solutions for enStratus Networks, a cloud management software company. He is the author of three books on virtualization and cloud computing, including "Virtualization for Dummies." Follow Bernard Golden on Twitter @bernardgolden.