Shades of Greynets: The Internet of Secure Things

Everything old is new again. I just read an article about a Cloud Security Alliance project with the US Department of Homeland Security to create “software defined perimeter”tools to stop distributed denial of service attacks. The bigger potential may be to fight data breaches. Amazon continues to add to its ever richer suite of simple services like S3 and SES. Heroku has launched its “Private Spaces” server type which is not publicly accessible.

The pieces are coming together for the Internet of Secure Things.

A return to simplicity

Does anyone talk about DMZs (demilitarized zones) and proxies anymore? In the early days of the Internet, we didn’t just have firewalls, we created electronic airlocks between internal networks and the Internet. Now, we’re making in software what we used to wire with hardware (I assume Cisco and some security startups will be launching “hardware defined perimeter” appliances soon).

Instead of a single DMZ between internal and external networks, companies can establish richer network architectures to protect data and ensure resilience and availability: special purpose servers and network segments that isolate critical data and business functionality to protect against both external hackers and insiders.

Many shades of greynets.

Tinker toy security systems

The devices on these networks are not going to be the every more powerful servers that we’ve become used to seeing and purchasing. Nor are they going to be dedicated security appliances, they are going to be special purpose business tools. Application servers and data stores and other devices that provide business functionality in a secure manner.

If it’s not simple, it’s not secure

A firewall is a smart router with a bad attitude. At its heart, a very simple device. Its security comes from its simplicity. As we’ve moved more and more business online and into software, we’ve just added more and more functionality onto our servers. A deadly corollary to Moore’s Law – every 18 months we’re doubling the number of applications and features that we put on each server.

Complexity is killing security.

You install an update to one application on a server and it changes ports and features that can affect every application. The size and complexity of every application means that even if a vendor could or did make meaningful statements about their own security, the combination and composition of the products can, and does, undermine the security of the entire enterprise.

And you’ll never know.

You can’t spend the time testing every application and service in combination with every other one. Your evaluation work grows exponentially.

It’s time to get simple, not stupid

The price to own, lease or virtualize servers has collapsed. The economic reason that originally drove companies to load up servers with as many applications as possible is no more. The “Internet of Things” is about the plummeting price of “good enough” computing.

Let’s use it to build secure-er systems that are inherently hack resistant.

Ask the Oracle

A first example of a dedicated “security thing” could be an Oracle. Functionally, an Oracle is a server that you ask a question to and it answers it. Ideally something as simple as “yes” or “no”. The operational scenario is the all-too-common password server.

While passwords have long been protected by the use of hash functions, this really was because of the economics of 1970s computing. Today, we could easily have a dedicated server or chip to hold the username/password information in a way that it couldn’t be hacked because the device was too limited.

No more dictionary attacks.

Ask your question, get an answer. No data store to attack. I don’t know about you, but I’m tired of getting notifications about my “protected” passwords getting stolen and that I have to fix their problem.

Credit card verification can work the same way as can other authorization systems.

More secure things to come

There are a lot of types of Tinker Toy parts. Similarly, there a many basic “security things”. We’ll explore them further in the next part of this series. In the meantime, I’d love to hear your thoughts on implementing security through simplicity.

Perhaps it is the Internet of Simple, Secure Things.