It's not the destination, it's the journey, stupid.
You can't go a day without reading from the peanut gallery that it is "...inevitable that network security will eventually be subsumed into the network fabric." I'm not picking on Rothman specifically, but he's been banging this drum loudly of late.
For such a far-reaching, profound and prophetic statement, claims like these are strangely myopic and inaccurate..and then they're exactly right.
Firstly, it's sort of silly and obvious to trumpet that "network security" will end up in the "network." Duh. What's really meant is that "information security" will end up in the network, but that's sort of goofy, too. You'll even hear that "host-based security" will end up in the network...so let's just say that what's being angled at here is that security will end up in the network.
These statements are often framed within a temporal bracket
that simply ignores the bigger picture and reads like a eulogy. The reality is that historically
we have come to accept that security and technology are
cyclic and yet we continue to witness these terminal predictions defining an end state for security that has never arrived and never will.
Let me make plain my point: there is no final resting place for where and how security will "end up."
I'm visual, so let's reference a very basic representation of my point. This graph represents the cyclic transition over time of where and how we invest in security.
We ultimately transition between host-based security, information-centric security and network security over time.
We do this little
shuffle based upon the effectiveness and maturity of technology,
economics, cultural, societal and regulatory issues and the effects of disruptive innovation. In reality, this
isn't a smooth sine wave at all, it's actually more a classic dampened
oscillation ala the punctuated equilibrium theory I've spoken about
before, but it's easier to visualize this way.
Our investment strategy and where security is seen as being "positioned" reverses direction over time and continues ad infinitum. This has proven itself time and time again yet we continue to be wowed by the prophetic utterances of people who on the one hand talk about these never-ending cycles and yet on the other pretend they don't exist by claiming the "death" of one approach over another.
To answer that let's take a look at how the cyclic pendulum effect of our focus on security trends from the host to the information to the network and back again by analyzing the graph above.
- If we take a look at the arbitrary "starting" point indicated by the "You Are Here" dot on the sine wave above, I suggest that over the last 2-3 years or so we've actually headed away from the network as the source of all things security.
There are lots of reasons for this; economic, ideological, technological, regulatory and cultural. If you want to learn more about this, check out my posts on how disruptive Innovation fuels strategic transience.
In short, the network has not been able to (and never will) deliver the efficacy, capabilities or cost-effectiveness desired to secure us from evil, so instead we look at actually securing the information itself. The security industry messaging of late is certainly bearing testimony to that fact. Check out this year's RSA conference...
- As we focus then on information centricity, we see the resurgence of ERM, governance and compliance come into focus. As policies proliferate, we realize that this is really hard and we don't have effective and ubiquitous data
classification, policy affinity and heterogeneous enforcement capabilities. We shake our heads at the ineffectiveness of the technology we have and hear the cries of pundits everywhere that we need to focus on the things that really matter...
In order to ensure that we effectively classify data at the point of creation, we recognize that we can't do this automagically and we don't have standardized schemas or metadata across structured and unstructured data, so we'll look at each other, scratch our heads and conclude that the applications and operating systems need modification to force fit policy, classification and enforcement.
- Now that we have the concept of policies and classification, we need the teeth to ensure it, so we start to overlay emerging technology solutions on the host in applications and via the OS's that are unfortunately non-transparent and affect the users and their ability to get their work done. This becomes labeled as a speed bump and we grapple with how to make this less impacting on the business since security has now slowed things down and we still have breaches because users have found creative ways of bypassing technology constraints in the name of agility and efficiency...
- At this point, the network catches up in its ability to process closer to "line
speed," and some of the data classification functionality from the host commoditizes into the "network" -- which by then is as much in the form of appliances as it is routers and switches -- and always
will be. So as we round this upturn focusing again on being "information centric," with the help of technology, we seek to use our network investment to offset impact on our users.
- Ultimately, we get the latest round of "next generation" network solutions which promise to deliver us from our woes, but as we "pass go and collect $200" we realize we're really at the same point we were at point #1.
'Round and 'round we go.
So, there's no end state. It's a continuum. The budget and operational elements of who "owns" security and where it's implemented simply follow the same curve. Throw in disruptive innovation such as virtualization, and the entire concept of the "host" and the "network" morphs and we simply realize that it's a shift in period on the same graph.
So all this pontification that it is "...inevitable that network security will eventually be subsumed into the network fabric" is only as accurate as what phase of the graph you reckon you're on. Depending upon how many periods you've experienced, it's easy to see how some who have not seen these changes come and go could be fooled into not being able to see the forest for the trees.
Here's the reality we actually already know and should not come to you as a surprise if you've been reading my blog: we will always need a blended investment in technology, people and process in order to manage our risk effectively. From a technology perspective, some of this will take the form of controls embedded in the information itself, some will come from the OS and applications and some will come from the network.
Anyone who tells you differently has something to sell you or simply needs a towel for the back of his or her ears...