by Aaron Lazenby, April 2014
Although Edward Snowden may get the press, he’s just the tip of the iceberg. That’s what Paul Vallée, founder of Pythian, will be telling attendees at Collaborate 2014 in Las Vegas this week during his session Thou Shalt Not Steal: Securing Your Infrastructure in the Age of Snowden (April 10, 4:15pm). Profit chatted with Vallée about how many IT leaders are already grappling with the growing risk of internal threats—and how air conditioner repair can become an unlikely enterprise IT risk.
Profit: How is the risk of insider security leaks affected by the changing ways teams are structured—including not just privileged users, but also the increased number of external people who touch IT systems?
Vallée: There is a proliferation of external vendors having access to networks and every one of them represents a vulnerability.
It's like building a door in a warehouse. It only takes one door to be unlocked before building security is breached. A recent high-profile security breach has been very instructive in that regard—the initial infection vector was an HVAC vendor who had installed some smart air conditioning inside the data center. To do the work, the vendor needed access to the network because they wanted the smart air conditioner to be able to report data and the vendor to be able to respond.
That creates a bit of a Catch-22 because the financial consequences of an incident are high, but at the same time, IT has to install more doors to get the job done. So IT has to integrate with and manage security for more and more service providers.
Profit: Is it fair to say that what you consider infrastructure has evolved well beyond IT infrastructure?
Vallée: Well, everything is IT now. You can't run an apple cart without IT. What we need to create is complete accountability for everything that happens around a data center, and that's where our industry is not up to snuff right now. We tend to think that if you secure access to the perimeter of the data center, then what happens in the meeting inside can be unsupervised. But that’s not good enough.
Profit: You guys have a huge data center with mission-critical data and customers. What have you guys learned about managing and scaling access and privilege?
Vallée: One of the things that we've learned is that security is never going to be complete. Security is about managing risk, and so obviously you don't want to be the easiest target. But part of responsible stewardship of valuable systems means knowing how to respond to an incident, the equivalent of emergency preparedness response. In the event of a security incident, you must know exactly what to do to respond effectively.
Profit: So in other words, perimeter defense is only one facet of a good plan.
Vallée: You need to approach the problem from different directions, but never with the idea that you are secure. Every system can, in theory, be penetrated. The most common way to penetrate an environment now is through social engineering—vigilance is what stops a lot of these kinds of attacks. And the kinds of supervision technologies that we have invented are really important in terms of deterring and preventing those kinds of social engineering attacks.
Profit: So do you think that — broadly speaking — CIOs or system engineers are not putting the appropriate level of focus on internal threats versus external threats?
Vallée: Well, I would say that what's going on now is that the technology required to supervise internal resources is not really available in the marketplace to the degree that insider threats have broadened. It's not to say that CIOs don't care about it; it's that they've never had an affordable way to do anything about the fact that they're threatened here.
Profit: What does that level of supervision entail?
Vallée: Our company and a couple of others are offering this, and if you implement it correctly, you have complete visibility into everything that happens inside your data set. Complete visibility, meaning the ability to reconstruct everybody's screen at any given point in time, so you know exactly what they saw and exactly what they did. That level of accountability is the equivalent of installing security cameras inside a bank.
Profit: It sounds like this is a cultural shift as well. Would you describe it that way?
Vallée: Yes. This is the equivalent of the black box in an airplane, which allows investigators to reconstruct the entire sequence of events of an accident. If the sequence of events includes a wrongful act, like the pilot does something illegal, well, then the pilot's accountable. But most of the time, you use this kind of technology to learn, and that’s where CIOs will need to do some cultural change management work. You can use it to improve human reliability, your overall support stance, or to analyze incidents and find training opportunities or better processes to fix the root cause of the incidents.
Aaron Lazenby is editor of Profit.