A few weeks ago, when I asked, “Is Defense in Depth Dead?”, I used the example of Dover Castle to illustrate the point that, as weapons and warfare change, defensive strategies must also evolve to meet new realities. Dover Castle and other fortresses offered their occupants centuries of effective protection—until the advent of gunpowder and cannon on the battlefields of medieval Europe.
Which is not to say that walls and ramparts are utterly ineffective, only that on their own they are insufficient.
A similar illustration making this point goes back much farther in antiquity. The walls of ancient Babylon were noted for their height (300 feet), thickness (25 feet) and depth (35 feet). Impenetrable in their day, the walls of Babylon were symbolic of the strength of an empire that flourished and even dominated much of the world for centuries. Babylon’s security was dependent on keeping the enemy on the outside of the city, but Babylon’s walls were eventually breached by Cyrus the Great in a stroke of engineering and military genius.
Contrast Babylon with Marrakech, a city also surrounded by protective walls. Rather than relying on them for its survival, Marrakech was a center of commerce that required robust trade. Its walls were, by comparison, porous. Marrakech’s walls were not built high and wide and deep, but with many gates to accommodate the flow of caravans to its markets, and of buyers, sellers and tradesmen in and out of the city.
Babylon represents a pre-cloud philosophy of Defense in Depth—where building an ever thicker, taller and deeper perimeter is tantamount to establishing a sufficient level of security. Defense-in-depth is about adding moats, ramparts and other obstacles to keep crown jewels out of reach.
Marrakech, on the other hand, represents a cloud-era defensive philosophy based on contextual threat intelligence—where determining what constitutes an acceptable level of risk and learning to recognize and respond to true threats is the goal. It’s accepting that enterprises are more complex and that the threats are more insidious.
This is the model that today’s enterprises must embrace. It is the only approach suited to managing security in a computing environment characterized by mobility, accessibility and virtuality. It is the only approach suited for the cloud era.
I recently read in the Wall Street Journal about Time Inc.’s efforts to secure its applications as it pursues a cloud strategy. In the article, Keith O’Sullivan, Time’s vice president of global security, and Colin Bodell, the company’s chief technology officer, described their approach to cloud security. One comment that stood out to me was O’Sullivan’s statement that, “A lot of technology out there does not map well to the cloud.”
Exactly. Just as Babylon’s walls were no match for the genius of Cyrus the Great, and as the walls of the great European castles were no match for cannonade, traditional Defense in Depth in the cloud era is no match for the tools and techniques of the hacker community or the state-sponsored cyberwarrior.
O’Sullivan went on to say that Time’s approach to security is determined application-by-application, in recognition that each is architected differently and comes with differing requirements with regard to security and compliance.
Babylon fell because the king and his generals grew complacent with Defense-in-Depth. Often the biggest challenge to enterprise IT security is in overcoming C-suite complacency. Yesterday’s success is not an assurance against tomorrow’s attack. That is why traditional Defense-in-Depth is no longer an adequate approach to IT security. It drains time and resources that can be better applied elsewhere in an enterprise’s security scheme, weakening your security posture. Contextual security that emphasizes behavioral analytics, heuristics and threat intelligence to effect rapid detection and containment of both insider threats and external attacks is where security needs to be in the cloud era.