Is Technology Getting Too Complicated For Security To Keep Up?

Apr 9, 2012

I've always wondered if there will come a time when our interconnected world becomes so complex it turns sentient.

Oh wait, that's a movie plot. I meant to say that things get so complex that we can't figure out how to keep them secure any more. That's not as interesting a plot but far more likely to happen, if it hasn't already.

In the old days before credit card numbers and the internet existed you had to actually go to a bank and point a gun at a teller and generally all you could get was a bag full of money. Security generally involved a gun-toting guard a donut shy of a hundred dozen. Today there are millions of people on the internet looking for any tiny crack in your systems hoping to snag millions of credit cards, personal identity data or company or government secrets. This isn't your great great grandfather's old west anymore.

Today it's not just about your web site but all your client applications, your back office systems, desktop and portable devices, flash drives and cloud environments. Companies often have connections not just to customers but to suppliers, services, analytics and cloud servers. Your data comes from everywhere and goes everywhere, while existing everywhere at once. Somehow someone needs to understand where everything is and what it touches and who has access to it even in a wildly dynamic world.

It must really suck to be a security chief: no one knows who you are and what you do until 5000 web authors point out how stupid you were. Even with all the security breaches and hacked systems you read about every day, I imagine far more are never reported.

The problem with securing a complex connected company is that there are so many touch points to keep track of that it is easy to miss a single one. A recent theft of a large number of SS numbers and other personal information from a government Medicaid office happened because a single server was not configured correctly. One mistake and the masses that search the internet for a hole pounced and all the possibly excellent security (I don't know but they did sound like they had a plan) may as well have been a donut munching stereotype. That's what makes security so challenging: one error is enough to screw up everything.

An enduring but common metaphor, that a chain is only as strong as its weakest link, remains a good description of why security is so hard. A tired programmer, a manager trying to impress, a poor QA person, a bug in a script or even a wrong button push can kill even the best designed security plan. Now throw more and more complexity into a highly heterogeneous environment and it becomes impossible to actually understand how everything works sufficiently to keep out the bad guys or even protect against accidental problems. Add in enormous cost for security and pressure to build the business fast in this high speed world and now proper security has to compete with sales and profits.

What we have now and will only get more of in the future is too many features backed by too little security.

The group I work for has several clients and a suite of web services; the parent entity has web services and caches, databases and data suppliers; its parent entity has more of the same plus mainframe systems which have many layers of services and systems, data suppliers and consumers. When I make a web service call I have no clue how many layers of systems are getting called and updated and where the data even lives. Travel is a mind-numbingly complicated mess. Does anyone know where everything is and how it all works together? I don't think it's even possible. Now consider something like the US Defense Department, which is orders of magnitude more complicated and protects national secrets and nuclear weapons instead of seats on a plane. Everyone wants some of that, and it's protected by sub-sub-sub-contractors.

One of my favorite quotes is "If builders built buildings the way programmers wrote programs, then the first woodpecker that came along would destroy civilization". If a single program can be hard to harden, imagine how hard an entire company set of systems can be to protect, or even an entire country set of company and government systems. The Stuxnet attack on Iranian nuclear systems continues to be a great research problem and likely harbinger of what the ever more complex future is likely to bring.

In the early days of interconnections between systems passwords were even required. Today you have to consider everything as being a possible attack vector. It's not enough to protect against "hackers" breaching your website. Threats can come from anywhere and often come from inside.

I worked for a healthcare company where I found that the production server and database passwords were stored in a text file in the code repository, and half the company knew what they were. When I brought up to the CTO how easy it would be for someone who worked there to steal data, he remarked that "we trust our employees". I wouldn't trust myself with valuable data, much less hundreds of random employees and contractors. The bank robber of yesteryear is now sitting in front of a computer attacking your systems, getting a job at your company or even paying someone to saw a hole in your floor. Trying to keep everything functioning and in control is hard, expensive work.

If it's hard today, imagine 10 years in the future. As our systems get more and more interconnected and data becomes more and more valuable, stealing, breaking and denying access will become easier to do and more and more people will find it tempting to get involved. I really do wonder if we can keep things secure anymore. I have no doubt that more and more breaches will occur, whether we hear about them or not. Even today you hear how desperately companies try to hide security lapses and how a single successful attack can slow down or even destroy a business. Now imagine this happening every day in public and you wonder at what point people will become wary of technological progress.

There's a woodpecker out there waiting for our rapidly advancing technology and I think we might soon reach a point where we might really wonder if it will come crashing down. There aren't, after all, an infinite number of credit card numbers, an endless amount of money, or lots of spare nuclear missile launch codes that we can afford to lose.

Security really should be job one: if it isn't now it better soon be. You can pay for it now or lose it all later.