Architectural Patterns that Scale for the Customer

New Audiobook Available! Transforming Information Security aims to improve scale for businesses of all sizes.

By: Kathleen Moriarty

The observation "we are all not that different" has increasingly been raised in several conversations related to security controls. This is a statement I support, and I am glad to see it considered in product designs. A shift in thinking is required for vendors to build products that scale for the consumer, in order to reduce the distributed administrative burden faced by organizations today. This shift is beginning to take hold and will likely take many shapes as engineers design creative approaches to solve age-old problems.

My time as an IETF Security Area Director (March 2014-2018) immersed me in a constant stream of emerging standards – reading 400 pages every other week from individuals and vendors worldwide. That experience crystallized certain observations, ultimately leading to my first book. It became starkly apparent that the industry stood at a critical juncture: we could either embrace a new direction, improving security and ensuring management could scale, or continue down a familiar path of the last thirty-plus years. The most significant takeaway was the unsustainability of the security model where the end customer bears the primary responsibility for configuration and maintenance. While the complete configurability we baked into products back in 1995 might have seemed prudent at the time, I'm not sure any of us fully grasped the downstream impact on resource-constrained organizations. With a smaller internet landscape then, a collaborative spirit among us working in the space reinforced the notion of needing both full configurability and transparency in products and event logs.

Looking back now and to 2020 when "Transforming Information Security" was published, it's clear our long-term vision, particularly regarding the varying security needs and resource levels across different organizations, was limited. The result was a somewhat monolithic, one-size-fits-all approach. This model often sees business-focused products acquired with the implicit expectation of layering on numerous protections to achieve 'defense-in-depth.' Even in the evolution towards zero trust, this layered model persists, with many finding it genuinely difficult to shed those layers even when built-in protections should suffice. We are, after all, in the midst of this very transition, and more time is likely needed to truly build in security to foster greater confidence in the decision to eliminate those legacy layers.

The publication of the book marked a shift for me towards a more mission-driven role, one that resonated deeply with its core ideas. As CTO for the Center for Internet Security, I had the invaluable opportunity to engage directly with hundreds of organizations, including my work with the Multi-State Information Sharing and Analysis Center (MS-ISAC) directors, leading numerous webinars. This period was a genuine gift, allowing me to learn firsthand from representatives of small and medium-sized organizations, gaining a clearer understanding of their pain points and specific requirements. From there, I sought deeper conversations with several organizational leaders to truly grasp their real challenges, the issues that kept them awake at night. This was enlightening and has shaped my current career phase, where I'm focused on helping bridge the unique gap faced by these smaller, resource-limited organizations, tailoring solutions more directly to their needs.

Fortunately, the core principles of "Transforming Information Security" are gaining traction as others also recognized the necessity for real change. The Built-in Security by Design and by Default initiative, spearheaded by CISA and developed collaboratively with a team representing around eight nations, aimed for genuine transformation. Their work to date has been impactful, guiding the industry towards fundamental shifts like reducing or eliminating memory safety vulnerabilities and establishing standards for assessing supply chain assurance. While these crucial efforts are underway, we must also remain mindful of the implementation scale for organizations, as this has the potential to disproportionately affect those with the fewest resources. Industry has picked up some of the themes even though the government requirements have recently been reduced.

Industry Experts Picking Up the Theme of Scale for the Customer

My time at CIS also brought insightful discussions, particularly one with Tony Sager, who astutely observed that the fundamental control requirements within an operating system or application often share significant overlap across different organizations. This realization that organizations are not that far apart led to the development of configuration levels for CIS Benchmarks, marking another positive step to assist organizations with few resources.

Similarly, a conversation with industry experts on a DNS call highlighted that organizational DNS needs aren't as disparate as one might think. The fundamental desire to filter out malicious content, for instance, is nearly universal and can be solved with a common solution.

In other words, these are opportunities where a repeatable solution, determined and configured once by a small group of experts, can have an impact on many. These are examples of architectural patterns that scale for organizations of all sizes, and they will continue to expand over the coming years, transforming information security.

Announcement!

SecurityBiaS is excited to announce that Kathleen Moriarty’s book is now available in audio format! Beyond providing an understanding of industry inflection points and the need for built-in security, the book is aimed at changing architectural patterns to better scale for customers of all sizes. The book remains very relevant for understanding the big picture of information security and how to scale to meet diverse market requirements.

Transforming Information Security will be available on multiple major audio platforms to ensure ease of access, as well as through libraries and local bookstores.
