Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


10:30 AM
Chris Nelson
Chris Nelson
Connect Directly
E-Mail vvv

What Slugs in a Garden Can Teach Us About Security

Design principles observed in nature serve as a valuable model to improve organizations' security approaches.

Next year marks the 40th anniversary of a book that changed the world: Bill Mollison and David Homgren's Permaculture One, which described a set of agricultural and social design principles that mimic the relationships found in nature.

"In practice, permaculture is a growing and influential movement that runs deep beneath sustainable farming and urban food gardening," Michael Tortorello wrote in The New York Times. "You can find permaculturists setting up worm trays and bee boxes, aquaponics ponds and chicken roosts, composting toilets and rain barrels, solar panels and earth houses."

What does this have to do with information security? I believe there's remarkable synchronicity between permaculture and security and that the use of design principles observed in natural ecosystems can serve as a valuable model to improve organizations' approaches to security.

Think about the challenges of protecting an enterprise: lack of resources (people, technology, budget, or any combination thereof), competing priorities, balancing compliance requirements and business needs, awareness and training, enforcing policies and standards. 

It's an environment well-suited for the application of permaculture principles, which focus on harmonious integration — working with, rather than against, nature — and embracing collaboration over competition. Permaculture, a portmanteau of "permanent agriculture," embraces three basic ethics: care of the Earth (or, in this case, the system), care of people, and reinvestment of the surplus.

These three ethics guide 12 design principles that can be as useful in setting up and administering security systems as in agriculture, but we don't need to go that deep in the weeds here (pun intended).

It's also useful to think about the six permaculture zones and how they can be used to prioritize work. Permaculture zones are used to organize design elements based on frequency of use or need. The lowest number (0) denotes the most frequently touched, while the highest (5) is equivalent to wild land, requiring no human effort to produce anything.

How do security concepts line up with this zoned approach? For the purpose of illustration, let's assume the following: You receive 25 to 50 alerts from your intrusion detection system (IDS) per day. You update your malware system or respond to alerts 10 times per week. You review VPN logs once a day. And you deploy code once per day, with integrated static code analysis.

Using this information, you can begin to align your tools with specific zones: IDS is in Zone 1 because these alerts happen frequently and are a strong indicator of compromise but don't involve much interaction time. Malware issues have a pattern similar to IDS alerts, but the incidents are less frequent, pushing them out to Zone 2. VPN log reviews and static code analyses fall into Zone 3, thanks to less-frequent occurrences but a need for greater human intervention during such occurrences.

These are not hard-and-fast rules. If you do multiple code commits per day, for example, static code analysis would fall into a lower-numbered zone. Essentially, zone alignment is based on the number of times you need to touch the security control. It's a great way to begin the application of the design principle — from patterns to details.

Some additional practical applications of permaculture in security:

The problem is the solution. Slugs are a problem in the garden. But if you add ducks, the slugs become a food source for them. And then the ducks provide eggs. In technology, an equivalent might be the training opportunities that arise when software developers deliver code that has vulnerabilities. By identifying vulnerabilities committed at an individual developer level, you can then tailor specific training material toward that user. This reduces the burden on the whole team, because they avoid mandatory training on material for which they've already demonstrated competence. This is a challenging concept for some people — whether something is positive or negative is entirely determined by how you view it.

Get the most benefit from the least change. In the physical world, a dam site might be chosen because it delivers the most water in relation to the least amount of earth that has to be moved. In the IT security world, an equivalent goal might be to remove admin rights from workstations, thereby immediately dropping the percentage of malware infections. This is a single action that can have a far-reaching positive effect on an entire organization.

Seeking order yields energy. Disorder consumes energy to no useful purpose, whereas order and harmony free up energy for other uses. By embedding operations staff into development teams, for example, you can avoid inefficiencies caused by engineers attempting to simultaneously manage systems while writing code.

Learn to harness natural cycles. Every cyclical event increases the opportunity for yield. Consider the software development life cycle and the plan-build-run model: both are examples of technological cycles that can make identification of IT security defects easier by coupling different tools to disparate stages.

Permitted and forced functions. Key system elements may supply many functions. However, if you force too many functions onto an element, it will buckle under the weight. Order is achieved by balancing simplicity and complexity.

Work with nature rather than against it. Pesticides destroy beneficial as well as destructive insects; the following year brings an explosion of pests because there aren't any predators to control them. If your security controls cause inconvenience to your users, they'll bypass them. When we build IT security policies and controls that function within the flow of the organization, enhanced security is the natural outcome.

Despite our many attempts to disrupt her, Mother Nature has been managing the world pretty efficiently for many millions of years. Permaculture reminds us to listen to what she tells us and apply this insight across every aspect of our lives. The lessons for information security are dramatic.

Related Content:

As Senior Director of Security and IT at Distil Networks, Chris Nelson leads the security and compliance initiatives across the organization by the use of permaculture for design of policy, standards, audit, and risk assessment. He works with customers, partners, and internal ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/21/2020
Cybersecurity Bounces Back, but Talent Still Absent
Simone Petrella, Chief Executive Officer, CyberVista,  9/16/2020
Meet the Computer Scientist Who Helped Push for Paper Ballots
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/16/2020
Register for Dark Reading Newsletters
White Papers
Latest Comment: Exactly
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-09-21
Inappropriate implementation in permissions in Google Chrome prior to 85.0.4183.83 allowed a remote attacker to spoof the contents of a permission dialog via a crafted HTML page.
PUBLISHED: 2020-09-21
Inappropriate implementation in Omnibox in Google Chrome on iOS prior to 85.0.4183.83 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page.
PUBLISHED: 2020-09-21
Insufficient policy enforcement in media in Google Chrome prior to 85.0.4183.83 allowed a remote attacker to leak cross-origin data via a crafted HTML page.
PUBLISHED: 2020-09-21
Insufficient validation of untrusted input in command line handling in Google Chrome on Windows prior to 85.0.4183.83 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page.
PUBLISHED: 2020-09-21
Insufficient policy enforcement in intent handling in Google Chrome on Android prior to 85.0.4183.83 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page.