Complex systems are hard to secure. As computing environments' complexity grows, they become less secure and more vulnerable over time. In this article, I will demonstrate how security is tied to complexity, why increasing complexity of cloud computing environments is inevitable, and the pitfalls of common coping strategies.
First, let's explore why complexity growth is inevitable. Here's a hint for the impatient: It's all about scale.
Scaling the World's Computing
To better understand the challenges of scaling the world's compute systems, we must remember that computing is a collaboration of machines (hardware), applications (software), and humans (peopleware), all of which increase complexity.
Let's start with hardware. Modern computing environments are big — and constantly getting bigger. Organizations with even a small number of employees often command thousands-of-server fleets that come in a variety of form factors — the cloud, on-premises data centers, managed hosting, smart devices, self-driving vehicles, and so on. What drives complexity even further is that cloud environments are elastic; as managing hardware becomes more complicated, so does security.
How about scaling software? As the tech stack grows, so does the list of technologies that must be configured in a typical cloud computing environment before a cloud-native application is deployed. And here's the scary fact: Every software layer comes with its own implementation of encrypted connectivity, client authentication, authorization, and audit, putting pressure on DevOps teams to properly set up these pillars of secure remote access.
And, finally, "peopleware" comes with its own scaling pains. As companies embrace remote work, the idea of controlling employees' computers or relying on a network perimeter becomes less feasible. Moreover, as the tech talent shortage intensifies, companies are forced to operate without having sufficient security expertise on their teams.
But there's no turning back. Hardware, software, and peopleware complexity will continue to grow, ultimately making computing environments more vulnerable.
Common Coping Strategies
How do organizations currently address the resulting security challenges? Unfortunately, most are unable to secure every single technology layer. Some of the most common coping strategies include:
- Reliance on the perimeter: This popular strategy of reducing operational overhead is based on securing only the network boundary using solutions like VPNs. The downside is that once the perimeter is breached, attackers can move laterally, increasing the "blast radius" of a breach.
- Use of shared credentials: This allows organizations to grow their engineering teams without too much overhead because access is based on shared aliases, with secure vaults storing the shared credentials. However, these credentials still need to be managed; they can be stolen or accessed by former employees. Case in point: In a recent study of 1,000 DevOps, IT, and security professionals, 83% of respondents said they cannot guarantee that ex-employees can no longer access their infrastructure.
- Good ol' bureaucracy: When nothing else works, implementing manual processes serves as another method to cope with complexity. Not surprisingly, this can negatively affect engineering productivity and drive employees to quit, not to mention invite the creation of personal backdoors into employer infrastructure.
None of these strategies provides a sufficient level of detail for audit purposes. For example, it becomes impossible to tell who dropped a SQL table if the access was performed via a VPN by a user named "dba." Based on the increasing frequency of reported cyber incidents, it's clear that these approaches, adopted to minimize the operational overhead of infrastructure, are failing to keep it secure.
The cybersecurity community is aware of the problem, and the industry prescription has become zero trust. Zero trust is not a true solution, but an architectural pattern. It postulates that every computing resource must distrust all clients equally, whether on the internal or external network. Essentially, zero trust declares perimeter-based, network-centric approaches to security obsolete, and requires that every server be configured as if it were exposed to the Internet.
Organizations built on cloud-native environments are moving toward identity-based access. In this setting, every employee must authenticate into a computing resource as themselves. When combined with a zero-trust principle, the "blast radius" of a compromised account is minimized to a single user and resource.
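To make the audit and "blast radius" points concrete, here is an added Python example (not from the article) that models the two access styles side by side: a shared "dba" alias reached over a VPN versus short-lived credentials bound to an individual identity. The user names, the alias holders and the timestamps are constructed for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed directory: the identity provider's current view of who works here.
ACTIVE_USERS = {"alice", "bob"}            # "carol" has left the company

# Shared-alias model: several people know the "dba" password (constructed).
SHARED_ALIAS_HOLDERS = {"dba": {"alice", "bob", "carol"}}


@dataclass
class Credential:
    subject: str          # identity the credential is bound to
    expires: datetime     # short lifetime limits the window of a stolen credential


@dataclass
class AuditEvent:
    actor: str            # what the resource recorded as the actor
    action: str
    via: str              # "vpn+shared" or "identity"


def issue_credential(user, now, ttl=timedelta(hours=1)):
    """Identity-based access: only a currently active identity gets a credential."""
    if user not in ACTIVE_USERS:
        raise PermissionError(f"{user} is not an active identity")
    return Credential(subject=user, expires=now + ttl)


def access(cred, now, action, log):
    """A resource accepting an identity-bound credential logs the real subject."""
    if now >= cred.expires:
        raise PermissionError("credential expired")
    log.append(AuditEvent(actor=cred.subject, action=action, via="identity"))


def who_did_it(event):
    """Return the set of people who could have performed the logged event."""
    if event.via == "identity":
        return {event.actor}                      # exactly one person
    return SHARED_ALIAS_HOLDERS.get(event.actor, set())  # everyone who knows the alias


def demo(now=datetime(2022, 1, 1, 9, 0)):
    log = [AuditEvent("dba", "DROP TABLE users", "vpn+shared")]  # constructed VPN log line
    access(issue_credential("alice", now), now, "DROP TABLE users", log)
    return {"shared": who_did_it(log[0]), "identity": who_did_it(log[1])}
```

Running `demo()` shows the shared-alias event resolving to three possible people, including an ex-employee, while the identity-bound event resolves to exactly one; `issue_credential("carol", ...)` is refused because the identity is no longer active.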
The scaling of hardware, software, and people has created an ever-growing complexity problem, making computing environments less secure. To combat this, the industry must prioritize the consolidation of all remote access protocols under a single-solution umbrella, so that identity-based authentication can negate the need for perimeter-based, network-centric access solutions. If we execute on these initiatives swiftly enough, government involvement may not be necessary.