My wife showed me a really cool video today summarizing a lot of pretty heavy information about COVID-19. If you don’t want to read the rest of today’s email and simply watch the video, that’s fine. I think it’s excellent, and we can talk about more security stuff tomorrow.
Otherwise, let’s get on with it.
There’s a lot you can learn from this video on so many levels—not the least of which is how to turn 31 A4 pages of reference materials into an 8 and a half minute video. Because the purpose of what we need to do in security is to summarize, explain, inform, educate, and provide plausible confidence that we understand what we’re doing and things are under control. Or, if they aren’t, that we know how much not under control they happen to be, and, oh, by the way…
…here’s our plan for sorting it out.
Now, having warped my brain over the last 14 years to see the world through the lens of the core SABSA concepts, one of the first things that jumped out at me when I watched this – which, admittedly had been brewing in the back of my brain for a couple of days now – is what lead to the subject of today’s email.
I’ve talked about this before a couple of times in the last 6 months or so, but one of the reasons I think it’s so easy for security people to get divorced from the organizations we protect is that, when you tear away all the rest of it, at the end of the day, all we really have in our arsenal are two very closely related things:
- Awareness of the threats we face, and
- The access control mechanisms we have available.
And our goal in all this is pretty binary: keep the bad things “outside” through well-considered control implementations.
Sure, it gets all complicated and nuanced and we often do a really bad job of identifying the boundaries that are important because our thinking is limited by the resources, technology and information we have available to us. But, those two factors are what matter most.
Unfortunately, we tend to take a pretty technology-centric view of both of those factors, and then we slip into the “more is better” mantra that gets us into trouble because the degree of “locked-ness” is generally the inverse of the degree of usability. And when we fail to vamp on those two things sufficiently to understand the context and capabilities we have in the big picture to deal with the minutiae of the individual machines, that’s were we lose our way and start earning our bad reputation of Security as Killjoy the Business Blocker.
So, back to the video. At about 50 seconds in, it starts talking about how the coronavirus spreads, and unless you’ve been under a rock, that is generally through droplets containing he virus escaping from an infected person and coming in contact with a non-infected person.
Normally, this is through the exchange of bodily fluids like spit, snot, and mucus expelled through sneezing, coughing…or, like the mask-wearing asshat on the tube now with a warrant out for his arrest, by smearing your spit on the hand rails of the metro. Of course, I’m guessing the excretions of the arse end of the ape are also likely conduits for transmission since these have been proven to be the case in the past.
The problem we need to solve for avoiding the transmission of the coronavirus is actually the same problem we need to solve in our more mundane – and decidedly less pandemic-y – day-to-day security work. We have to understand the context, we need to build an architecture to help us understand what our exposure really is, and then we need to apply a set of available controls to prevent those risks from materializing.
And we can do all this with SABSA domains and the basic rules you get from The Blue Book or Foundation.
Two independent domains represent the two bodies. One’s infected, and one isn’t.
According to the laws of domains, each independent domain manages its own access control through the domain boundary. In our case, we have 3 main gateways to worry about:
- The eyes
- The nose, and
- The mouth.
However, one of the “features” of the domain boundary that is our body is that we have these two appendages that move around the place—our hands. So we can almost think of them as a communication service between the outside world and inside our domain (body). The environment in which the two humans interact is a containing superdomain, and it too has some communications services like air that allow information to pass between elements in it.
So the most direct potential controls you can apply to manage the access between what’s outside and inside your domain of interest (our body) is to directly and explicitly manage the ability of the air to interact with those explicit service interfaces we expose through our eyes, nose and mouth. That means:
We wear goggles or glasses to cover our eyes.
We wear a mask to cover our nose and mouth.
And if we do this, we’re effectively managing the interaction between those two domains—assuming we’ve selected the right control vendors that actually deliver our requirements.
However…our customer (us) says that this set of controls is too restrictive for whatever they want to do—like maybe eat something.
So, we need to take a step back and re-evaluate our options. We understand our environment, we’ve mapped out the domains, and we’ve established some boundaries.
Once we’ve done this, we can see what other kinds of options and constraints we can twiddle to see how well we can meet the needs of our customer.
So “social distancing” with 1m between people who are coughing and sneezing. That’s a potential control, but it’s not one we can always directly manage. This is fine, because it’s the #2 of the things we ultimately have to work with. However, if we fail to completely understand #1 and how they interact with our ability to manage #2, we could easily find ourselves relying on our “social distancing” control right up to the point where we hop onto the tube and end up inadvertently massaging someone’s prostrate with our laptop bag.
If we can’t reliably manage those controls, and the most direct controls aren’t acceptable to the customer, then we need to find another way. We can secure the communications channel we manage between the outside world and the inside by:
Washing our hands—a lot, and using sanitizer where we can (assuming you can find any)
Avoiding touching our primary service interfaces of our eyes, nose and mouth with our hands.
However, in relying on those controls, we need to understand that we’re actually asking people to change their behavior—just like we are with social distancing…
…and just like we are with many of our organizational security controls.
And, psychology says…behavior change is hard.
Recognizing this, we bring in bigger guns, in an even wider context:
And when that doesn’t work, we enforce quarantine—maybe like the €30,000 fines like in Spain.
And when that doesn’t work (or maybe as an attempt to prevent that from being necessary), we draw more boxes at the local, territory and national level where we try and enforce our access control mechanisms at each boundary we either physically or logically create.
I could go on, but I think you get the idea here.
One of the reasons we’re failing to manage this pandemic isn’t because we weren’t ready with our BC/DR plans. It’s because we didn’t think through the problem. And, given that we’re working in a global network of siloed decision-making down to ultimately each individual living on the planet…
…thinking we can keep everyone safe without a model…dare I say an architecture…that was well defined, clearly communicated and consistently used to coordinate an objective and reasonable response…
…makes about as much sense as trying to do security in our organizations solely based on “best practices”, foxy frameworks and standardized controls sprinkled around the place like toilet paper the morning after Halloween.
Without structure to our thinking – and without a way to document and communicate the structure behind our thinking – there’s only one outcome:
My hope is that we’re going to learn from this, and we’re going to be able to understand and analyze after the fact how everything is connected, and everything fits together in this complex, globally-interconnected world we live in today.
At the very least, I hope it underscores the importance of actually understanding the architectures you have in your organization. Because without that understanding, you’re worse than flying blind. Far too often, all you can do is guess.
What I want you to take away from today’s email – which admittedly ended up being a bit heavier than I’d originally intended – is simply this: everything has an architecture. It’s the degree to which you understand what that architecture is and how its elements interact that determines how successful you’ll ultimately be in getting what you want—whether that’s managing a global pandemic or simply being able to continue delighting your customers.
If you want to think more deeply about this and how you’re doing it in your organization, I might be able to help. I’ve no idea, because there’s too many variables that, right now, I couldn’t begin to guess. What I do know is that I’ve been able to do it for other people, both large and small, for the last several years. If you want to talk about it, here’s the link to make that happen:
This stuff we’re going through right now is pretty serious, and not everyone is taking it as seriously as they should—especially depending on where in the world you actually are. And, much like our own, isolated world of information and cybersecurity, you won’t often know you’ve been impacted until it’s already happened.
However, in this case, we do know what to do—as long as we pay attention to what’s happening around us. And we know it works. We just need to make it happen.
And stay safe,
Andrew S. Townley
Archistry Chief Executive
1. This video is called The Coronavirus Explained & What You Should Do, and it was produced by a group called Kurzgesagt, which is German for “In a Nutshell”. The video itself is here: https://www.youtube.com/watch?v=BtN-goy9VOY and the research behind it is here: https://sites.google.com/view/sourcescorona/startseite?authuser=0. I think it’s worth 8 minutes and 34 seconds of your time to watch—even if it tells you stuff you probably already know.