Author: Brian A. McHenry / Source: Information Security Buzz
Complexity is the enemy of security. I first heard this truism in an interview with Bruce Schneier back in 2001. In the years since, infrastructures have only grown more complex. Virtualization in its many forms is a chief contributor to that complexity: containers within hypervisors within clouds within data centers. As the barriers to rapid deployment have fallen, the complexity and sprawl of infrastructures have grown. Application-layer technologies continue to advance, creating vulnerabilities ripe for exploitation. In attempting to combat attacks on these complexity-related vulnerabilities, the complexity problem is worsened by adding one point security solution after another in the data path.
In general, we infosec practitioners have become very proficient at network security. The complexity is largely at the application layer, and successful attacks, from data breaches to account compromise to DDoS, are most often attributed to application-layer exploits. Organizations like OWASP and ISSA have done great work in raising visibility around application security. Technologies like web application firewalls (WAF), runtime application self-protection (RASP), bot detection, and fraud protection have become much more common as a means of enriching and enhancing the security posture of the application code.
Recently, with many cloud platforms (IaaS, PaaS, etc.) providing a great deal of built-in security, and with the rise of container-based deployment models, it has become fashionable to over-simplify the network infrastructure. Network-level security controls such as segmentation and firewalls are dismissed as obstacles to the flexibility of the cloud. While complexity may be the enemy of security, over-simplifying removes the security controls that are the foundation of our proficiency at that layer.