Over the last few years my brain has made a transition from the day-to-day transactional "fire fighting" mindset to more of a strategic "fire prevention" line of thinking. More and more I've noticed that many of my most useful thoughts and ideas have come to me while engaging in activities that have absolutely nothing to do with technology or my job. I've been able to solve complex issues that I've been stuck on, create new processes, figure out how to help close a deal, or even realize a new gap or need for my clients, all while watching a movie, taking a shower, lying in bed, or performing any other day-to-day life activity. My latest theory on IT Security came to me while watching the movie "The Da Vinci Code".
“Forget about keeping thieves out, now we keep them in.”
These words were spoken by Captain Fache of the French Police to Professor Robert Langdon (Tom Hanks) while walking through the halls of the Louvre Museum (Paris) in one of the opening scenes. For those that have not seen this movie, Langdon was summoned by Fache to help him investigate the murder of Jacques Saunière, Curator of the museum, and while walking through the halls to get to the crime scene Langdon observes some security cameras mounted on the walls and asks Fache:
“Are any of those real?” (Pointing and referring to the surveillance cameras)
“Of course not!” Says Fache
Langdon (Hanks) was not surprised. Video surveillance in museums this size was cost-prohibitive and ineffective. With the Louvre being one of the largest buildings on the continent, it would require many technicians simply to monitor the feeds, not to mention all of the other overhead such as human error.
This scene really made me think heavily on how many in the industry might be driving down the wrong road when it comes to their IT Security strategy. These days, the typical approach of products related to IT Security seems to be aligned with the notion of adding more "surveillance cameras", i.e. keeping the threat out. Just look at the waves of Intrusion Detection/Prevention technologies that have flooded the market. After some research I found a few articles like this which confirm the enormous amount of money ($50+ billion) that companies are spending on IT Security by implementing solutions as new vulnerabilities are discovered. The problem is that breaches are actually rising, and the typical approach of bolting on "cameras" and other surveillance products doesn't seem to be working, especially since many of them still rely on the human factor and also because of the sheer size and complexity of modern-day networks. As an example, one of my Hedge Fund clients went with a $40K-a-year solution from one of the most respected Security firms in the industry to actively monitor their internal/external network, only to have sample data loss scenarios missed multiple times on different occasions by this vendor. The company's response? "We are very sorry, we are working to improve <Insert Broken Human Reliant Process Here....>" As you can see, the method of bolting on a security product to fill this hole isn't working. I'm not saying these solutions are completely useless, as I believe in multiple layers of defense; I'm just saying that there might be alternative approaches out there right under our noses.
Getting back to the story, Captain Fache described the "containment" (sometimes called sandboxing in IT) strategy that the museum uses. Their goal is to trap the criminals inside: as soon as any critical art is tampered with, the exit paths are blocked by bars that come out of the floor and ceiling. If the thief can't leave the museum with the valuables, nothing is lost, and this also makes for a very effective deterrent. Now, how can we translate this model into our world?
This is where I started to think of different methods and performed some more research on vendors that have worked on a containerized approach to IT Security. I remembered that Good Technology and other MDM vendors have done this for mobile devices, so I then started researching similar things on the desktop side. My theory was simple: internal users are usually the worst offenders. They plug in rogue USB drives, they open attachments that have viruses, they click a link that should not be clicked, and so on, and funnily enough many IT Admins are sometimes worse than the users. For data to leave the enterprise it needs Internet connectivity so it can get out of the network with the valuables and into the hands of the thieves; in regards to IT Security you can consider the Internet Public Enemy #1. If we could somehow, in a convenient and transparent manner, segregate a user's desktop into a Public/Private model, that just might work. The "Public" desktop is where the user performs any activity that relates to the Internet; at no time can Enterprise data sit on this machine, nor will it have access to internal critical company resources. The "Private" desktop is where all corporate data would be accessed from. If the "Private" desktop were somehow to become infected (USB virus, etc.), there is a much smaller chance that data can walk out of the network, since there is no Internet access on this machine. That is where we "Keep the Thieves In"!
After more research I found that this concept has been implemented in the military, but in a more bloated way that would never be accepted in a typical company. If you look up a picture of a high-ranking military person at their desk, you will see multiple machines at their disposal for different tasks. Some even have up to 5 different machines to use depending on the sensitivity of the data being accessed. Obviously, the last thing we would want to do is deploy multiple desktops to the user; that would be a complete nightmare! Maybe we can leverage existing technology such as Citrix XenDesktop or VMware Horizon View to ease the pain and overhead. The user could have their Public desktop sitting at their desk, but if they want to get onto their "Private" desktop all they would have to do is click a shortcut on the desktop and in a few seconds have their secured, containerized Private desktop ready to serve them.
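To make the Public/Private split concrete, here is an added example (my own illustration, not a product's code or configuration) of the egress policy each desktop class would be held to, written as a small Python policy evaluator you can run over constructed sample flows. The internal address ranges, the resolver address 10.0.0.53, and the flow samples are assumptions for the example; a real deployment would enforce the same rules at the firewall or in the VDI network profile rather than in Python. The Private desktop is default-deny: it may only reach internal networks, and DNS only to an internal resolver (so a compromised Private desktop can't tunnel data out over DNS). The Public desktop is the mirror image: Internet only, nothing internal.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Assumption for the example: the enterprise's internal address space.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]
# Assumption for the example: the only resolver a Private desktop may query.
INTERNAL_DNS = {ipaddress.ip_address("10.0.0.53")}


@dataclass(frozen=True)
class Flow:
    desktop: str   # "public" or "private"
    dst: str       # destination IP address
    port: int      # destination port
    proto: str = "tcp"


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the enterprise's internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def egress_allowed(flow: Flow) -> Tuple[bool, str]:
    """Decide whether a desktop of the given class may open this flow.

    Returns (allowed, reason). Anything not explicitly allowed is denied,
    so an unknown desktop class or an unexpected destination falls through
    to a deny rather than an allow.
    """
    dst = ipaddress.ip_address(flow.dst)
    internal = is_internal(flow.dst)

    if flow.desktop == "private":
        # Private desktop: corporate data lives here, so no Internet path at all.
        if not internal:
            return False, "private desktop may not reach the Internet"
        # Even inside the network, DNS is pinned to the internal resolver so a
        # compromised Private desktop cannot exfiltrate over DNS to outside servers.
        if flow.port == 53 and dst not in INTERNAL_DNS:
            return False, "private desktop DNS only to the internal resolver"
        return True, "internal destination"

    if flow.desktop == "public":
        # Public desktop: Internet-facing, so it never touches internal resources.
        if internal:
            return False, "public desktop may not reach internal resources"
        return True, "Internet destination"

    return False, "unknown desktop class"


def audit(flows: List[Flow]) -> List[Tuple[Flow, str]]:
    """Return the flows that the policy denies, with the reason for each."""
    denied = []
    for flow in flows:
        ok, reason = egress_allowed(flow)
        if not ok:
            denied.append((flow, reason))
    return denied


# Constructed sample flows (not real traffic) exercising both desktop classes.
SAMPLE_FLOWS = [
    Flow("private", "10.1.2.3", 445),          # file server: allowed
    Flow("private", "10.0.0.53", 53, "udp"),   # internal resolver: allowed
    Flow("private", "8.8.8.8", 53, "udp"),     # external DNS: denied (exfil path)
    Flow("private", "10.9.9.9", 53, "udp"),    # internal host but not the resolver: denied
    Flow("private", "93.184.216.34", 443),     # Internet web: denied
    Flow("public", "93.184.216.34", 443),      # Internet web: allowed
    Flow("public", "10.1.2.3", 445),           # internal file server: denied
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(f"DENY {flow.desktop:7} -> {flow.dst}:{flow.port}/{flow.proto}: {reason}")
```

Running it prints the four denied flows from the sample set; the point of the exercise is that the Private desktop's policy starts from "nothing leaves" and adds only the internal destinations it needs, which is the "bars come out of the floor" behaviour described above.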
There are many different ways to set this up, but the primary goal of this post was to break ground on this deep rabbit hole and see how viable this theory could be. If we make a small sacrifice we may be able to stop the rise and even decrease the number of breaches and data loss that are occurring every day. I think Virtual Desktops and other emerging technologies can help on the convenience side and make this model much more seamless and cost-effective for firms, and it doesn't necessarily have to be deployed company-wide; it can be implemented in just the most critical departments. Other products such as Unisys Stealth seem to be taking this model and putting it on steroids by encrypting and containerizing data at the packet level, but at a very heavy cost, since it is not a widely deployed technology. With the media putting the spotlight on large breaches and with the everyday viruses encountered by the consumer, Security is something that will always be in the discussion no matter which position you hold in IT. The bad guys are lurking at your network's windows and doors 24x7 looking for new ways to get in, and that forces us to think outside the box in unconventional ways. But just like real life, when it comes to Security there is always a balancing act between protection and convenience.
-Justin Vashisht (3cVguy)