The home analogy – security redefined for the hybrid world

Let’s roll back the time machine a century. Imagine you were a rich individual and you had a huge home with assets that needed protection. What was your recourse? Hire macho security guards with stern faces to ward off miscreants. Slowly the human guards gave way to padlocks, combination locks etc. And then the advent of the home security system – independent and isolated. And towards the latter part of the century, integrated systems with a wired or wireless backhaul to a central command. That then evolved into more sophisticated perimeter security with cameras, motion detectors etc.

But even in the face of such dramatic changes in home security, one principle has remained steady. It is all about the perimeter. Secure the entrance and exits and you are safe.

Which is somewhat surprising and naive, since the increasingly connected home of today – be it your connected thermometer, refrigerator, TV, vacuum (yes remember Roomba from iRobot), Alexa etc. the home security needs to encompass the security of these systems as well. Furthermore, unlike the venerable physical security systems which operated independently, these connected devices establish peer-to-peer links for a more pleasurable and efficient experience – at least that’s the market promise.

Case in point. Your connected mattress signals the coffee-maker that her mistress has woken up and the connected tooth-brush dictates to the connected microwave to start boiling the egg. It isn’t as fictional as it sounds.

And unlike the relatively immutable exterior and interior security of the house, these systems are collecting a ton of information consistently as well are being updated themselves from a software perspective which makes protecting them more difficult as they are a very fast-moving target. With this expanded scope and recharacterization of home security, the definition of home security should read “protecting the physical and digital assets of your home”.

But this article isn’t about the digital home security. Instead, it is about security in the cloud and how we can draw upon the analogy of our home security to make a connection with security in the data center versus security in the cloud.

The traditional data center of the past and present is much like the home of yesteryears. The security focus has been on the perimeter. Why? Because all the servers, storage, applications have been carefully vetted and tested and stood up and there is a sense (sometimes misguided) that all of the threat vectors are on the outside and security the data center perimeter is necessary and sufficient to keep the miscreants at bay. And yes, this perimeter security has evolved from a stateless firewall to a stateful firewall to an application-centric firewall. You can throw in intrusion prevention systems, malware sandboxes and pretty soon your hands are full. Focused on the perimeter.

Now let’s fast forward to the cloud. If you have been steeped in data center technology, the tendency to treat the cloud as an extension of the data center – except it is running remotely – is very real. How would this manifest itself? You could create a virtualized software model of your firewall, intrusion prevention system and treat cloud security as virtual perimeter security.

Necessary but far from sufficient. How so?

Just like the digital home that we talked about earlier – connected toothbrush, mattress, coffee maker, refrigerator, TV etc. – the cloud offers a ton of native services. Virtualized, Container-based, Serverless, Storage buckets, Audit trails, AI models etc. And they are almost always accessible via API (application programming interfaces) to the outside world as that is how they can be availed. More powerfully, these services call on each other. For instance, a compute instance could be writing the data store using an admin credential that could be backing up using a backup admin credential to a remote location. As you have probably guessed, this model is so vastly different than the data center world, that the security paradigm needs to be reoriented as well. In a nutshell, security needs to encompass both perimeter security as well as API security.

But there is more to it. Unlike a traditional data center, where the pace of change of rolling out new capabilities was measured and deliberate, cloud feature and service evolution are rapid. These evolve at a dizzying pace with new features being rolled out every single day and by the same token features getting deprecated as well. And that requires the constant and continuous upkeep of security best practices just to maintain the same risk level. Sound like a lot. Yes, it is. And there are tools and services that can help with this. But this is one big stumbling block towards attaining and maintaining the targeted level of security in the cloud.

Mindset change. The unlearning and relearning. The human element. Ditto for your connected home security. Everything else is elementary as Sherlock Holmes would say.