Dept. of Know Live: Sounil Yu on DIE security model | Fastly
It’s no secret that security is often thought of as a barrier to business innovation. The security team gets their hands on a project, identifies potential security risks, and the project dies on the vine — at least that’s the box far too many people still put security in.
But like former Twitter CISO Rinki Sethi mentioned in the first installment of The Dept. of Know Live!, security should really be seen as a partner for the business. Last week, I joined the series to chat with Kelly Shortridge and Bea Hughes about the DIE model, and how this security framework enables businesses to take risks and drive faster innovation.
Watch the discussion here, and read up on a few of my favorite takeaways below.
1. Evolve from risk reduction to impact reduction
Traditionally, we have viewed security as a risk reduction function, with the security team focusing on monitoring risk and mitigating threats. Security teams perform threat models, consider what might disrupt the business, and evaluate alternative scenarios, enabling innovation in a sense by forcing business partners to think differently about the business initiatives they’re jumping into. This way of looking at security can be characterized through the well-known CIA triad, an infosec model designed to guide an organization’s security policies based on three core components: confidentiality (keeping data private), integrity (ensuring that data is accurate and reliable), and availability (making data available to users whenever it’s needed).
Another way to look at security is as an impact reduction function. To some extent, focusing on reducing vulnerabilities and threats is futile; you can patch every vulnerability out there, but tomorrow there will be a new batch — and there will always be attackers seeking to do harm. What is in our span of control, however, is reducing the impact of those threats. Then, we can take more business risks without worrying that we haven’t secured ourselves against every threat that exists.
This model for security can be embodied through the DIE triad, an alternative to the CIA triad that emphasizes designing systems to be:
Distributed: preventing dependence on a single system
Immutable: making assets impossible to change
Ephemeral: designing assets to have a short and defined lifespan
Ultimately, building toward the DIE model aligns more naturally with business interests and allows us to innovate faster by reducing the need to ensure the confidentiality, integrity, and availability of systems.
2. Embracing the DIE model may require moving past discomfort
Every organization will have assets that are managed through the CIA triad and assets that are managed through the DIE triad. This is where the analogy of “pets” and “cattle” comes in. Pets are those irreplaceable assets that must be secured, monitored, and carefully repaired if they’re damaged — those you build to be aligned with the CIA triad. Cattle, on the other hand, are expendable assets that can be disposed of when there is damage. For these assets, it should be a question of how you can make them as low in value as possible through designing them to be DIE so that even if they are vulnerable, the impact is not worth the effort it takes to fully secure them. That shift in attitude is going to be immensely uncomfortable for many security practitioners, but pays off by making your systems more resilient and quick to recover.
3. The tendency to add security bolt-ons hinders innovation
In security, we’re often burdened by the thinking that we have to constantly add new bolt-ons to security tooling, which can hinder innovation. The DIE model is a framework that allows us to move away from the inclination to add, and focus instead on how we can enable innovation through the processes of subtracting, dividing, and multiplying.
For example, serverless computing is an example of ephemeral infrastructure that is ultimately about subtracting the need to maintain a server, then multiplying computing nodes so you can build innovative applications. Security leaders should really embrace and support this way of thinking because it reduces our burden of securing more and more “pets.”
To sum it up
Truly making security an enabler of innovation requires reconsidering how we’ve typically thought about security. By embracing the DIE model and looking at security as an impact reduction function, we can take more risks, align security with the drivers of business, and enable faster innovation.
Watch our full conversation on demand, and tune in later this week on March 17 at noon PDT when Omar, Staff Security Engineer at Betterment, joins The Dept. of Know Live! to discuss how building more modern applications means building secure ones.