John von Neumann once made the following assertion: For small mechanisms, it’s easy to see how they work, but not what they do. In contrast, for large systems, it is easy to see what they do, but not how they work.
Based on nearly forty years in cyber security, I’ve come to view this as the central challenge in securing large-scale systems: We know what our systems are intended to do, but we don’t have a clue how they actually work.
Look at the picture above. The simple mechanism on the top left is a pump that drives the radiant heat in my home. One of these pumps recently broke and the repairman came and replaced it with a newer model (circled in the diagram on the right).
When asked how the pump works, the repairman described it perfectly and completely. A quick Google search offered a simple diagram (see picture in lower left above) that confirmed the explanation. The newly installed pump worked the same but had more oomph.
When asked how the overall system worked, the repairman could explain the system from end-to-end in great detail. My wife (no technical or plumbing background) also has come to understand the system and often diagnoses issues perfectly and accurately.
If you do enterprise cyber security for a living, and you are wondering what the goal of our profession might be – I would offer the above plumbing use-case as exemplary. When we can point to a component and understand it completely, upgrade or replace it trivially, and then get back to other matters, we will know that our profession has arrived.
Now a test for you: If I asked you to show me how your IAM works in the context of your overall cyber security scheme, could you do it? Or how your cloud container security orchestration works? Could you do it? Do you have a detailed and accurate diagram?
If you are honest, then I suspect you will understand the task at hand – and will get to work at once with this: You must demand simple components, and you must fight the urge to accept additional complexity. If you cannot explain it and diagram it, then it’s too complex.
That is the secret to securing your infrastructure.