The MIT Technology Review recently reported that researchers at the University of Washington had embedded malware in a strand of DNA and used the infected DNA to hack into a computer.
When I read this report, I finally accepted the following: We took over from the Neanderthals and created and pushed the advancements that have allowed us to, pretty soon, turn things over to the machines. As a civilization, we had a good run, but it might be time for us to ride off into the evolutionary sunset.
Naturally, I am not being too serious about our impending doom, but the story on biological malware does remind me of two important developments. First, the pace of technology-driven change is accelerating. Second, the information and data security landscape changes all the time.
What are the practical implications of these two important developments? We should be reviewing, analyzing and, possibly, implementing new technologies. But, as we do that, we should have processes and guidelines in place that help us identify and, as much as possible, minimize security risks that come with new technologies.
Does this put us into some type of Catch-22? Yes. The new technologies could be changing rapidly enough that we cannot anticipate the associated security risks. In many cases, we will find the risks only after we have implemented the technology. We are then scrambling to plug the holes and hoping to get things done before the technology and the threat evolve. What are we to do?
It seems to me that there two things we can do outside of the technologies and threats that can help us maintain a good security posture and minimize security risks.
Tightly define data access
Some of us old-timers recall the days of data dictionaries. Back when it was expensive to store data, we were pretty careful about our data structures. We took our time to define data dictionaries to make sure that data existed in as few places as possible but was made available to the correct consumers of that data.
There is now less pressure to standardize data across use cases, but there might be one aspect of data definition that remains critical: Who or what needs access to that data? And, starting with an assumption that no one and nothing should have access to the data, we back up until only those who really need access have only the access they need.
This thinking extends beyond humans and into services. In today's system architectures, it is often other systems that are accessing data. So, we need to extend our definition of data consumers and their access rights to include other applications and services and then build permission rules to eliminate unwarranted data access.
Abstract security from the technology
With so many changes in technologies and threats, is it even possible for the various technologies to keep up with security demands? Or do we need to separate security from functionality? Should we look for security tools (permissions, analytics, rules and so on) that exist outside of, or at least complement, the internet of things (IoT), blockchain, cognitive systems and other advanced technologies?
Taking this approach, we can manage security on a separate innovation track from the specific technologies and, perhaps, deal with evolving threats without having to upgrade the specific technologies. Admittedly, this adds complexity, but a loose coupling of technology and security might actually simplify how we deal with the future of both the technologies and the threats.
For example, some of us struggle with minimizing security risks around IoT. Perhaps we trust the IoT providers to provide some level of security in their products, but do not stop there. We then overlay additional security-centric technologies on top of whatever the IoT providers include; this could be software that observes and flags behaviors across all device types, including IoT. The traditional security provider might deploy patches and respond to threats on a faster cycle than the IoT provider, in addition to covering a broader range of threats.
We live in a world of ambiguity, uncertainty and speed. In such a world, we have to assume that what we do tomorrow to minimize security risks will be different from what we do today. How do we prepare for a rapidly approaching unknown? My answer seems to always come back to two things: tightly defining some core rules (like data access) and loose coupling (so we can replace only what we need to replace and not everything that is connected with what we are replacing.)
Machine learning will help, but not eliminate, cyberthreats
Threat hunter: A new information security role comes to the fore
I am human; therefore, IT security doesn't come naturally