It’s an established problem that many organisations have too many security tools deployed. Each one requires expertise, integration points and patches, and in many cases they can even extend your attack surface. I recently read this article by Rick Howard from Palo Alto Networks* and it calls attention to the fact that platforms which don’t integrate [easily] are likely to fail the test of enterprise deployments and will not be extensible in the long term, minimising the value they bring to the business.
[…] most network defenders. For their entire careers, they have been trained that vendor-in-depth and best-in-breed are golden principles in cybersecurity. When all else fails, follow the golden principles. […]
Ironically, these same network defenders have missed the point advocated by Geer’s monopoly paper. In it, the authors advocate several actions designed to limit the attack surface of the Microsoft operating system platform:
- Publish interface specifications to major functional components of its code, both Windows and Office.
- Foster development of alternative sources of functionality through an approach comparable to the highly successful “plug and play” technology for hardware components.
- Work with consortia of hardware and software vendors to define specifications and interfaces for future developments in a way similar to the Internet Society’s RFC process to define new protocols for the internet.
[…] you will find that adopting a security platform that integrates with other vendors is exactly the same solution.
Rick’s conclusion is valuable and, in my experience, a path only some vendors are taking in this space.
Publishing open APIs and carefully documenting how to extend and integrate the software with other vendors should be the baseline and not a ‘gold standard’.
*Note that I don’t endorse Palo Alto Networks; I just found this article informative and in line with my own beliefs.
I was first told about the emerging ‘Solid’ project by a colleague at work.
From the creator of the World Wide Web, Prof. Tim Berners-Lee, co-lead of the Decentralized Information Group at MIT’s Computer Science and Artificial Intelligence Laboratory (CSAIL), comes a proposed solution to what many see as a growing corruption and eventual destruction of the Web in its current form: the erosion of net neutrality, constant attacks from compromised IoT devices and zombie hosts, and, even more troubling, the perpetual collection, storage and sale of our personal data by data brokers, social media providers and marketing networks.
This emerging project seeks to give control of the underlying data back to its original owners: you.
On the better web Berners-Lee envisions, users control where their data is stored and how it’s accessed. For example, social networks would still run in the cloud. But you could store your data locally. Alternately, you could choose a different cloud server run by a company or community you trust. You might have different servers for different types of information—for health and fitness data, say—that is completely separate from the one you use for financial records. (Wired)
The project’s website outlines the primary offering:
- True Data Ownership: Users should have the freedom to choose where their data resides and who is allowed to access it by decoupling content from the application itself.
- Modular Design: Because applications are decoupled from the data they produce, users will be able to avoid vendor lock-in by seamlessly switching the apps and personal data storage servers, without losing any data or social connections.
- Reusing Existing Data: Developers will be able to easily innovate by creating new apps or improving current apps, all while reusing existing data that was created by other apps.
I look forward to following the evolution of this project and hope it’s successful in its aims. I recommend checking out their Twitter account and also the Solid GitHub project.