Don’t Make It Too Simple

I wanted to take some time to talk to you about the metaphors we use and how they distort the picture we make in our heads of all kinds of things like file storage and access points. So, let’s start with an easy one: your computer’s network.

Now, you know what that looks like, right? Of course you do. We’ve got all kinds of metaphors to help you paint a picture in your mind.

The metaphor we usually use in security is that your network should be a fortress. It’s a useful image when we’re talking about entry points and hardening, but it also runs the risk of getting us into trouble.

When we picture network defense as a castle, we’re really thinking about an antiquated view of how threats get in. One way in, one way out.

Just like the invention of more powerful siege weapons made the real castle obsolete, changes in technology (not the least of which is the cloud) make that fortress metaphor somewhat counter-productive in some important ways.

How so?

Okay, let’s talk about the kinds of things that we find. You know the parts of the system that you use in the day-to-day operations of your business, but can you keep track of where all your information really is? Of course not.

The interface of a monitor and keyboard gives you the illusion that everything is in one place, but really, you’ve got data on the cloud, spread across multiple servers.

You have password managers operating the locks on your vaults, and third-party applications storing private information in the form of documents.

It's comforting to imagine a single gate watched over by a battalion of soldiers, but when we analyze networks, the thing we find time and again is a side door that isn’t being watched at all.

The point is, it isn’t one thing. The “side door” could be a port with the wrong configuration, or a browser that’s storing a treasure trove of passwords.

Okay, if those metaphors can get us into this much trouble, why use them at all? Simple: we need them.

We use a shorthand to talk about these things because it gets us in the neighborhood, and that’s fine…as long as you remember that when you need to get more specific, it’s best to do so without leaning on a “pretty close” image.