Security Principles Stand the Test of Time
My early system administration days were spent installing single purpose machines on dedicated hardware. Then I watched the world move to virtualization and I built a company's entire server farm on a cluster of machines connected to an iSCSI SAN. I then watched as we moved our virtual machines to "the cloud" and eventually leaned even further into virtualization with Docker and Kubernetes. Side note, if you don't know why it's called "the cloud", find some old Vizio network diagrams.
With each new technology new security concerns arose and I had to quickly wrap my head around those concerns. Thankfully, during my on-premise work I learned a lot about network segmentation, workload separation, user management, and access control. Those core principles are what allowed me to secure each new infrastructure paradigm, even if I didn't fully understand it yet.
Today, if I had to secure some new infrastructure paradigm I've never worked with, I would approach it by asking a series of questions based on those core security principles and suggest changes based on the answers. I can ask the same set of questions no matter what infrastructure paradigm is used because they are so foundational to securing any infrastructure. My starting questions are:
- Where does the infrastructure live?
- Who has access to the infrastructure and at what level?
- Is the infrastructure managed, by who, and at what cadence?
- What workloads are running on the infrastructure?
- Do you have sensitive workloads running on the same infrastructure as non-sensitive workloads?
- At what permission level do the workloads run?
- What can the workloads access within and outside the infrastructure?
- What users can access the workloads?
- What level of access do they have to the workloads?
- How do we ensure availability of the infrastructure?
You may wonder how I would answer these questions if I don't yet fully understand the system I'm trying to secure. Well, I wouldn't answer the questions, I would expect the system owner to answer these questions for me. If I can't get help from the system owner, then there is a different set of problems that need to be addressed first.
As a hiring manager, make sure you are looking for team members who have a strong understanding of security principles, and as a security practitioner, make sure you are helping system owners learn core security principles. Tech stacks change too quickly to expect anyone to keep up with all of the security concerns, but good security principles stand the test of time and all we have to do is apply them.