As security analogies go, one that I have heard often compares security to a piece of candy. The outside of the candy is hard and crunchy and the inside is soft and chewy. The idea here is that the outer layer, the perimeter if you will, is hardened to protect us. This is where we do most of our security "stuff" to keep the bad guys out. Of course, once you get through the hardened layer of security, the inside layers are much more gentle, because we assume you are supposed to be there, so let's minimize any further disruption. With this analogy in mind, I was battling the annual outbreak of thistle in my flower beds. This spring is especially bad because we did not get mulch last summer, so there really is no layer to prevent this meddlesome weed from going full bore and consuming every inch it can.

For the sake of those who have never had to remove thistle: at first glance it looks a bit prickly, but not overwhelmingly so. However, if you grab the weed without the benefit of gardening gloves, you will quickly find the very sharp barbs digging into your skin. Even if you have gloves on, if they aren't thick enough you will still feel the sting. Over the years I have found the best approach to removing these weeds is to actually expose the root, which has no prickles, and pull it from there. You may be thinking at this point: why not just chop it off and be done with it? Well, if you do that, the deep root of the thistle will simply regenerate and you will be back struggling with it another day. So getting down to the root and then pulling the whole thing out is the best approach I have found.

So we now arrive at my new analogy: security is like a thistle. On the surface, where everyone can see, it is sharp and unforgiving, but below the surface it is soft and vulnerable. Since the systems we are trying to secure are meant to be accessed by someone, there has to be a point of entry. The candy with the hard crunchy shell presumably has to have that shell broken in order to get to the inside, but allowing entry into our systems doesn't necessarily break the security. This is why I think our security models lend themselves more to the likeness of the thistle. We try to bury our roots and place our security on the visible parts of our systems. However, given the proper amount of time and motivation, someone can find a way to get at our soft roots, either by circumventing the controls through a vulnerability in another part of the system, or by obtaining user credentials in an unauthorized manner.

Another observation I made about the thistle, which ultimately led me to realize that going at the roots was the best approach, is what happens when thistle grows inside another plant. When pulling thistle out of some evergreen bushes I noticed the prickles did not start until after the plant emerged from the cover of the bush. Sure, there can be some pain in reaching into the bush itself to get at the exposed part of the thistle, but you can also move parts of the bush out of the way. This made me think about how organizations treat connections to third parties. Does your organization maintain the same level of security for these connections as it does for other outside parties, or is reliance placed on controls at the third party as a reason to reduce your organization's own security measures? If you are relying on the third party's controls, how do you gain assurance that they cannot be easily thwarted in order to access your systems?

At the end of a day pulling thistle I don't come away completely unscathed. My hands usually burn with some pain after grabbing the wrong part of the plant or working around the other protective bushes. That said, I will endure the pain to remove the overbearing weed, just as a determined attacker will endure discomfort to gain access to a valuable asset. This means we need to evaluate all of our entry points and make sure the proper security measures are in place so they can't get to our roots. We can't just rely on surface security; we need to get below the surface and make sure the pain continues all the way down, before our roots are finally exposed.

Thoughts of a madman or an interesting approach? You decide, and let me know.