Commandments For The Speed Of Security

Editor’s note: Steve Herrod is managing director at General Catalyst Partners and the former CTO and SVP of R&D of VMware. 

PF Chang’s. Domino’s. eBay. Home Depot. Neiman Marcus. Sony. That isn’t just a list of wildly successful companies, it’s also a list of hacked companies; companies whose security was profoundly, publicly compromised. And it’s just a very small sample of a much larger set.

The problem is not just that our industry’s approach to security is compromised but a fear that this seemingly exponential increase in security threats could lead to even worse security, especially when married to an equally urgent emphasis on speed and usability.

While “security” is the word on everyone’s lips and new and more demanding security measures are on everyone’s to-do list, not enough regard is given to what those measures will do to productivity and usability.

Employees in a company, especially engineers and techie types, will circumvent a new process or set of security tools if they find them too onerous. People will use their phones on 4G/LTE instead of going through a wireless access point, proxy or perimeter security device. Or they’ll buy Amazon AWS or SaaS services if their IT department takes too long or has too many hoops to jump through. Or they’ll use a personal Dropbox account if the company’s network shares are the only option.

Any of these sounding a little too familiar? How do we properly handle increased needs for security without forgetting the need for speed? This is the challenge ahead. It’s time to lay down some commandments before users start melting down their gold iPhones and making a golden calf. I’m going to keep it to four, because if I list more you’re going to get exasperated enough to start circumventing them…

Thou shalt not sully the end-user experience

Unfortunately, companies contribute to the agitation of their employees by constantly attempting to fine-tune their products. It’s akin to changing horses in midstream. To create a clear path to use, consider the following steps.

Agents and special apps don’t work. They are clunky and slow you down, leading people to remove or avoid them. They’re frequently buggy and can compromise usability. Don’t create a new set of apps they have to use.

And don’t compromise the web experience by creating blocked categories. Filing a trouble ticket to re-categorize a website is not user-friendly. Employees and users need to use the apps they want and visit the pages they need to do their jobs.

Thine is now a multi-device world

People have a computer at work and at home, a laptop, a tablet, and a phone or two. All too frequently these devices have separate protocols and expectations.

For example, I had to use a VPN at home, but not at work. My laptop required two-phase authentication, but my iPad did not. I could only use Mac Outlook at work, but I could use Apple Mail at home. All of these discordant protocols feel like roadblocks that need to be avoided. And I am not an outlier.

Moore’s Law may or may not endure over time, but the perception that faster is better and an emphasis on being first means that speed is not incidental. So, make things as similar as possible across user experiences or you stand a real chance of losing reliable security processes in favor of that even more powerful urge to get it done now.

Security that works can save your users’ lives and jobs, and security that fails can compromise their happiness and livelihood, as well as damage your company’s reputation, trust, and bottom line.

Thou shalt not delude thyself into thinking thine data centers are static

Agility is huge. Here’s a metric you should employ if you want to know whether a security improvement is going to work: Explicitly measure how much slower it is to provision a server with security than to run it without. If the resulting slowdown is over 10 percent, it’s not going to work.

People use private and public datacenters — implement security that is consistent across the multi-cloud deployments that virtually all mid-size and larger companies will employ in the next few years.

Things move! Today’s IT world has applications popping up and down frequently, and applications no longer stay on a single machine, making it hard to use the traditional machine- or location-centric approach to security. Your security must be just as speedy and move with them.

New containers cometh. Be ready.

We need security policies that work regardless of where an application is deployed. Back in the day, applications were always on bare metal. Now VMs dominate. Tomorrow it will include containers. Container computing, such as Docker and LXC, allows you to run a single application efficiently (not to mention quickly) in the cloud, without having to dedicate an entire OS. Container usage is growing quickly and is carrying more and more of the computing needs, allowing for greater flexibility. We must secure them.

And who knows what it will be after that. As with the multi-device and multi-cloud commandments, we need a security approach that treats these as consistently as possible.

Four commandments all focused on a consistent and user-friendly approach to security that supports the user experience and acknowledges the need for speed. There is some serious company building to do to follow these, and there’s a serious mindset change needed as well. Both will be hard.

Security that works can save your users’ lives and jobs, and security that fails can compromise their happiness and livelihood, as well as damage your company’s reputation, trust and bottom line.

This is a conversation we have to have and we have to make it ongoing. Your responsibility is not just exegetical. Let this be the start of our collective creation of a new scripture of security, one that allows for the real-life actions of living users, not just easy-to-codify prohibitions.

Just as faith without works is dead, so security without usability and speed has X’s for eyes.