Brian Kelly, Chief Security Officer at Rackspace, retired from the military in 1995, after 21 years of service. This was around the time that Kevin Mitnick was making waves in the world of cybersecurity.
However, serendipitously, before he left, he spent some time in Washington, on a fellowship. “Fellows are like unpaid labour in Washington, frequently asked to conduct research and write speeches. So I was tapped to look into something early stage,” Kelly explains over tub-thumping music at the Hilton Paddington bar. “I helped establish the cryptology service centre with over 1000 staff who were very technical. We are talking people with Masters and PhDs as well as engineers and researchers. Today it goes by the name of Air Force Information Warfare Center or 688th Cybersecurity Wing.”
Information warfare in the early-90s was still an experimental subject. We were still talking about what it was and how it could change military doctrine. In that climate, the Air Force was out front building the tech infrastructure that would be of critical help even today.
When asked if it was a startup-like environment at the outset, Kelly agreed. “The US government played the role of an incubator, they put together the resources we would need and then got out of the way for it to develop.”
Obviously, the world has moved on since then.
Fast-forwarding to the present, I ask him about multi-cloud as well as cloud adoption. Does the cloud make the work of an information security professional difficult?
Software defined network
Kelly disagrees wholeheartedly. “The strength that cloud provides is to be able to integrate security. We realised that there is no such thing as a single cloud a few years back. We also realised that a [security] company needed to be able to not just talk across several clouds but also provide solutions across them equally. In fact, we analysed some companies that are in as many as six clouds.
“Cloud is the catalyst we have been looking for, to change the old security architecture. Traditionally, security has been very compliance-heavy. The opportunity we now have because of cloud computing can be used to take control away from networks and put control in the application and user layers to create environments called zero-trust layers.”
“Something interesting that’s come about because of cloud is the ability to create new security infrastructure using the pieces we already have in place. Early stage companies are cropping up that help create the technology for software-defined networks (SDNs). So for example, [you can get] things like one-time authorisation on systems to authenticate you, smart systems that also check where you are, what time of the day it is, [systems that] make sure data follows a pattern. It will negate the need for passwords.
“The beauty of such a system is that you can see and access what you need but [the system] is dark for everything else. So the system is more secure: hackers cannot hack what they cannot see. The trick is in making the network dark for everyone. That’s fundamentally what the SDN is going to give us.
“Verizon has already announced software-defined-networks-as-a-service. And Google’s architecture is already there. So some of these companies are moving aggressively. It’s the most interesting time in a long time. We are still prototyping, [we are at an] early stage but we have been looking at this for a long time. SDN as a service is the answer right now.”
Kelly then goes on to detail how the cyber security industry is currently almost not fit for purpose.
“For the past few years we have seen a ‘tools mentality’ to cyber security, be it antivirus or intrusion detection. The approach is flawed. We have arrived at a point where [the technology] is so complex that it is now the biggest deterrent to sound cyber security.
Complexity is the enemy of security
“It has gotten so appliance-driven that organisations cannot grasp what has to be done. An inventory from the people, process, technology viewpoint should help sort with the tools health check. You will be surprised to see that at least one in three [tools] would be excess to your needs. At least 80% of companies have that problem today.
“Staff should be thinking of ways of enabling the security rather than spending all their time managing tools. If we think about what security has actually worked in the past 2 decades, we will see very little has actually worked.”
And when pressed on what he thinks are the biggest contributions to cyber security architecture in the past decade, Kelly doesn’t lose time before pointing towards encryption and crypto-currencies.
“Crypto-currencies will change the world. It is only encryption that has worked for us in the long term. Crypto-currencies and blockchain came into being because of encryption!”
But what of the stories that we read every day about IoT breaches and encryption failing? He has an answer for that too.
“Encryption by itself is great. The problem is the key. If hackers get the key, you cannot do much about it!”
It is key management that is ‘key’!