The latest compromise via the SolarWinds hack bubbles up an issue I just can’t resist commenting on.
When the internet began to emerge into public conscious thirty years ago, we were all fans of integration to produce functionality. Connect everything. Integrate everything. Centralize everything. I confess I was on that train too. The downside of these directions was not obvious. It was not even visible to anyone but the paranoid fringe. Note: I take exception to those who include me here.
Until the ’90s, important things were physically locked up behind walls and doors guarded by locks and, when really important, by humans. To access this “stuff” you needed to be screened, permissioned, even frisked to be allowed access – in person. Computers allowed us to store a lot of this stuff but, prior to the internet, that computer and the devices that accessed it were also behind those walls and guarded doors so the fact it was stored electronically didn’t change the controls to access it. Don’t get me wrong, this system wasn’t perfect. People did break into places to steal stuff, but it was not easy and pretty risky. It was also pretty much impossible to break into a place and get stuff from over 400 of the Fortune 500 companies.
Then we started networking everything. That included those computers that stored the important stuff. The walls were replaced by firewalls and the locks replaced by passwords. In-person was replaced by a virtual presence via a computer account. interconnecting everything allowed access from anywhere — a convenience.
Next, we started consolidating and centralizing those account/password access controls. PAM modules integrated directories. Again a convenience. Why maintain 10 directories when you can have one? Why make people remember 10 passwords when they can have just one? Sounds obvious and as I said, I was onboard with all this — for about twenty years.
Over time, the evil forces of the world began to attack these electronic barriers. It didn’t just suddenly happen, it evolved slowly but persistently, getting a little worse each month — each year. Heck, I remember putting mail servers on the internet in 1990. No real firewall; just a port filter – why would you need more? No relay blocks because the capability to block a relay didn’t exist yet and why would anyone do that anyway? I guess we know the answer to that now.
The evolution continued to where, at some point in the past, it became obvious that anything connected to the internet could be accessed — Period. I am not sure exactly when that became obvious, but what is clear now is that, although obvious, it is not being acknowledged with behavior. That behavior is simple, if it’s really really important, a companies trade secrets, our military secrets, whatever, DISCONNECT IT!
Now I hear “it’s in the cloud now, the cloud is safe”. Nonsense. Bigger environments use more resources to protect themselves but they are also bigger targets. If the SolarWinds incident has told us anything it is that size is not a barrier in and of itself and even if you are not directly hacked, if a trusted partner is compromised, you may be compromised too.
We should just assume that anything connected to the internet can and will be accessed by someone that should not have access at some point. If it is too important to have that happen, unplug it. The best firewall is a real wall (aka wall-gap network). It can still be on a network but isolated and controlled by it’s own unique access controls — both physical and electronic. Convenience is not a reason to compromise security.
This is obvious to me and has been for a while. When will it become obvious to everyone else?