An icon for a calendar

Published February 3, 2021

How will risk and security change in the shadow of the recent SolarWinds exposure?

How will risk and security change in the shadow of the Cloudflare exposure?

What SolarWinds taught us all, is that trust is both a key component of the cloud, and also an incredible risk, that must be managed.

What happened at SolarWinds is almost an evolutionary theory level event. Evolution has taught as that variation is a key component of success in keeping a species alive. Without variation a disease can wipe out a whole species, it’s happened, and we have the evidence in plant and animal fossils for example. Well in technical terms, we are now all using the same hardware, the same operating systems, the same tool kits and languages, and this creates a very rich target for those with nefarious intent.

We know that viruses impacted windows to a much greater extent that Unix/Linux and iOS. This wasn’t inherently due to windows being an easier technical target (which some might debate it was/is), but a function of the sheer volume of windows machines, Microsoft Windows dominates the desktop market to such an extent, that anyone looking to target users couldn’t ignore.

If every single server in the cloud is using a similar set of infrastructure components, it’s the richest target you could ever imagine. Today’s open-sourced code bases provide an incredible opportunity for anyone with enough time, money and desire to infiltrate. While today we are seeing hacking techniques used to break into environments, what is to stop a government agency spending decades to build wholly legitimate technology with the long-term intent to be part of everyone’s systems, and then to use this engagement at some future point to disrupt?

The concept of sleeper agents is not new, it’s not even a cold war idea, but one that has been fostered for all of human history. Today it is worth governments investing literally trillions in technology for the opportunity that such an investment could offer in years to come.

The obvious question is what can be done to protect from such long term planned threats. The answer is both simple and painful. We have to expect everyone to be compromised, and continually evaluate everything. This is possibly the costliest part of information technology, and while there are some methods that can be employed to reduce the cost, it will never be less than the hardest problem to solve.

The lesson from evolution is to never rely on a single way of doing anything. And in many ways this idea is captured in the concept of blockchain. Blockchain is based on having many copies of the same data structure stored in a complex form, in multiple locations, such that if anyone is compromised the change is instantly noticeable. But it is not a perfect solution in itself, but one of the technical ideas that traps certain kinds of attack.

Another key technique is to look for unexpected activity or activities that were not initiated in expected ways. And there is no getting away from the brute force security concepts of honey traps, sandboxes and penetration testing.  When you pull together all these ideas, with a healthy dose of focused paranoia you have the beginnings of a plan. A healthy mix of innovation (and not always being like everyone else) helps as well.

These are some of the lessons we learned in 2020 and will continue to evolve into 2021.