The traditional confidentiality, integrity and availability, or CIA, security triad may be losing value as security benefits from the distributed, immutable and ephemeral, or DIE, model, according to two security experts.
As enterprises faced modern cybersecurity issues, including cloud-native networks with no perimeter that generate huge amounts of data, experts realized that the security products designed to handle these issues shared design principles that had evolved beyond the CIA security triad. These products, all aiming to make enterprises more resilient, built security by being distributed and by making data either impossible to change (immutable) or short-lived with a defined lifespan (ephemeral).
“The CIA triad emphasizes abstract security goals, whereas the DIE triad emphasizes system characteristics that foster security,” Kelly Shortridge, vice president of product strategy at Capsule8, an enterprise Linux security company based in New York City, told SearchSecurity. “The DIE triad can be valuable in reducing complexity by building in security by design rather than relying on a bunch of bolt-on security solutions.”
Security expert Sounil Yu, visiting fellow at the National Security Institute and instructor at the SANS Institute, said recently at the 2020 RSA Conference that each attribute of the DIE triad has a security benefit that negates the need for the traditional CIA security triad. Yu argued, if data is highly ephemeral, there is less need to worry about it being confidential because its lifecycle will end when it is no longer useful. Similarly, the integrity of data shouldn’t matter if it cannot be changed (immutable), and highly distributed systems and data should always be available.
Discovering the DIE triad
Yu added that the DIE triad could complement the CIA security triad by forcing enterprises to minimize nonessential systems and data to help mitigate attacks that cause irreversible harm.
Yu said his discovery of the DIE triad began with the Cyber Defense Matrix, which lays out the five operational functions of the NIST Cybersecurity Framework (identify, protect, detect, respond and recover) against the asset classes an organization needs to secure, and shows how each cell relies on technology, process or people.
He noticed that products clustered in the identify, protect and detect columns of the matrix, while the respond and recover columns had gaps. In trying to work out why those gaps existed, he realized the matrix also mapped how cybersecurity had evolved over the decades.
The 1980s were all about enterprises just identifying what computers were, how they worked and what they could be used for, Yu said, and computer security wasn’t even an issue yet. In the 1990s, the need to protect computers and networks became clear, leading to security measures, including antivirus, firewalls, vulnerability management and patching.
In the 2000s, Yu said those protection systems were detecting more breaches and generating alerts. And, in the 2010s, security teams began to assume breach first and realized there was a need to respond. So, they created “firefighters and firefighting tools” to catch breaches early and respond quickly when they occurred.
In the 2020s, Yu said, the security industry should expect a recovery-oriented set of problems. Specifically, he worries about wiper attacks and other attacks that cause irreversible harm. He realized that some technologies, such as content delivery networks, copy-on-write storage, Docker containers, serverless architectures and functions, and blockchain, "fit into this model of things that help us recover and be resilient" when attackers exploit security vulnerabilities.
Within these new products, Yu saw three core design principles connecting all of them: “They are distributed, immutable and ephemeral.”
In addition to furthering data recovery and resiliency that are essential to modern cybersecurity, Shortridge said the DIE triad encourages security by design.
“Each of the characteristics in DIE are generally understood by developers and ops engineers — but they often don’t realize these characteristics offer security benefits,” Shortridge wrote in an email. “The DIE model, therefore, makes security considerations more accessible to developers, which makes it easier for them to think about security from the beginning of designing and operating systems.”
Implementing the DIE triad
The best way to implement the DIE triad, Yu said, is to sort systems and data into two buckets he called "pets" and "cattle." Pets are highly valuable items whose continued good health must be ensured; they should be handled under the traditional CIA security triad. Cattle should be handled under the DIE triad, to ensure they are not kept around so long that they unintentionally become pets.
This exercise leads to the difficult process of deciding which systems and data should be treated as pets and kept, and which should be decommissioned, Yu said. Moving from fragile systems secured under the CIA triad to resilient systems built on DIE is the first step. He admitted there is no direct test for resiliency, but he believes resilient systems should have a set timeline on which pets become cattle.
As an organization harbors more cattle rather than pets, it will move beyond resilience and build a network that is “antifragile,” Yu said. He argued that, if harm comes to a fragile network, it will break. If a network is resilient, harm will cause no significant change — a better outcome, but not the best option, according to Yu. The best option is for a network or system to be antifragile, which means it becomes stronger after being harmed. This includes changing security protocols and decommissioning cattle systems in order to improve the overall security of the enterprise.
Shortridge noted that enforcing immutability restrictions for on-premises containers would “offer both performance and security benefits” by preventing unauthorized access or changes to production environments. Additionally, if on-premises services are ephemeral, that limits the amount of time an attacker would have to steal data in the event of a breach.
“It can lead to a dangerously false sense of security to assume that on-prem systems don’t require the same security considerations as cloud-based systems,” Shortridge said, “because then the attacker just needs local access on your internal networks before attacking a squishy target.”
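The pets-versus-cattle sorting Yu describes, and the container immutability and ephemerality Shortridge recommends for on-premises workloads, can be turned into a concrete check. The following is an added example, not code from the article or from either expert: it audits Kubernetes-style workload specs for the three DIE properties and reclassifies anything that fails as a pet that needs CIA-style care. The workload dicts, the `die.example/max-age-days` annotation and the audit date are all constructed for the example and are assumptions, not a standard.

```python
"""Audit Kubernetes-style workload specs for the DIE properties (added example).

Per workload:
  distributed: more than one replica and not pinned to a single node
  immutable:   read-only root filesystem, image pinned by digest, no hostPath volume
  ephemeral:   Jobs carry a deadline and a post-completion TTL; long-running
               services have not outlived a declared maximum age
A workload with any finding is reported as a "pet" so it is handled under CIA
instead of being assumed to get DIE's benefits for free.
"""
import re
from datetime import datetime, timedelta, timezone

# Image references must end in a sha256 digest, not a mutable tag such as :latest.
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")
# Hypothetical annotation used to declare a rebuild interval for long-running services.
MAX_AGE_ANNOTATION = "die.example/max-age-days"
DEFAULT_MAX_AGE_DAYS = 30
# Fixed audit time so the example is reproducible offline (constructed).
AUDIT_TIME = datetime(2020, 2, 25, tzinfo=timezone.utc)

# Constructed sample inventory in the shape of Kubernetes objects (not real clusters).
SAMPLE_WORKLOADS = [
    {"kind": "Deployment",
     "metadata": {"name": "api", "creationTimestamp": "2020-02-15T00:00:00Z",
                  "annotations": {MAX_AGE_ANNOTATION: "14"}},
     "spec": {"replicas": 3, "template": {"spec": {"containers": [
         {"name": "api", "image": "registry.example/api@sha256:" + "a" * 64,
          "securityContext": {"readOnlyRootFilesystem": True}}]}}}},
    {"kind": "Deployment",
     "metadata": {"name": "legacy-db", "creationTimestamp": "2019-01-01T00:00:00Z"},
     "spec": {"replicas": 1, "template": {"spec": {
         "nodeName": "node-07",
         "containers": [{"name": "db", "image": "registry.example/db:latest"}],
         "volumes": [{"name": "data", "hostPath": {"path": "/var/lib/db"}}]}}}},
    {"kind": "Job",
     "metadata": {"name": "nightly-report", "creationTimestamp": "2020-02-20T00:00:00Z"},
     "spec": {"activeDeadlineSeconds": 3600, "ttlSecondsAfterFinished": 600,
              "template": {"spec": {"containers": [
                  {"name": "report", "image": "registry.example/report@sha256:" + "b" * 64,
                   "securityContext": {"readOnlyRootFilesystem": True}}]}}}},
]


def check_distributed(workload):
    findings = []
    spec, pod = workload["spec"], workload["spec"]["template"]["spec"]
    if workload["kind"] != "Job" and spec.get("replicas", 1) < 2:
        findings.append("single replica")
    if "nodeName" in pod:  # Pinned to one node: loses the node, loses the service.
        findings.append("pinned to node %s" % pod["nodeName"])
    return findings


def check_immutable(workload):
    findings = []
    pod = workload["spec"]["template"]["spec"]
    for c in pod.get("containers", []):
        if not DIGEST_RE.search(c["image"]):
            findings.append("%s: image not pinned by digest" % c["name"])
        if not c.get("securityContext", {}).get("readOnlyRootFilesystem"):
            findings.append("%s: writable root filesystem" % c["name"])
    for v in pod.get("volumes", []):
        if "hostPath" in v:  # State that survives pod replacement is a mutable foothold.
            findings.append("volume %s: hostPath persists across pod restarts" % v["name"])
    return findings


def check_ephemeral(workload, now=AUDIT_TIME):
    findings = []
    spec, meta = workload["spec"], workload["metadata"]
    if workload["kind"] == "Job":
        if "activeDeadlineSeconds" not in spec:
            findings.append("no activeDeadlineSeconds")
        if "ttlSecondsAfterFinished" not in spec:
            findings.append("no ttlSecondsAfterFinished (finished pods linger)")
        return findings
    max_age = int(meta.get("annotations", {}).get(MAX_AGE_ANNOTATION, DEFAULT_MAX_AGE_DAYS))
    created = datetime.strptime(meta["creationTimestamp"], "%Y-%m-%dT%H:%M:%SZ")
    age = now - created.replace(tzinfo=timezone.utc)
    if age > timedelta(days=max_age):  # Outlived its rebuild window: quietly became a pet.
        findings.append("age %d days exceeds max %d days (rebuild or reclassify as pet)"
                        % (age.days, max_age))
    return findings


def audit(workload, now=AUDIT_TIME):
    return {"distributed": check_distributed(workload),
            "immutable": check_immutable(workload),
            "ephemeral": check_ephemeral(workload, now)}


def classify(workloads, now=AUDIT_TIME):
    """Return {'cattle': [names], 'pets': [(name, findings)]}."""
    result = {"cattle": [], "pets": []}
    for w in workloads:
        report = audit(w, now)
        name = w["metadata"]["name"]
        (result["pets"].append((name, report)) if any(report.values())
         else result["cattle"].append(name))
    return result


if __name__ == "__main__":
    for bucket, items in classify(SAMPLE_WORKLOADS).items():
        print(bucket, items)
```

Run against the sample inventory, `api` and `nightly-report` come out as cattle, while `legacy-db` is flagged on all three axes (one replica pinned to a node, a `:latest` tag with a writable root filesystem and a hostPath volume, and an age well past its rebuild window) and so belongs in the pet bucket, where it gets CIA-style controls rather than an assumption of resilience. In practice the inventory would be pulled from the cluster API rather than constructed inline, and the max-age annotation is whatever convention your organization chooses.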