At InfoSec World 2018, the vast majority of roundtable discussions were about people and process, with little mention of technology. My talk was about the impact of scale on security. There were several notable conclusions that can be drawn from the conversation. I was a guide or moderator, and the conversation went to places that were interesting, if unintended.

Two conclusions can be drawn:

  • Everyone has a different definition of scale, but many incorporated velocity, volume, quantity of devices, and ratio of work or time to results. Yet, only one definition included distance as a measure of scale.
  • The conversation brought many thoughts on process, people, and technology.

People, process, and technology make up many areas of IT security. The less manual the process, the better. At the same time, the better-trained our people are, the better they do with security. Discussion of the technology part was more about application of technology to meet specific goals. In essence, what are the results the business desires?
And that ends up being the crux of the matter: the business. As we scale up, we need to bring the business into the decision so that the risk is acceptable. Scale changes everything and may impose a greater risk depending on architecture, implementation, and mindset. The business needs to accept that risk before moving forward.
Another crux is to ensure the proper team is doing architecture, whether brownfield or greenfield. That team must include security and perhaps even legal from the very beginning. Security must be that trusted advisor, while legal must understand the current applicable laws for the jurisdictions involved: think GDPR.
With the proper team, architecture includes threat modeling and analysis, which will change as things scale up or even down. Scale changes the entire picture. More to the point, how you implement scale changes the entire scope of the business.
So, the primary considerations of scale are to have a good plan that covers threats, from threat modeling, to legal issues, to general technology issues. Know your control points regardless of where those points exist. Describe how to compensate for ones outside your control and, finally, develop an implementation that will provide the scale required.
Where you place security may change based on response-time requirements. It also may change based on where your systems reside. Further, placement may change with or due to the unacceptable risk involved.
How does scale impact your security? Is it a people, process, or technology issue?