At InfoSec World 2018, March 19–21, I will be speaking on scale and security. I’ve talked about scale in the past, and about the different types available. Join me at my roundtable discussion at InfoSec World, “G4 Impact of Scale on Security: An Open Discussion.” Bring your questions and an open mind, and be ready to talk scale and security. Scale impacts everything, but how does it impact security? That is the main question to ask and discuss.
We know that scale has an impact. We know that at some scales, security changes drastically. We also know that the boundaries of security move with the increased scale related to velocity and volume. But it also changes with distance, as Tom Howarth pointed out previously. How does this actually impact the security posture of your organization? That is the crux. Scale means so many different things to so many different people that applying one set of rules tends to be more boggling than helpful.
I was at another conference where I was talking to a customer who stated their scale was massive: roughly 100 million sessions a day with an acceptable latency of a second or more. However, I have been architecting and securing systems that have 44 billion queries a day with an acceptable latency that is sub-second. What I do for that would not necessarily be appropriate for the other. That is the main problem with scale. As you scale up, your options change. What seems like a wide-open area for security suddenly narrows. The focus of the business comes into play more and more.
This is also where latency comes into play. How does that change your security posture? Basically, what can you get done in the time allocated? If you have a lot of time, you can do much more. If you do not, you may have to split your traffic or approaches. You may need to place protective approaches inline and detective approaches out of band. Would that apply everywhere? It could, but is it necessary? Can the organization absorb the extra costs of doing so?
Brownfield vs. greenfield also comes into play, as does the architecture of the application, service, or system. Further, all of these are impacted by the needs of the business. You may have a more fundamental scale problem based on mindset. Is the mindset working for or against security at scale?
All these and more will be discussed at the roundtable. I will share any conclusions; I am going to moderate the discussion to learn and to share what I know with others. I am positive there are things I do not know. While I do research large-scale cloud forensics, forensics of security at scale seems daunting nevertheless. While we may not get into forensics at the roundtable discussion, it is always in the back of my mind.
I know scale has changed how I wish to do security. It has changed how I plan to deploy security, and it has also changed my mindset about security. Even so, we still cannot forget what we have learned from the past; we must apply it to the future.
How do you do security at scale? What do you consider scale to be? How has security failed at scale? How has it succeeded? Inquiring minds wish to know!