The M&M Security Model is Dead

By Andrew Gemmell, Head of Cybersecurity, Servian

April 6th, 2020

The approach to information security, and to organisational security more broadly, hasn’t changed much in the past 15 years. The standard model is to build a strong, hard, impenetrable shell around the organisation, with the mentality “Nothing gets in unless we let it”.

Taken to its extreme, once you’re in, you’re in, and you generally have free rein across the organisation’s infrastructure. Sometimes referred to as M&M security, this hard-shell, soft-centre model doesn’t suit the modern world or modern, complex threats.

This problem isn’t new. Large organisations can tell horror stories from the early 2000s, when the Code Red worm infiltrated organisations and networks around the world. In the 2020s, ransomware is a new actor that exploits the same weaknesses in approach and thinking: one foothold inside the shell, and the soft centre is open to it.

A security model like King’s Landing

This hard shell, or castle wall, approach has existed since, well, castles. Build it big enough, strong enough and with as few crossing points as possible, and you have a secure environment. There have always been problems with this approach. What happens when something does get inside the wall? Where is the protection then?

As the information age continues, the complexity of the environments we operate in grows, and that complexity has become the problem. The complexity of solutions has grown massively, yet the security approach hasn’t kept up. From poor configuration through to software and hardware vulnerabilities, the opportunities for starting behind the wall are greater than ever. If you can start inside the shell, you can attack from the inside out.

All is not lost, but we need to change the approach. No longer can we assume that we have a gated community and that everyone behind the gate is reliable and safe. We need to assume the opposite: trust only those we can prove are trustworthy, and verify that proof on every interaction, not just at the gate. This needs to be done without exception, as security is only as strong as the weakest link.

The revolution

Google has started the revolution with BeyondCorp, its model for granting access based on the user and the device rather than on network location, which lets it operate securely at scale without relying on a perimeter. This model works for Google and can work for any cloud-only organisation. For traditional organisations there is an intermediate stage: one that applies the principles of Least Privilege and Zero Trust across the entire organisation, whilst also implementing the controls that keep the security posture intact during the transition to a cloud-first posture. Least Privilege and Zero Trust are, at the most basic level, exactly what they claim to be. By not trusting your neighbours by default, you protect yourself; by granting only the least privilege required, you also limit the blast radius of the interactions you do trust.
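To make the difference between the two models concrete, the following is an added example, not code from the original post and not BeyondCorp’s own implementation. It evaluates the same access request two ways: a perimeter (M&M) decision that trusts anything from the corporate address range, and a Zero Trust decision that ignores network location and instead demands an authenticated identity, a healthy device bound to that identity, and an explicit least-privilege grant for the specific action. The corporate range, device inventory, user names, resource names and policy are all constructed for illustration.

```python
"""Perimeter ("M&M") access decision beside a Zero Trust / Least Privilege one.

Added example: not from the original post and not Google's BeyondCorp code.
Every identity, device record, resource and policy entry below is constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

CORP_NET = ip_network("10.0.0.0/8")  # assumed corporate address range


@dataclass(frozen=True)
class Request:
    src_ip: str
    user: Optional[str]        # authenticated identity, None if unauthenticated
    device_id: Optional[str]   # device presenting the request, None if unknown
    resource: str
    action: str                # "read" or "write"


def perimeter_allows(req: Request) -> bool:
    """M&M model: location is the credential. Inside the wall means trusted."""
    return ip_address(req.src_ip) in CORP_NET


# Zero Trust inputs (constructed): a device inventory carrying posture data, and a
# least-privilege policy naming exactly which principal may perform which action.
DEVICES = {
    "laptop-042": {"owner": "alice", "managed": True, "disk_encrypted": True, "patched": True},
    "laptop-077": {"owner": "bob", "managed": True, "disk_encrypted": True, "patched": False},
}

POLICY = {
    # resource -> principal -> permitted actions
    "payroll-db": {"alice": {"read"}},
    "wiki": {"alice": {"read", "write"}, "bob": {"read"}},
}


def device_healthy(device_id: Optional[str]) -> bool:
    """A device must be known, managed, encrypted and patched to be trusted."""
    d = DEVICES.get(device_id) if device_id else None
    return d is not None and d["managed"] and d["disk_encrypted"] and d["patched"]


def zero_trust_allows(req: Request) -> Tuple[bool, str]:
    """Every request must prove who, on what device, for which exact action.
    Network location is deliberately never consulted."""
    if req.user is None:
        return False, "no authenticated identity"
    if not device_healthy(req.device_id):
        return False, "device unknown or fails posture check"
    if DEVICES[req.device_id]["owner"] != req.user:
        return False, "device is not bound to this user"
    granted = POLICY.get(req.resource, {}).get(req.user, set())
    if req.action not in granted:
        return False, f"{req.user} has no grant for {req.action} on {req.resource}"
    return True, "identity, device posture and least-privilege grant all verified"


if __name__ == "__main__":
    samples = [
        # An unauthenticated process on the internal network (the "soft centre" case)
        Request("10.1.2.3", None, None, "payroll-db", "read"),
        # Alice working from home on her healthy, managed laptop
        Request("203.0.113.5", "alice", "laptop-042", "payroll-db", "read"),
        # Alice trying an action she was never granted
        Request("203.0.113.5", "alice", "laptop-042", "payroll-db", "write"),
        # Bob on an unpatched laptop, even though he is inside the perimeter
        Request("10.1.2.3", "bob", "laptop-077", "wiki", "read"),
    ]
    for r in samples:
        ok, why = zero_trust_allows(r)
        print(f"{r.src_ip:>12} {str(r.user):>6} {r.action:>5} {r.resource:<10} "
              f"perimeter={perimeter_allows(r)!s:<5} zero_trust={ok!s:<5} ({why})")
```

The first sample is the whole argument of the post in one line: the perimeter model admits an unauthenticated process purely because its source address is internal, while the Zero Trust check refuses it for lack of any proven identity. The second sample shows the reverse, a legitimate user denied by the perimeter because she is outside the wall but admitted once identity, device and grant are verified.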

Starting with Google’s Cloud Security Posture Review (CSPR) toolset and approach, we are able to provide a clear assessment of how well cloud best-practice methodologies have been adopted, and to help maintain the adoption of Least Privilege and Zero Trust approaches over time.

Adopting this model requires more than a simple change in technology. It needs a business uplift and a cultural shift to the view that security is no longer purely a technology issue. By adopting a “Secure by Design” mindset and approach, along with supporting practices such as compliance-as-code, organisations can make significant improvements that enable innovation and speed up overall delivery.
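Compliance-as-code means the posture checks are themselves code that runs against an inventory of what is actually deployed, rather than a checklist someone fills in once. The following is an added example, not part of the original post and not the CSPR toolset: the inventory format, rule identifiers and resource names are assumptions made up for this illustration, while the controls themselves are common cloud baseline checks (no administrative ports open to the whole internet, no roles granted to public principals, no primitive owner/editor roles granted to an entire group or domain).

```python
"""Compliance-as-code: evaluate a cloud inventory against a small rule set.

Added example, not from the original post and not Google's or Servian's CSPR
toolset. The inventory layout, rule IDs and names are constructed for this
example; the checks are generic cloud baseline controls.
"""
from ipaddress import ip_network
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]  # (rule id, offending object, description)

ADMIN_PORTS = {22, 3389}                             # SSH and RDP
PRIMITIVE_ROLES = {"roles/owner", "roles/editor"}   # broad, project-wide roles
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}


def _is_anywhere(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0, i.e. a source that matches the whole internet."""
    return ip_network(cidr, strict=False).prefixlen == 0


def _opens_admin_port(ports: List[str]) -> bool:
    """Port entries are "22", "3389", ranges like "3000-4000", or "all"."""
    for p in ports:
        if p == "all":
            return True
        lo, _, hi = p.partition("-")
        lo_i, hi_i = int(lo), int(hi or lo)
        if any(lo_i <= ap <= hi_i for ap in ADMIN_PORTS):
            return True
    return False


def check_firewall(rules: List[Dict]) -> List[Finding]:
    """FW-001: an enabled ingress rule exposing SSH/RDP to any source."""
    findings = []
    for r in rules:
        if r["direction"] != "INGRESS" or r.get("disabled", False):
            continue
        if any(_is_anywhere(s) for s in r["sources"]) and _opens_admin_port(r["ports"]):
            findings.append(("FW-001", r["name"], "admin port open to the internet"))
    return findings


def check_iam(bindings: List[Dict]) -> List[Finding]:
    """IAM-001: any role granted to a public principal.
    IAM-002: a primitive role granted to a whole group or domain."""
    findings = []
    for b in bindings:
        if any(m in PUBLIC_PRINCIPALS for m in b["members"]):
            findings.append(("IAM-001", b["role"], "role granted to public principal"))
        elif b["role"] in PRIMITIVE_ROLES and any(
            m.startswith(("group:", "domain:")) for m in b["members"]
        ):
            findings.append(("IAM-002", b["role"], "primitive role granted to group/domain"))
    return findings


def evaluate(inventory: Dict) -> List[Finding]:
    """Run every rule over the inventory; an empty list means compliant."""
    return check_firewall(inventory["firewall_rules"]) + check_iam(inventory["iam_bindings"])


# Constructed inventory: a mix of compliant and non-compliant objects.
SAMPLE_INVENTORY = {
    "firewall_rules": [
        {"name": "allow-ssh-from-anywhere", "direction": "INGRESS", "sources": ["0.0.0.0/0"], "ports": ["22"]},
        {"name": "allow-ssh-from-corp", "direction": "INGRESS", "sources": ["10.0.0.0/8"], "ports": ["22"]},
        {"name": "allow-https-public", "direction": "INGRESS", "sources": ["0.0.0.0/0"], "ports": ["443"]},
        {"name": "old-allow-all", "direction": "INGRESS", "sources": ["0.0.0.0/0"], "ports": ["all"], "disabled": True},
        {"name": "egress-all", "direction": "EGRESS", "sources": [], "ports": ["all"]},
        {"name": "rdp-range", "direction": "INGRESS", "sources": ["::/0"], "ports": ["3000-4000"]},
    ],
    "iam_bindings": [
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
        {"role": "roles/owner", "members": ["domain:example.com"]},
        {"role": "roles/owner", "members": ["user:alice@example.com"]},
        {"role": "roles/viewer", "members": ["group:auditors@example.com"]},
    ],
}


if __name__ == "__main__":
    for rule_id, obj, desc in evaluate(SAMPLE_INVENTORY):
        print(f"{rule_id}  {obj:<28} {desc}")
```

Run in a pipeline, a non-empty result from `evaluate` fails the build, which is what turns the assessment described above from a one-off review into a control that is maintained on every change. Note that `rdp-range` is flagged even though the rule never names port 3389 explicitly; range handling is exactly the kind of detail a manual checklist misses.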

Servian has been working closely with Google in the development and field testing of the CSPR toolset and approach, with successful assessments at a number of clients. This toolset, along with our industry knowledge and experience, has enabled clients to understand and improve their security posture.

Contact us if you would like to discuss how we can improve your security visibility.

Learn how to layer security into your cloud approach

Our whitepaper guides you on how to provide a safe and secure heterogeneous cloud operating model whilst remaining cost-effective and agile.