March 28th, 2018
This document outlines core principles that I try to apply to my work, to guide me in the decision making processes I encounter on a daily basis. This list of principles is intentionally kept short and high-level: I do not wish to get lost in technical details nor distracted in philosophical discussions.
Despite (hopefully) being obvious, writing down these principles helps me stay on track, explain my general thinking to customers and partners across the organization, and function as a reminder of what's important when I get bogged down in technicalities.
My Paranoid Principles are:
Our prime objective is to protect the end users of our products. We are custodians of the data they entrust us with, and we have the responsibility to protect and defend the data, to act first and foremost in the interest of our users, in the public interest.
Trust is gained in drops and lost in buckets; we cannot be successful without the trust of our users.
As information security professionals, we frequently are aware of risks unknown or not obvious to others, know about threats to our users, the confidentiality of our users' data, or of actions taken that directly or indirectly are not in the (best) interest of our users. Our privileged position in the network and the company puts on us the responsibility of always and primarily acting in their defense and protection.
In the old world, it was turtles all the way down: a hard shell protecting squishy internals. Once you passed the perimeter, you were in: applications trusted you, you could freely move around the network, access services without authentication, and the like. This model is now being obsoleted by the concept of "Zero Trust" networks, a world where a given network position does not infer inherent trust upon you. Different people will interpret "Zero Trust" to mean different things, but in a nutshell:
In the design and implementation of all architectures, endpoints must assume that the network is compromised, while the network must assume that the endpoints are. (Experience has shown both to be the case.) This principle demands strong and mutual authentication of all components, fine-grained and automated access control with reliable authorization via e.g. RBAC, microsegmentation of the network, and protection (e.g. encryption) of all data in transit as well as at rest.
In order to facilitate collaboration across the company and to gain and maintain the trust of our users, colleagues, and partners, we must act in as transparent a fashion as possible. The zero-trust model requires us to assume that attackers are already able to e.g. access our internal documentation, so overly restrictive access controls more often hinder collaboration than meaningfully protect "sensitive" information. By operating in the open, with our decision making process and implementation details visible to others, we are consciously forcing ourselves to live up to our own standards. Sunlight is the best disinfectant.
We shall apply Kerckhoffs's principle not only to cryptographic algorithms, but also to our architecture documentation, operational runbooks, implementation notes, and threat assessments. Communication channels within the company and communications within the team shall not be closed or restricted unless absolutely necessary. Information sharing across the company is essential.
As we work to merge or design infrastructures, to develop new architectures, we shall always move forward, never back. This principle requires us to abandon the idea of the lowest common denominator and to require that any system or component not meeting our desired security standards be brought to meet them rather than to lower the standards. When comparing existing implementations, the stronger security mechanisms and protections win.
Likewise, we are required to continually re-evaluate our existing standards to ensure they are above and beyond the "industry best practices" all too often masquerading that lowest common denominator. At the same time, we cannot let perfect be the enemy of the good; incremental changes in the right direction must not be delayed merely because they do not solve all immediate problems 100%.
Our standards and expectations need to be raised regularly; the only way to make progress is to move forward. We must do better today than we did yesterday, and better tomorrow than we did today.
These are the paranoid principles I try to follow, I try my work to embody, which I try to promote. Of course there's more, and things aren't always black and white. But it helps to be able to go back and remind myself of what I said I would do. What are your paranoid principles?
March 28th, 2018