Words sprinkled into IT presentations and marketing to give a sense of warmth and safety.
I hadn't thought much about it until Dave Snowden posed the question:
What's the difference between a sea wall and a salt marsh? Both stop coastal flooding...
Paraphrasing his idea:
A sea wall is robust. It works well until it fails - and then it becomes more of a hindrance than a benefit.
In contrast, a salt marsh is resilient. It maintains its identity over time. Whether the marsh is flooded or dry - it's still a salt marsh.
This distinction made me pause and consider different cybersecurity tools and techniques.
Which are robust - but lose their effectiveness when breached?
And which maintain their effectiveness and even adapt when parts of the system are compromised?
For years, we have known that firewalls can be easily bypassed. A click on a phishing link bypasses all firewall protections, because the resulting connection originates from inside the business, on the side of the firewall that is trusted.
Similarly, last week I read about the trouble Barracuda email security gateways have preventing internal name spoofing and CEO fraud. Because an email security gateway sits at the network's edge, it doesn't inspect emails sent between users within a business, which creates a security loophole.
These are robust approaches to security.
Great until they don't work.
But are there resilient approaches?
Backups immediately came to mind. If restoring from one backup fails - use the next one...
In the event of a failure, the data may not be as current - but at least we aren't starting from nothing.
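As an added example (not from the original post), this is what a resilient restore looks like in code: each backup generation carries an integrity tag, and the restore job walks generations newest-first and takes the first one that verifies, reporting how many it had to skip. The HMAC key, the backup format, and the sample records are constructed for the illustration; a real deployment would keep the key in a KMS or HSM rather than beside the backups.

```python
import hashlib
import hmac
import json

# Constructed example: a per-generation HMAC-SHA256 tag lets a restore job tell a
# good backup from a corrupted or tampered one. Placeholder key for the demo only;
# a real deployment would hold it in a KMS/HSM, never next to the backups.
MAC_KEY = b"example-only-not-a-real-key"


def make_backup(generation, records):
    """Serialize one backup generation and attach an integrity tag."""
    payload = json.dumps({"generation": generation, "records": records},
                         sort_keys=True).encode()
    tag = hmac.new(MAC_KEY, payload, hashlib.sha256).digest()
    return {"payload": payload, "tag": tag}


def verify_backup(backup):
    """Recompute the tag over the stored payload; constant-time comparison."""
    expected = hmac.new(MAC_KEY, backup["payload"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, backup["tag"])


def restore(backups):
    """Resilient restore: walk generations newest-first (the list is ordered
    oldest -> newest) and return (data, skipped) for the first one that
    verifies. Returns (None, skipped) when nothing verifies, so the caller
    knows it really is starting from nothing rather than from stale data."""
    skipped = 0
    for backup in reversed(backups):
        if verify_backup(backup):
            return json.loads(backup["payload"]), skipped
        skipped += 1
    return None, skipped


def corrupt(backup):
    """Simulate a damaged generation (bad write, disk error, ransomware) by
    flipping one byte of the payload; the stored tag is left untouched."""
    damaged = bytearray(backup["payload"])
    damaged[len(damaged) // 2] ^= 0x01
    return {"payload": bytes(damaged), "tag": backup["tag"]}


# Constructed data: three generations of a small customer table.
BACKUPS = [
    make_backup(1, {"alice": 10}),
    make_backup(2, {"alice": 10, "bob": 20}),
    make_backup(3, {"alice": 10, "bob": 20, "carol": 30}),
]


def demo():
    """Newest generation is damaged: carol's row is lost, but not everything."""
    damaged = BACKUPS[:2] + [corrupt(BACKUPS[2])]
    data, skipped = restore(damaged)
    return data["generation"], skipped


if __name__ == "__main__":
    print(demo())  # (2, 1)
```

The point of the `skipped` count is operational: a restore that silently falls back to an older generation hides the fact that the newest one was bad, so the job should surface how far back it had to go.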
Similarly, separating guest, staff, and device-management traffic into different network segments means that a failure in one segment does not automatically compromise the others.
As I thought more, a trend appeared. Over the last decade, we started moving from robust to resilient security.
The firewalls of old are being replaced with zero-trust architectures, where no device or user is trusted by default because of its network location, and access rights are continually verified.
That is not to say that robust defences have no merit.
Robust defences are the foundation of a secure infrastructure.
But they should not be the focus of attention.
Robust vs. Resilient Technologies
As I started listing robust vs. resilient technologies, some counterintuitive highlights emerged in each list.
- Multi-factor authentication (MFA)
- Physical security controls
- Antivirus and anti-malware
- VPNs and secure Wi-Fi
- Network segmentation
- Zero-trust architecture
- Security awareness training
- Mobile Device Management (MDM)
- Continuous monitoring and auditing
Thinking about robust and resilient technologies provides a new lens through which to view IT and cybersecurity spending.
There isn't always space for a resilient salt marsh, so a mix of approaches is needed.