IT Security Secret Weapon: Physical Control

Strong IT security is a losing proposition. If you want to build an internet-connected system that is unhackable, you have lost the game already. There is no such thing. If someone wants to hack you, they will succeed. The only thing you can do is inch your way up the ladder and eliminate the lowest-hanging fruit. The strategy becomes being faster than your friend rather than trying to outrun the bear. Other than that, get ready to be hacked. Your goal should be to get hacked less frequently than your competitors, and when you are hacked you want to be sure it is an inconvenience rather than a business-ending catastrophe.

Limiting the severity of the attack is where the tables turn. You, as the owner of your data, have the upper hand in restoring control. Just as you had no foolproof protection against getting hacked, your adversary faces the same problem if their goal is to wipe your data or your business operation off the face of the earth. They will not succeed if you don’t want them to. Your secret weapon is physical control. As long as you retain physical control over your data, you may lose many battles, but you will ultimately win the war.

When hackers penetrate a single system, they call that “owning the system”. However, that overstates their accomplishment a bit. They should really claim that they “temporarily control” the system. Of course, that doesn’t have the same ring to it. They don’t “own” anything if they can be locked out by you, the owner. Yes, they can do all kinds of damage while on the system. Yes, they can cause downtime. Yes, it can be a huge disaster. Yes, it sucks to be hacked. But as long as you retain physical control over your system, you will always have the upper hand in the long run.

Why physical control? What makes physical control so special? It’s because no matter what kind of games and silly wars happen at the OS or application level, you have a secret weapon that hackers don’t. It’s a weapon that’s unstoppable. It’s a weapon that makes all the games stop. You have physical control. Only you can unplug a network cable – they can never plug it back in. Only you can shut down a machine – they can never start it. Only you can do an offline bare-metal restore, and they can’t do a thing about it. Only you can put your offsite backups in your briefcase; they can hack all night and they are not going to touch those.

This is why public cloud computing is problematic. Public cloud takes away the only truly effective weapon you had. You have zero physical control in the public cloud. You can’t unplug cables, you can’t carry away your backups in a briefcase, and you can’t restore elsewhere. You’re not the owner anymore. With public cloud, you’ve outsourced the battle. The battle is now between your cloud provider and the hacker. Will the cloud provider fight as hard for you as you would fight for yourself? Probably not. In fact, I guarantee it. The cloud provider will point their finger at you and call it a day.

If you’re going to use the cloud, your physical infrastructure needs to be the root that controls it all. Don’t think of a cloud as a way to “keep your stuff safe”; think of it as a place where you temporarily put your stuff to get a specific job done. It could be there one day and gone the next – just like a cloud. You should always remain the physical owner of your data and of your key infrastructure.

Value of Personal Computing in the Cloud Era

I got my first computer when I was around 10 years old. It was a ZX80 clone with a whopping 64K of RAM. I had a game of Pong that came on a cassette tape and took 30 minutes to load. Sounds annoying now, but at the time it was the most awesome thing ever. It was magic. As my programming skills improved and as I saw Moore’s law rip open previous computing limits, that sense of magic became internal and intimate. It changed from “wow, look at what that neat box can do” to “wow, I’m wielding this magic at my fingertips”. It’s not an accident that computer programmers and system admins are called wizards. When they place their fingers on a keyboard, it feels like wielding a magic wand. The possibilities feel endless. They are endless.

A personal computer is an intimate extension of our brains. It makes us think faster with powerful CPUs, gives us photographic memory with gigantic storage, lets us analyze, sort and distill information with smart algorithms, gives us telepathic powers through internet communication, and creates a playground for our imagination through virtual worlds and simulations. Personal computers are the vessel for electronic thoughts. Just as thoughts are personal and private, so is personal computing. It’s a personal and private experience.

Cloud computing takes the closely held magic away from us and places it in the hands of a powerful corporation. If you are a magic user rather than a wizard, this doesn’t seem like a big difference. After all, you still reap the benefits, you still touch your precious keyboard, and with the press of a button magic happens. The key difference is that with personal computers you own that magic – it’s personal. With cloud computing, that magic happens at someone else’s bidding. The user is merely presented with the end result. It’s magic for rent. It’s a satisfying illusion. When you use cloud computing, you’ve put away your wizard’s wand and swapped it for a fancy TV remote control. Often cloud computing magic appears more powerful than what you could ever hope to accomplish on your own. For that reason it’s tempting to put away your dusty old wand and follow the rest of the herd away from that dried-up patch of pasture you call “yours” to a never-ending green field shared by all. Unlike personal computing, cloud computing is also easy: it doesn’t force you to learn and it doesn’t demand that you work. Most importantly, it doesn’t demand answers to any questions. The only thing required is to open your mouth, chew, and swallow that juicy green grass.

Does this mean cloud computing is always a bad idea? Certainly not. Personal computing is not about living in a cave as a hermit. It’s about defining limits. Personal computing is a question. What is yours and private? What is shared? What is off limits? What should always stay personal? What is the value of your privacy? What can you afford to let float into the cloud? What will you share? What will you keep secret? And when you are ready to head off to the never-ending green field shared by all, ask yourself: Who owns that field? Will it always be green and never-ending? Who makes the rules while I’m there? And most importantly, can I get the best of both worlds? Can I visit the never-ending green field for a few hours and return to my own place at a moment’s notice? Or am I entering a one-way corral? Can I keep my wand? Or do I have to trade it in for a remote control at the gate?

Draw a boundary; define your kingdom – no matter how big or small. Ask yourself: can I claim that territory as my own the same way I claim my mind as my own?

Am I free? Will I remain free?