"Any intelligent fool can make things bigger and more complex. It takes a touch of genius — and a lot of courage — to move in the opposite direction." — Albert Einstein
Last October, SpaceX made history by successfully catching its Super Heavy rocket in a pair of robotic arms known as "chopsticks." This seminal achievement was made possible not by adding complexity to the most advanced rockets the world has ever seen, but by stripping it away. CISOs should take note.
The workhorse powering this achievement was SpaceX's third-generation Raptor engine. Raptor 3 sports a far cleaner look than its predecessors. By using new techniques and reconsidering the need for exposed metal hardware and a heat shield, SpaceX cut the engine's weight significantly: Raptor 3 delivers 50% more thrust at 25% less weight than earlier models. The streamlined design may also enhance lifespan and manufacturability.
Complexity is the enemy of security
SpaceX achieved the once-unthinkable not by adding components — and complexity — to its engine design, but by eliminating and optimising existing ones. Further, Lusser's Law tells us the failure rate for complex systems is the product of each component's probability of failure. Reducing the number of components reduces the risk of failure.
This should cause CISOs to reevaluate how we think about our IT environments. Consider the many components that make up legacy network security architecture — firewalls, SWGs, load balancers, DDoS mitigation, VDI, VPN, DLP — often in multiple instances per inbound/outbound DMZ. Each of these tools has a failure rate, and the failure rate of the complete system is higher than that of any individual component. "Failure" can take the form of a CVE, latency, inefficiency, impaired performance, defect, or end-of-life — the list is as long as our imaginations allow.
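The Lusser's Law argument above, worked through as an added example that is not part of the original article. The per-component failure probabilities for the DMZ service chain are constructed for illustration, and the law is applied in its series-reliability form: the chain's reliability is the product of the components' reliabilities, so the chain fails whenever any single component fails.

```python
from math import prod

# Constructed, illustrative failure probabilities (per component, over one
# reporting period) for a single inbound/outbound DMZ service chain.
# These are not measured values.
DMZ_CHAIN = {
    "firewall": 0.02,
    "swg": 0.03,
    "load_balancer": 0.01,
    "ddos_mitigation": 0.01,
    "vdi": 0.04,
    "vpn": 0.03,
    "dlp": 0.02,
}


def series_failure_probability(failure_probs):
    """Failure probability of a service-chained (series) system.

    Lusser's law: the reliability of a series system is the product of its
    components' reliabilities, so the chain is only up when every component
    is up. Components are assumed to fail independently.
    """
    reliability = prod(1.0 - p for p in failure_probs.values())
    return 1.0 - reliability


def weakest_component(failure_probs):
    """The single component most likely to fail, with its probability."""
    name = max(failure_probs, key=failure_probs.get)
    return name, failure_probs[name]


def removal_impact(failure_probs):
    """How much the chain's failure probability drops if each component were
    eliminated, largest reduction first."""
    baseline = series_failure_probability(failure_probs)
    impact = {}
    for name in failure_probs:
        remaining = {k: v for k, v in failure_probs.items() if k != name}
        impact[name] = baseline - series_failure_probability(remaining)
    return sorted(impact.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    chain = series_failure_probability(DMZ_CHAIN)
    worst, worst_p = weakest_component(DMZ_CHAIN)
    print(f"chain failure probability: {chain:.4f}")
    print(f"weakest single component:  {worst} ({worst_p:.2f})")
    for name, reduction in removal_impact(DMZ_CHAIN):
        print(f"remove {name:16s} -> chain failure drops by {reduction:.4f}")
```

Even though no component here fails more than 4% of the time, the chain as a whole fails roughly 15% of the time, and removing the weakest component helps the most.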
Many security executives have inherited these tools without a complete understanding of how they actually secure their environments. Another lock on the safe is always welcome added protection, right? Not so fast. It may, in fact, be just another point of failure vulnerable to any cybercriminal who has studied its weaknesses. More devices and a larger attack surface mean more options for attackers.
Decoupling security from the network
Zero trust is an approach that de-emphasises perimeter-based protection — and all of its requisite point products — in favour of per-resource policy enforcement when a user requests access to a company asset. When conducted in the cloud, this brings the same benefits enjoyed by any other SASE application: a vendor's ability to specialise in its core value proposition, reduced reliance on manual procedures from clients, and a "cloud effect" of protection from known vulnerabilities. Single-scan, multi-action (SSMA) architecture means security checks happen more efficiently than service-chaining multiple point products.
Importantly, true zero trust cannot be a lift-and-shift of previous security capabilities to the cloud. Firewall and VPN vendors have tried these moves before and have been plagued by the same vulnerabilities affecting other security appliances. Various vendor-specific zero-day threats continue to add risk regardless of whether the underlying capabilities are hardware or cloud-based.
True zero trust architecture decouples security functions from the network, turning the network into simply the "plumbing" responsible for moving packets as quickly and reliably as possible. Traditional security DMZ functions can then be processed in parallel without the need for service chaining. Connection information is shared into memory where multiple, parallel engines apply policy checks to the data — providing the ability to build simple business policies, rather than complex network policies.
Zero trust architecture isn't rocket science. But, as in rocket science, stripping away unnecessary functions and streamlining existing ones is a step in the direction of simpler, more elegant solutions. So don't be afraid to aim high.
Originally published on CXO REvolutionaries, Zscaler · 19 December 2024.