“Is an open system more secure than one shrouded in secrecy?” We explore this key question in cryptography, aiming to make this complex topic not only educational but enjoyable as well.
To kick off our exploration of this “interesting” field (because it is my personal endeavour to make this heavy topic fun and accessible), we ask two fundamental questions:
1. Open System or Security through Obscurity?
The former invites everyone, from tech wizards to curious hobbyists, to scrutinize, tinker with, and challenge the system openly. Through collective wisdom and continuous improvement, it strives to fortify the system against threats. The latter has only a select circle of the brightest minds build the system while guarding its inner workings zealously, on the assumption that attackers won’t even know where to begin.
These questions merely scratch the surface of the intricacies of real-world scenarios. The heart of the matter lies in Kerckhoffs’s principle: a cryptosystem should remain secure even when all its workings, except the key, are public knowledge. This fundamental principle is at the core of modern cryptography.
2. Why Choose the Open System?
The open system concept hinges on faith in collective knowledge, fostering an environment of shared ideas, rigorous challenges, and learning from failures. In this approach, secrets lie not in the algorithms, but in safeguarding the keys. Modern cryptography seeks to protect and manage these keys effectively.
This approach credits the synergy of cryptographers and mathematicians from all corners of the globe who have invented, tested, and refined algorithms. The intricate details of encryption and decryption steps are not kept secret. Instead, they are available for anyone interested to study and improve upon. It encourages continual innovation and adaptation.
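Kerckhoffs’s principle in concrete form, as an added example that is not part of the original post. It places a toy “security through obscurity” scheme (its only secret is a hard-coded substitution table that I constructed for the example) beside a keyed scheme whose algorithm is entirely public: HMAC-SHA256 used as a pseudorandom function in counter mode. The function names, the 16-byte nonce and the 256-bit key size are my choices. Reading the file is all it takes to undo the first scheme; for the second, reading the file is exactly what the principle assumes an adversary can do, and only the key stands between them and the plaintext:

```python
"""Two toy designs, seen from the position of someone who has read this file."""
import hashlib
import hmac
import secrets
from typing import Optional

# ---- Design 1: "security through obscurity" -------------------------------
# The entire secret is this hard-coded substitution table (a constructed
# permutation of 0..255; 167 is odd, so i -> (167*i + 41) mod 256 is a bijection).
# It lives in the code, so whoever reads the code holds the secret, every copy
# of the system shares it, and there is nothing to rotate after a leak.
_SECRET_TABLE = bytes((167 * i + 41) % 256 for i in range(256))
_INVERSE_TABLE = bytes(_SECRET_TABLE.index(v) for v in range(256))


def obscurity_encrypt(plaintext: bytes) -> bytes:
    """Byte-wise substitution; the 'algorithm' itself is the only secret."""
    return bytes(_SECRET_TABLE[b] for b in plaintext)


def obscurity_decrypt(ciphertext: bytes) -> bytes:
    """Anyone holding the source can run this; no key is involved."""
    return bytes(_INVERSE_TABLE[b] for b in ciphertext)


# ---- Design 2: public algorithm, secret key --------------------------------
# HMAC-SHA256 as a PRF in counter mode. The construction is fully public (this
# file is what an adversary is assumed to have); the keystream is unpredictable
# only because the key is not.
NONCE_LEN = 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Expand (key, nonce) into `length` pseudorandom bytes: PRF(nonce || counter)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(block)
        counter += 1
    return bytes(out[:length])


def keyed_encrypt(key: bytes, plaintext: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Return nonce || (plaintext XOR keystream).

    A fresh random nonce per message keeps the keystream from repeating under
    the same key; the nonce travels in the clear, which is fine under this design.
    """
    if nonce is None:
        nonce = secrets.token_bytes(NONCE_LEN)
    if len(nonce) != NONCE_LEN:
        raise ValueError("nonce must be %d bytes" % NONCE_LEN)
    stream = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ s for p, s in zip(plaintext, stream))


def keyed_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    """Inverse of keyed_encrypt: regenerate the keystream from the public nonce and the key."""
    nonce, body = ciphertext[:NONCE_LEN], ciphertext[NONCE_LEN:]
    stream = _keystream(key, nonce, len(body))
    return bytes(c ^ s for c, s in zip(body, stream))


def compare_designs(message: bytes) -> dict:
    """Exercise both designs with full knowledge of the code and report what that buys."""
    real_key = secrets.token_bytes(32)
    wrong_key = secrets.token_bytes(32)
    ct_obscure = obscurity_encrypt(message)
    ct_keyed = keyed_encrypt(real_key, message)
    return {
        # Reading the source is enough to recover the message.
        "obscurity_broken_by_disclosure": obscurity_decrypt(ct_obscure) == message,
        # Source plus the right key: decryption works ...
        "keyed_recovers_with_key": keyed_decrypt(real_key, ct_keyed) == message,
        # ... source plus a wrong key: it does not.
        "keyed_recovers_without_key": keyed_decrypt(wrong_key, ct_keyed) == message,
        # The same message twice under one key gives different ciphertexts (fresh nonce).
        "keyed_ciphertexts_repeat": keyed_encrypt(real_key, message) == ct_keyed,
    }


if __name__ == "__main__":
    for claim, outcome in compare_designs(b"the key is the only secret").items():
        print(f"{claim}: {outcome}")
```

The keyed design here provides confidentiality only; it has no integrity check, so a production system would use an authenticated mode such as AES-GCM from a vetted library rather than this construction. The point the example makes is the trust boundary: everything in the file can be published without weakening Design 2, and the whole of the security effort shifts to generating, storing and rotating the key, which is precisely where the open approach says it belongs.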
The open concept may seem counterintuitive, especially if you’re a fan of ancient Chinese martial arts. In stories like those by Jin Yong, famous for his “wuxia” novels, each clan guards its secret formula. Only a select few masters can follow and practice these techniques, and possessing such knowledge is akin to dominating the world of martial arts. Secrecy is paramount, and revealing the secrets to outsiders is unthinkable. (Fun fact: you might be familiar with the 2000 movie adaptation of his work, “Crouching Tiger, Hidden Dragon”.)
In addition to cryptography, the Certified Cloud Security Professional (CCSP) course covers a wide array of topics, introducing publicly available practices, frameworks, and resources, many of which are free. This approach transforms CCSP into a veritable cloud security information portal, making it a valuable resource for both seasoned professionals and newcomers to the field.
(The following list gives sample topics and areas of interest for cyber and cloud security. The content is not meant to be comprehensive or exhaustive.)
- ISO [1] & NIST [2]
- ISO & ITIL
- Cloud service provider(s)
1. ISO: International Organisation for Standardisation
2. NIST: National Institute of Standards and Technology (US government agency)
“Do not reinvent the wheel.” This is true in life, and in cloud security.
In the realm of cloud security, the solutions you seek have existed for some time and are continuously evolving and improving. Therefore, before embarking on your cloud security journey, it’s wise to explore the assets and knowledge that are readily available.
For cloud security practitioners, the true challenge lies in mastering the implementation of these proven methods. To draw an analogy, it’s akin to sharing the once-guarded secrets of a martial arts discipline. The key lies in interpreting and practicing these techniques to align with your unique goals, physical attributes, and available resources. Some seek to enhance speed, endurance, or power, while others must accommodate variations in height, flexibility, and muscular strength.
Now, let’s apply this martial arts-inspired approach to fortify cloud security:
1) Define Your Goals
At the heart of any successful endeavour is prioritisation.
Assess the most pressing concerns for your organisation and business. Suppose there’s a new, non-negotiable compliance requirement related to Personally Identifiable Information (PII). In this case, the path is clear: compliance is paramount. The recent incident in Las Vegas affecting MGM and Caesars (September 2023), for example, gives insight into what other players in your industry are probably doing in light of recent events.
2) Know Thyself
Within your IT and Security teams, evaluate your relationships with top management and team dynamics.
- Consider the organisational culture – is it open to change or more conservative?
- Assess your team’s capabilities and identify any skill gaps.
- Gauge how cybersecurity is perceived within the broader business context.
- Is there adequate awareness among users?
- Is there executive support for your cybersecurity initiatives?
Determine the necessary preparations from the business side.
3) Leverage Resources
It’s crucial to evaluate the resources at your disposal.
Are you expected to handle multiple responsibilities, in addition to cloud security? Consider the possibility of trade-offs in terms of timing and resource allocation. Explore whether this presents an opportunity to upskill your team or to instigate transformations in processes, technology, or architecture.
Invariably, there is no one-size-fits-all approach to enhancing cloud security.
Every organisation must take into account the unique perspectives outlined above and create their own strategies and agendas. Given the dynamic nature of the external macro-environment and the potential shifts in internal priorities, agility and adaptability are essential attributes to navigate the ever-evolving landscape of cloud security effectively.
That’s it. I am off to read my next “wuxia” novel!
Learn more about CCSP today!