The DIE Security Model for Small Business.

The DIE Security Model for Small Business.

In the realm of computer security there are two popular models:

  • The CIA Triad
  • The DIE Model

The CIA Triad is the "traditional" model. It is old (in computer terms...and so old that no one knows exactly when it was created), well established, easy to understand and easy to apply. I wrote a blog post about it here.

Reminder: CIA acronym for Confidentiality, Integrity, Accessibility.

The DIE Model is new-ish and was created by Sounil Yu to address the short-comings of the CIA Triad and in particular the challenges applying the CIA Triad to secure large decentralized systems.

In brief, the shortcomings of the CIA Triad are:

  • Requires 100% perfect knowledge, which is impossible to achieve.
  • Focuses on security information contained within systems, which becomes challenging as the quantity of information grows and as the information becomes increasingly decentralized.

What is the DIE Model?

DIE is an acronym for:

  • Distributed: preventing dependence on a single system
  • Immutable: making assets impossible to change
  • Ephemeral: designing assets to have a short and defined lifespan

Understanding the Differences Between the CIA Triad and the DIE Model

As mentioned above, the CIA Triad focuses on securing information within systems and reducing risks. The DIE Model focuses on securing infrastructure and reducing impact.

The popular analogy differentiating the two models l is describing technology assets in terms of "pets" vs. "cattle". In the CIA Triad assets are treated as "pets":

  • Valuable
  • Irreplaceable
  • To be secured, monitored and carefully repaired if damaged

In the DIE Model assets are treated as "cattle":

  • Expendable
  • Easily replaceable
  • Destroyed when damaged

In the DIE Model assets are designed to be as low in value as possible. Even if they are vulnerable, the impact is not worth the effort it takes to fully secure them.

In the realm of security this shift in attitude is immensely uncomfortable. The payoff is more resilient and quicker to recover systems and operations.

Applying the DIE Model to Small Business

In the context of security, the CIA Triad makes sense for small businesses. Small businesses are typically not managing massive numbers of servers. Small businesses do not typically have massive amounts of decentralized data. In most cases, small businesses are consumers, not providers, of these types of services and systems.

So, we are left with the question, "What value can a small business get from the DIE Model?"

In the context of security, not much. However, if we shift our context from security, then there are several ways the DIE Model can benefit a small business.

Let's look at each element:

Distributed

  • Are you reliant on a single location or single piece of equipment?
  • Can you access your data in multiple ways?

Examples:

  • When doing disaster recovery planning people tend to focus on the big events: power outages, hurricanes, flooding, etc. What about smaller events, like a storm where there is typically some notice and the impact is only the ability to travel or if the Internet goes out in your office. How quickly and easily can you shift your operations?
  • Lots of small businesses rely on cloud storage (i.e. Dropbox, OneDrive, etc.) and many users only know how to access their files one way. The same could be said for email...they know how to use Outlook, but what about accessing their email from a web browser?

Applying distributed thinking can be a simple as replacing desktop computers with laptops or training users on how to access their information in multiple ways.

Immutable

In the DIE Model immutability makes it easier to detect unauthorized changes in systems.

For small businesses the most applicable example for immutability is backups. Over the years I have encountered many businesses who conflate the idea of a copy of data with the immutability of data. One conversation I had with a business owner several years ago went something like this:

Me: "Do you have a backup?"

Business Owner: "Yes, we kept all our data in the cloud with Dropbox."

Me: "That is not a backup."

BO: "It is good enough for us."

Me: "Okaaay."

Several months later the business owner downloaded ransomware which proceeded to encrypt all the files on his hard drive. Since he was using Dropbox, these changes cascaded to the "backup" in the cloud. It cost thousands of dollars to repair.

After that he asked me to implement a proper backup.

Another example of immutability is email. In finacial services (i.e. broker dealers) there is a requirement that all electronic communications be audited. This is done by created an immutable copy of every email independent of the mail server. IMHO, having an immutable copy of email is valuable to all businesses even if there is not a industry requirement as it enables recreating communications even if the originals has been destroyed by accident or malfeasance.

Ephemeral

Ephemeral in the DIE model is the idea that systems are created and destroyed as needed. For cloud application providers the idea is that additional systems can be added when demand is high and destroyed when demand is low.

Imagine being able to treat your personal workstation as disposible. Not the hardware itself, but the configuration and user experience. Armed with the knowledge that should a computer break, disappear or be destroyed you can easily recreate all your configurations and customizations with minimal effort and time.

This is more complicated to do for an end user workstation than it is for identical virtual servers running in the cloud. However, even if 100% of the process cannot be automated imagine if 75, 85 or 90% of the work you do to setup a workstation were automated? The impact and value to productivity and disaster recovery is massive.

Just my 2 cents.