Replacing the “coconut” security model with the “avocado”

Ever since I graduated as an engineer, I have been using the same successful internet security model with the following guiding principle: make it as difficult as possible to attackers to get into the network.

This model meant building a security architecture with multiple layers of controls. Sometimes, I ended up building models with the same control, but with different vendors; my thought was that if one vendor didn’t stop a threat, the other vendor could provide the coverage. I had been using this model for the last two decades. I call it the “coconut model”; it is very hard on the outside, almost unbreakable, and resistant to all types of threats. The “crown jewels,” safely inside that hard shell, would then be properly protected. At the same time, once you’re in, you can easily access data.

But attacks would still get through. Attackers became more sophisticated, using “zero-day” vulnerabilities and bypassing all controls. The model with a dual-vendor strategy did not work, because all vendors would be blind to zero-day vulnerabilities. Another consequence of this model was the complexity it created. Maintaining a cohesive and consistent configuration to enforce the company’s policy was becoming more and more challenging. And, not surprisingly, user experience suffered. There were multiple steps required just to get to applications and exasperated users would find ways to bypass the controls that were keeping them from doing their jobs. With the coconut model, maintaining a cohesive system has been a real challenge, and the time it takes to deploy a new policy and ensure its proper deployment has been a security operations Achilles' heel.

We need a new security model because the geometry of the network has changed. Applications have moved out of their physical locations inside the security perimeter and into the cloud. Users are working outside the enterprise perimeter, as well. I believe we need a new model based on controlling risk and, at the same time, taking user experience into account. After all, not all threats require the same level of countermeasures.

While the “coconut” model is based on protecting the inside by creating a very solid layer on the outside, I thought about reversing the concept. This new model would actually be very hard on the inside, where the critical data is protected. The outside would be soft, enabling users to connect to applications and collaborate internally and with their external customers and partners. I call this the “avocado” model: soft on the outside and really hard inside, protecting the crown Jewels. This model simplifies access for users and protects the enterprise’s key assets. This is the outer layer of the avocado. All assets do not need to be protected with the same controls. For example, intranet content, which is generally visible to all employees, does not require the same level of controls as the financial database or industrial plans application data. Key assets should be identified, and the adapted security controls should be implemented. This is the core of the avocado.

Many of the controls in this model have to be implemented in the cloud, as applications and users are moving to the cloud. The benefit of leveraging a cloud-based implementation is having a consistent configuration no matter where users are. Security policy is quickly deployed and committed.

So, goodbye to coconuts; and welcome to the avocados.