Being a lifelong techie, I’ve been working with the Open Systems Interconnection (OSI) model for over 30 years in various organisations, and it is a tried-and-tested model on which all modern networks are based. I’ve also worked to secure each layer to ensure that communication and data transfer mechanisms conform to the well-known triad of Confidentiality, Integrity and Availability.
Examples range from securing Layer 1 (Physical layer) using bespoke hardware and software products to provide resilient and secure networking, through to securing Layer 7 (Application layer) to limit and mitigate attacks on web applications. Those of us in the tech industry are well versed in these technologies and techniques and use them every day. They are ubiquitous and very well documented, so organisations can pick and choose the flavour which will help them reduce their attack surface and provide compliant and hardened environments from which to work.
So that’s great news – software and hardware vendors provide us with the tools to design, implement and maintain our super secure environments, so once delivered, we’ll all be home in time for tea and medals.
But there is one crucial thing missing from this Utopian view of security … this is where Layer 8 comes in.
What is Layer 8, I hear you ask? The OSI model has been around since the early 80s and only contains 7 layers, so you can’t just add on new ones! Layer 8 is a theoretical layer that sits above all seven layers and can be referred to as the “User Layer”.
As previously mentioned, we have all the tools, so why add on an extra layer? This is because human beings need to put the relevant pieces together correctly to reach the desired state of security. Imagine buying a bookshelf from a certain Nordic flat-pack retail company. You have all the relevant parts and documentation to create the bookshelf, but you don’t have the actual skills to piece them all together. If you continue without having the relevant skills, you may end up with a bookshelf that isn’t fit for purpose or, even worse, could actually be dangerous. Enabling Layer 8 security follows the same line of thinking. IT engineers and administrators need to understand how to build, configure and integrate the various products to reach an agreed end state using repeatable and compliant methodologies.
Above the User Layer, there are also the theoretical Organisation and Government layers which I may cover in a separate post.
There are a number of security-related phrases which bear this out, such as “Security is everyone’s responsibility”, “Security is a process not a product” and “Security is key to your business success”. By having fully trained and security-aware staff across the whole organisation, you can start to create a “Security by Design” culture and begin to embed security processes earlier into the platform design and architecture processes.
Making this behavioural and cultural change to a DevSecOps-focused mindset doesn’t happen overnight, and it takes both perseverance and a willingness to change. This should come from both a bottom-up and a top-down approach. Engineers and developers need to embrace security, either via osmosis through being part of a cross-functional team or through official training (either internal or external). Senior managers and CISOs should articulate the security requirements and risk management strategies across the organisation so that every member of staff understands why they need to build in security by default.
Technology is purely an enabler to create a more secure and robust environment. It is the people (Layer 8) implementing the technology in accordance with a documented security strategy that actually makes the magic happen.
Now, back to building my flat-pack bookshelf …