When I was six years old, my parents bought a car that had a cassette player in it. From that moment began years of listening to my parents’ 60s music during car rides. To say that those artists and songs had an impact on me and the way I view the world would be an understatement.
When my father passed in June, 2023, it catalyzed quite a bit of thinking, analysis, and introspection, as one might imagine it would. Some of what I reviewed in my mind were the artists and songs featured during all of those car rides. It turns out that one artist, in particular, had written a song whose lyrics would inspire my keynote at the 2024 FS-ISAC Fall Summit.
That keynote was entitled, “What Joni Mitchell Can Teach Us About Our Security Journey”. You may be asking yourself what exactly Joni Mitchell has to do with security at all and what might have inspired me? Well, as it turns out, quite a bit more than you might initially expect.
To understand where I’m going with this, let’s begin by analyzing the first three stanzas of Joni Mitchell’s famous song “Both Sides Now”:
Stanza 1:
Rows and floes of angel hair
And ice cream castles in the air
And feather canyons everywhere
I’ve looked at clouds that way
In this first stanza, Joni describes a naive, innocent, blissful way of looking at clouds. This is reminiscent of the way in which many people viewed the cloud 15-20 years ago. The prevailing wisdom at the time was that everything would move to the cloud, and that the cloud would be the solution to many of the technology and security problems that plagued us at the time. Indeed, time has shown that to be a very naive, innocent, and blissful way of looking at the cloud.
Stanza 2:
But now they only block the sun
They rain and snow on everyone
So many things I would have done
But clouds got in my way
In the second stanza, Joni’s approach to clouds has changed quite a bit. She now describes negative experiences and effects that result from clouds. This is similar to the way in which many people view the cloud today. The reality that most enterprises find themselves in is one of hybrid and multi-cloud environments. The environments are extremely complex and bring with them increased risk, lack of telemetry/visibility, and lack of agility. It is a much darker, but perhaps more sober way of looking at the cloud.
Stanza 3:
I’ve looked at clouds from both sides now
From up and down, and still somehow
It’s cloud illusions I recall
I really don’t know clouds at all
In the third stanza, we see a more balanced approach to clouds that would appear to result from a bit of a life journey. Indeed, Joni seems to describe that clouds are in fact neither all good nor all bad. They are, like most things in life, complex. Further, Joni highlights that we can’t really know clouds, but rather, we can merely see one or more perspectives or vantage points that we can observe and internalize.
To me, this seems like where our thinking as a security field is headed as it relates to the cloud. The cloud brings with it plenty of advantages, while at the same time, it brings many challenges. It is a complex entity, neither all good nor all bad. Our experience with the cloud is a journey, just as Joni’s experience with physical clouds is a journey. If we embrace this complexity and this journey, we just might be able to change the way we approach security challenges and make new progress towards solving some of the chronic problems we face as a community.
Joni then goes on to describe this journey as it relates to love and life in the remaining six stanzas of the song, but that analysis is beyond the scope of this article. “Both Sides Now” is a great song – I highly recommend giving it a listen.
Coming back to our topic, given that security in modern infrastructures is a journey, and that it is okay for hybrid and multi-cloud environments to be complex, multi-dimensional, and make us a bit uncomfortable at times, let’s have a look at some data from F5’s 2024 State of Application Strategy report to understand a bit about the impact the cloud has had:
- The average financial company manages 601 APIs
- 88% of organizations operate in two or more environments
- 38% of organizations operate in six or more environments
- 56% of organizations make app-by-app deployment decisions
- 67% of app services are deployed in the cloud
Building on this insight, what lessons can we learn from Joni Mitchell and apply to our security programs? This is an important question, since due to business drivers around cost, innovation, remaining competitive, and speed to market, hybrid and multi-cloud environments are not going anywhere any time soon.
There are likely many lessons we can learn from Joni’s poetic lyrics, but here are a few:
- Take inspiration and lessons from various places: There are a lot of lessons that the world around us can teach us. We just need to open our eyes and minds and take it all in. We need to find inspiration in the analog world and apply it to security problems.
- Leverage the wisdom of other professions and genres: Most professions have been around far longer than the security profession. It would be foolish of us to think that we can’t learn a thing or two from those professions. After all, they’ve likely solved a few important problems during the course of their existence.
- It is okay to be moved and motivated by poetry: There is no shame in being moved by art, music, literature, and/or poetry. There are great works out there that people have created through inspiration, hard work, and dedication. Surely we can learn a thing or two from that in the security field.
- Embrace the cloud security journey as a good thing: Looking at cloud security as a journey is a good thing. That allows us to apply fresh thinking and new perspectives to hopefully address some of the persistent challenges that have been plaguing us as a field.
- Focus on the business angle and on being a partner: Security cannot be the Department of “No”. We need to understand the priorities, issues, and challenges the business faces. We need to build a partnership with the business to facilitate the business running profitably, effectively, and securely.
- Realize that we really don’t know clouds at all: As with most things in life, the cloud is sufficiently complex and multi-dimensional. We’re not going to be able to get to a ground truth, full understanding of the modern enterprise environment. Instead, we’ll have to take various perspectives and vantage points and base our decisions off them. As we do this, however, it is important to remember that we will never have a complete view, and as a result, we may encounter data from time to time that informs us that we need to course correct.
A Joni Mitchell song from the 1960s may initially seem like an odd place to find inspiration for security challenges. After coming along on this journey with me, however, I hope you’ll agree that Joni can teach us a lot about securing hybrid and multi-cloud environments. One thing is for sure – we need to expand beyond the conventional wisdom to effectively tackle some of today’s most pressing security challenges.
About The Author
Original post here
