Permaculture in IT Security : Practical Applications

April 19, 2016 Chris Nelson

Part 3: Inside Permaculture Design

This is the final installment of a three-part blog series based on a recent webinar I gave titled Using Permaculture to Cultivate a Sustainable Security Program.
Now that you have a good understanding of permaculture’s fundamental principles and how they relate to the IT security world, let’s drill down into some of their practical applications.

The problem is the solution

This is a challenging concept for some people—whether something is positive or negative is entirely determined by how you view it.

In the garden, slugs are a problem. But if you add ducks, the slugs become a food source for them. And then the ducks provide eggs. In technology, an equivalent might be the training opportunities that arise when software developers deliver code that has vulnerabilities.

Get the most benefit from the least change

In the physical world, an example might be choosing a dam site that delivers the most water in relation to the least amount of earth that has to be moved. In the IT security world, an equivalent goal might be to remove admin rights from workstations, thereby immediately dropping the percentage of malware infections. This is a single action that can have a far-reaching positive effect on an entire organization.

Seeking order yields energy

Disorder consumes energy to no useful purpose whereas order and harmony free up energy for other uses. By embedding operations staff into development teams, for example, you can avoid inefficiencies caused by engineers attempting to simultaneously manage systems while writing code. That situation is fraught with chaotic possibilities, such as introducing code vulnerabilities, causing accounting problems, and ultimately creating more work for downstream departments on into the future.

Learn to harness natural cycles

Every cyclical event increases the opportunity for yield. Consider the software development lifecycle and the plan-build-run model: both are examples of technological cycles that can make IT security defect identification easier by coupling different tools to disparate stages.

In an Agile SDLC model, for example, you perform a static code analysis on code commit, run dynamic analysis during QA testing, a manual code review when accepting the story, and penetration testing at delivery. Coupling this with regular events, such as day-to-day pair programming, monthly static code analysis across the platform, and quarterly penetration testing, results in multiple opportunities to increase the likelihood of defect identification.

As a bonus, concurrent feedback loops also serve to identify control modification and training  needs.

Component diversity

Component diversity doesn’t guarantee stability or yield in and of itself. However, the beneficial connections between those components leads to stability—thereby maintaining a balance between diversity and capacity.

System efficiency depends in large part on how well components are integrated, as well as how capable they are at serving multiple functions. Remember, it’s all about collaboration.

Permitted and forced functions

Key system elements may supply many functions. However, if you force too many functions onto an element, it’ll buckle under the weight. Order is achieved by balancing simplicity and complexity.

The same applies to people. Allow your teams to use the full range of their skills to get the best results. Forcing them to focus on a single function, or spreading them too thinly across too many functions, violates the fundamental permaculture ethic of caring for people.

Work with nature rather than against it

“If we throw nature out the window, she comes back in the door with a pitchfork” (Masanobu Fukuoka, author of The One-Straw Revolution). Pesticides destroy beneficial as well as destructive insects; the following year brings an explosion of pests because there aren’t any predators to control them. If your security controls cause inconvenience to your users, they’ll bypass them.

When we build IT security policies and controls that function within the flow of the organization, enhanced security is the natural outcome.

Applying principles and laws to design

The life intervention principle tells us that, while chaos results in underperforming systems and unhappy people, we can escape that by applying creative order. The law of return dictates that whatever we take, we must return.

Our goal is to prevent system surpluses from disappearing before the basic needs of the whole system have been met. Every person or individual component affects the whole; collectively, we serve the goals of the system and ultimately the business.

Proper placement principle

Since we’re working on small solutions and iterative improvements, we’re learning as we go. By accepting from the outset that we don’t know everything, we’re in a better position for unexpected results. And those results are more likely to be favorable.

Obtaining exportable yields

This is the classic feedback loop applied in steps: get one critical project stabilized and working well before expanding to others. The military concept of observe, orient, decide, act (the OODA loop) is a great way to embrace the management flexibility required for this cycle.

Putting it all together

We’ve reached the end of the “theory” part. Let’s give a bit of thought to some practical applications for getting started.

Begin your design on paper and start small, expanding outward using the zones. Understand and acknowledge all of your realities—process, teams, personalities, technology—across the entire business. All the while remember that everything can be viewed as a positive once you know what you’re dealing with.

Every design is an assembly of parts. Your first priority should be to locate and cost those components. When you encounter scarcity, look closely at the resources you have around you, and how they might be able to serve the required function. However, don’t forget that relationships are everything, so don't do anything to jeopardize them.

Planning is critical, but don't let your plan get in the way of what you don't know. Account for that concept, work in small solutions, and iterate. Deliver small, easily achieved units at a time, each having clear value. Design success comes down to how it’s accepted and implemented by the people on the ground.

Mother (Nature) knows best

Despite our many attempts to disrupt her, Mother Nature has been managing the world pretty efficiently for many millions of years. Permaculture simply reminds us to listen to what she tells us, and apply it across every aspect of our life. We hope you've enjoyed this brief tour, and that we have inspired you to adopt some or all these concepts into your own programs.

If you’re interested in learning more about permaculture, two key books include: Permaculture: A Designer's Manual by Bill Mollison, and David Holmgren’s Permaculture: Principles and Pathways Beyond Sustainability. Permaculture design courses are available in person or online through the Permaculture Research Institute. Additional useful information can be found at and

To learn more about how Distil Networks can help you build on the permaculture approach to deliver seamless IT security within your organization, head on over to for your no-strings evaluation.

Want to watch the full webinar?  

Visit our website to watch the recording of Using Permaculture to Cultivate a Sustainable Security Program.

About the Author

Chris Nelson

Chris has a passion for security, especially building security programs and teams in incredibly dynamic organizations. Chris joins Distil Networks as the Director of Security, where he will continue to expand on experimenting with Permaculture in the design and implementation of security programs and controls. At the end of the day, it is the Permaculture ethic “Care for People” that drives him most. Throughout his career in every type of organization from government to Fortune 500 he has seen how focusing on that foundation drives better results, unless you are looking for spectacular failure, then it’s ok to ignore that ethic.

More Content by Chris Nelson
Previous Article
Cloudflare vs Tor: Is IP Blocking Causing More Harm than Good?
Cloudflare vs Tor: Is IP Blocking Causing More Harm than Good?

Cloudflare vs Tor: Is IP Blocking Causing More Harm than Good? CloudFlare blocks legitimate Tor users about...

Next Article
Why I Joined Distil Networks
Why I Joined Distil Networks