Permaculture Meets Information Security

March 9, 2016 Chris Nelson

It’s OK—you haven’t stumbled into a farming blog by mistake.

I recently gave a webinar in which I took the principles of permaculture—the practice of using design principles observed in natural ecosystems—and applied them to the world of information security. The synchronicity is actually quite remarkable. It’s also sufficiently valuable as a model, so we’re devoting a three-part series to examining 1) the various aspects of permaculture, and 2) how embracing its principles can improve the business of information security.

Permaculture focuses on harmonious integration—working with, rather than against, nature—and embracing collaboration over competition. Developed by Bill Mollison and David Holmgren in the mid-1970s, it embraces three basic ethics: care of the earth (or, in our case, the system), care of people, and reinvesting the surplus. By inviting us to view information security through these three lenses, Nelson suggests that we’re almost guaranteed to see immediate as well as long-term improvements.

As you read this series, think about some of the larger professional challenges you face. Lack of resources (people, technology, budget, or any combination thereof), competing priorities, balancing compliance requirements and business needs, awareness and training, enforcing policies or standards—all are appropriate for the application of permaculture principles, as you’ll come to see.

Part 1: The 12 Principles of Design

(part one of a three-part series)

Always begin with observation

Principle #1: Observe and interact

By taking the time to engage with our systems—as well as the teams designing, developing, managing, and using those systems—we can ensure our solutions are appropriate for both the immediate situation and the organization as a whole.

Principle #2: Integrate rather than segregate

By putting everything in its correct place, relationships develop between those things. This leads to their working together in support of each other and the whole.

Infosec teams can use this principle to insert security into every aspect of the organization.

From observation to design

Principle #3: Design from patterns to details

The patterns we observe in nature and society we also see in our systems and our teams.

Pattern recognition has long been a part of malware research. It’s particularly effective in a threat-centric approach to information security; patterns form the backbone of designs, and we fill in the details as we go.

Principle #4: Use small and slow solutions

Small and slow systems are more observable and maintainable than large ones.

This principle enables us to make better use of available resources and produce more sustainable outcomes. Such systems also allow for faster, more contained failures.

Principle #5: Use edges and value the marginal

The interface between systems is usually where the most interesting events happen.

Where the traditional data center meets the cloud is a great place to uncover increased business value and recycling of surplus outputs .

Optimize resource use

Principle #6: Use and value renewable resources and services

Make the best use of abundance while reducing churn and wasted efforts.

For example, the platform used for system monitoring can also be used for security monitoring, with the operational metrics supporting incident response..

Principle #7: Produce no waste

By valuing and using all available resources, nothing goes to waste.

How often is software purchased and never (fully) implemented? Consider also responsibility and requirements overlaps between security, privacy, and compliance teams.  Can the work of one team be performed collaboratively or on behalf of the others?

Principle #8: Catch and store energy

Systems that collect resources at times of peak abundance can provide fill-in resources in times of shortage.

This translates to continuously collecting information, not waiting for an incident, and sharing expertise across the organization.

Everything has positive resource potential

Principle #9: Use and value diversity

Diversity reduces vulnerability to a range of threats and takes advantage of its unique environment.

Principle nine argues in favor of multiple vendor solutions over single-vendor ones, making it tougher for the bad guys to get past all your security layers. While this increases complexity for your support teams, it also lets them learn additional products or platforms, further increasing their value to your organization or for future endeavors.

Principle #10: Apply self-regulation and accept feedback

Discourage inappropriate activity to ensure systems can continue to function optimally.

By balancing everyone’s needs, individuals are less likely to circumvent security measures. Continuous feedback loops help, too.

Principle #11: Creatively use and respond to change

Change is inevitable, so make sure you can have a positive impact.

This comes through observation and monitoring. For example, it may be advantageous to intervene at an appropriate time to adjust training provisions or monitoring practices.

Principle #12: Obtain a yield

It’s harvest time.

Are you delivering value to your teams and the organization as a whole? If you’re managing the state of the information security system as a whole and not just an individual elemental system, then you should be seeing significant yield in both categories.

Applying permaculture principles

How you apply these principles to your organization depends on your environment and the maturity of your security operations. Most will find that even taking an ad-hoc approach still produces measurable value-add. From this superficial review, it’s clear that investment in holistic care for your systems and your people has the potential for significant yield for reinvestment.

Coming Soon - Part 2: The Six Zones of Permaculture

Whether you’re building a new security organization from scratch, or fine tuning an existing program, don’t miss the next part of this blog series. Part two continues this permaculture analogy but focuses on increasing the value of this approach even further by using the “The Zones of Permaculture”.

Want to view the full webinar?  

Visit Distil on the web to check out Using Permaculture to Cultivate a Sustainable Security Program.

About the Author

Chris Nelson

Chris has a passion for security, especially building security programs and teams in incredibly dynamic organizations. Chris joins Distil Networks as the Director of Security, where he will continue to expand on experimenting with Permaculture in the design and implementation of security programs and controls. At the end of the day, it is the Permaculture ethic “Care for People” that drives him most. Throughout his career in every type of organization from government to Fortune 500 he has seen how focusing on that foundation drives better results, unless you are looking for spectacular failure, then it’s ok to ignore that ethic.

More Content by Chris Nelson
Previous Article
Permaculture Zones and IT Security
Permaculture Zones and IT Security

Permaculture Zones and IT Security. Align information security processes & controls to the six zones of pe...

Next Article
RSA 2016 Cyber Security Trifecta
RSA 2016 Cyber Security Trifecta

2016 RSA Conference Cyber Security Trifecta with Distil Networks : free prizes at booth #2441, a food truc...