Permaculture Zones and IT Security

March 22, 2016 Chris Nelson

Part 2: The Six Zones of Permaculture

This is part two of a three-part blog series based on a webinar I recently gave titled Using Permaculture to Cultivate a Sustainable Security Program.

In our last post, “Permaculture Meets Information Security,” we looked at the design principles behind permaculture—care of the Earth (or the system), care of the people, and reinvest the surplus—and how we can use these ethics as lenses to view and optimize our approach to information security. Now we’re going to take a look at the six permaculture zones and how they can be used to prioritize work.

Permaculture zones are used to organize design elements based on frequency of use or need. The lowest number (0) denotes the most frequently touched, while the highest number (5) is equivalent to wild land, requiring no human effort to produce anything. Zones are used to prioritize effort, enabling you to initially focus on immediate value, smaller solutions, and those items needed on a more frequent basis.

[Figure: Permaculture Zones]

Zone 0 is the center from which we work. The goal is to reduce energy, harness resources, and create a harmonious, sustainable environment in which to (live and) work. This puts us in the ideal state to address the remaining zones.

Zone 1 is where system elements needing the most frequent attention are located. It also contains those elements requiring continuous observation (monitoring) and complex techniques. This zone should be designed to ensure the environment optimally serves our needs.

Zone 2 is a “hygiene” zone, where we place elements requiring maintenance, but not a great deal of creative input.

Zone 3 is where the main system elements are located. Once established, they require minimal effort to deliver planned results.

Zone 4 is a semi-wild area, containing elements which might need to be occasionally checked to ensure they’re still functioning correctly—but otherwise require no human input.

Zone 5 is the wilderness, where human intervention is limited to observation of natural cycles. It’s the place we learn the rules we aim to apply to work in the inner zones.

Aligning information security processes and controls to permaculture zones

So how do security concepts line up with this zoned approach? For the purpose of illustration, let's assume the following:

  • You receive 25–50 IDS alerts a day,
  • You update your malware system or respond to alerts ten times a week,
  • You review VPN logs once a day, and
  • You deploy one static code analysis a day.

Using this information you can begin to align your tools with specific zones:

  • IDS is in Zone 1 because these alerts happen frequently and are a strong indicator of compromise, but don’t involve much interaction time.
  • Malware issues have a similar pattern to IDS alerts, but the incidents are less frequent, pushing them out to Zone 2.
  • VPN log reviews and static code analyses fall into Zone 3, thanks to less-frequent occurrences (but a need for greater human intervention during such occurrences).

Ultimately you end up with something like:

[Figure: Security Processes and Permaculture Zones]

These are not hard-and-fast rules. If you do multiple code commits per day, for example, static code analysis would fall into a lower-numbered zone. Essentially, zone alignment is based on the number of times you need to touch the security control. It’s a great way to begin the application of the design principle—from patterns to details.

Applying zoning to your systems

The most effective way to apply the zoning model to your environment is to bring together components that complement each other, and then look for opportunities to stack functions for increased efficiency. If every element serves at least two functions, the efficiency quotient automatically improves—but beware of loading so many functions onto an element that it collapses under its own weight.

Here is how a farmer, whose primary crop is squash, might do function stacking:

The crop sits in Permaculture Zone 3 because squash needs little human intervention between planting and harvest. However, the farmer has concerns about squash bug infestations and, because the farm is organic, natural pest controls must be used. He plants radishes between the squash plants, because they repel squash bugs—plus he gets to harvest them as an additional crop. But if he adds a third crop to the same field, he runs the risk of draining too much nutrition from the soil, thereby impacting the yield value of all three crops.

In the world of information systems, areas like configuration management utilize function stacking. Not only does it reduce the time (and touch factor) required to deploy systems, but the control standards thus enforced also lead to a significant reduction in management and maintenance complexity. But if you were to try to make configuration management also handle all your patching and updating requirements, for example, you would run the risk of unanticipated incompatibilities with apps added by users.

Bringing it all together

Permaculture design incorporates other concepts that enhance the 12 design principles and their associated zones of priority. In the final post of this series, we’ll look at the yin and yang of permaculture, and how you can harness your natural environment cycles to deliver the greatest benefit to your organization.

Want to watch the full webinar?  

View the full webinar here: Using Permaculture to Cultivate a Sustainable Security Program.

About the Author

Chris Nelson

Chris has a passion for security, especially building security programs and teams in incredibly dynamic organizations. Chris joins Distil Networks as the Director of Security, where he will continue to expand on experimenting with Permaculture in the design and implementation of security programs and controls. At the end of the day, it is the Permaculture ethic “Care for People” that drives him most. Throughout his career, in every type of organization from government to Fortune 500, he has seen how focusing on that foundation drives better results (unless you are looking for spectacular failure, in which case it’s OK to ignore that ethic).
