Computerworld
Sun exec: IT security should follow business needs
Proscriptive adoption of information security standards like ISO27001 is bound to fail, Sun's chief technologist says.
Jared Heng (IDG News Service)  30 October, 2008 09:04

Proscriptive adoption of information security standards like ISO27001 is bound to fail, according to Joel Weise, principal engineer and chief technologist, Sun client services security program office, Sun Microsystems.

"Organizations that take the proscriptive approach see security standards as 'to do' lists, when in fact they are only suggested frameworks," Weise said. "This approach will never work as it simply does not consider the organization's particular needs."

Weise said that organizations should build specific security architecture for their particular IT infrastructure that is applicable to business and technical needs.

To build a security architecture, the organization should consider an 'adaptive security' approach, Weise said. "Adaptive security is a framework for elaborating a comprehensive architecture that enables cost-effective risk management for threat containment," he said. "It also seeks to improve operational efficiency and system survivability."

Business complexity

According to Weise, Sun's chief technologist office team came up with the concept of adaptive security, based on work by others.

"Our observation that biological and ecological systems appear to have very reasonable survival capabilities drove the emergence of this concept," Weise said. "So we looked to nature for an appropriate security metaphor."

Feedback from Sun's customers that the business environment has become too complex for the IT department to deal with is another driving factor, Weise said. "For example, the rise of the internet and managed services has added to complexity."

Weise noted that as environmental complexity increases, system security decreases. "Threats are developing faster than counter-measures, while a homogeneous IT environment allows a 'pandemic' to spread quickly."

The chief technologist pointed to the parallel situation in nature where H5N1 bird flu has caused high mortality rates among infected people. "In the same way, if a cyber attack brings down one server in a data center, all other servers may follow," he said.

"Adaptive security seeks to mimic biological auto immune systems at the microscopic level and ecological systems of disparate entities at the macroscopic level," Weise said. "It is not defined by a single system or process."

Adaptive security

Biological systems use immune systems to dynamically respond to threats, while stem cells can be used as a foundation to 'repair' other body elements, Weise noted. Additionally, the human body can discriminate between 'self' features and foreign bodies like liver transplants, which may be rejected.

From a macro perspective, survival of the ecological system does not depend upon the survival of any individual entity. "Ecosystems are by definition diverse and this contributes to their resilience," Weise said.

Weise said that in the same way, IT systems may be designed to adaptively respond to different threats, with self-regulating, self-healing and self-protecting abilities. "This includes the ability to 'know' normal conditions and detect abnormal system behaviors."

Specifically, adaptive security seeks to reduce threat amplification, the area vulnerable to attack, and system recovery time in the event of an attack, Weise said. Other objectives include ensuring the availability and reliability of data and processing resources, as well as reducing attack speed.
