BioMimicry: 5 Security Design Principles from the Field of Cellular Biology

The Human Factor

In today’s threat landscape, it’s increasingly necessary to ensure your organizational design for security is responsive — that leaders prioritize building technology AND people power to stay as nimble as adversaries.
 
Information Security is often addressed through its technical components: a new network patch, an encryption service, or a private network to keep us safe.

And yet, experts in information security consistently cite the human factor as the biggest vulnerability in any organization. PricewaterhouseCoopers' State of Cybercrime Survey found that:

  • 44% of data breaches are attributable to insiders.
  • 90% of insiders displayed no worrying characteristics prior to their attacks.
  • 80% of attacks are committed during work hours on company-issued software.

Indeed, designing security systems doesn't begin with an email from Information Security demanding that your team get behind the enterprise's new policy on single sign-on. In today's connected world, endpoints proliferate faster than barriers can be erected around them. The future of security requires interdisciplinary teams working together. Security isn't a mandate from a specialized office: it's a new way of life we all must adapt to.

It is a change in mindset to think proactively about security instead of defaulting to "it's someone else's problem." What's needed is an approach to security innovation that manages this paradigm shift while ensuring scalability, sustainability, and of course growth.

BioMimicry Design

BioMimicry is an approach to innovation that seeks solutions to human challenges by emulating nature’s time-tested patterns and strategies. Formally, it means the design and production of materials, structures, and systems that are modeled on biological entities and processes.

The functionality of a vacuole, a biological structure that guards and promotes growth, illustrates the value of adaptability as a guiding principle for security. These membrane-bound organelles are present in all plant and fungal cells, and their functions and significance vary greatly with the type of cell in which they are found. Vacuoles are enclosed compartments filled with water containing inorganic and organic molecules, and are formed by the fusion of multiple membrane vesicles. The organelle has no fixed shape or size; its structure varies according to the requirements of the cell.

A given vacuole's function depends on what it is storing. Vacuoles hold what's crucial for the survival of the cell and export and ferry waste products, all while maintaining an environment that allows resources to flourish. They accomplish this by maintaining adequate pressure and an acidic internal pH. Finally, the vacuole functions to isolate threats and to support the growth and scalability of the cell.

A vacuole provides a localized place for processes in the cell to happen. Without vacuoles isolating, transporting, and moving things around the cell, it would die. A unique quality of a vacuole is its ability to merge with a membrane, become part of it, and unmerge.
 
 This is a highly agile way to conceptualize the role of security. More concretely, it provides guiding principles for all security professionals to keep top of mind when designing code, programs, and architecture:

Function 1: Contain What’s Necessary

Vacuoles can contain just about anything, isolating substances to create specific environments. For example, a function of vacuoles in plant cells is to contain water.
 
When designing for information security, interdisciplinary teams should decide which pieces of data are valuable and cannot be lost. Is it a data pairing? A customer email in conjunction with a shopping list? Ensure you have a prioritized list of which data would do the most damage if compromised. Security design should ensure that the most important, sustaining priority of the business (a particular capability, function, metric, motion, or data pairing) is identified and retained at all costs. It is through this that the entire organization lives.

Function 2: Export Waste Products

Vacuoles function to export unwanted substances from the cell. Ensure that you are thinking proactively about how anomalies within data will be detected, flagged for review, and then automatically eliminated from the system. In addition to a data deletion and purging strategy, think about ways to proactively flag data known to be problematic — for instance, anything that falls within new European Union guidelines.
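The detect, flag-for-review, purge loop described above, as an added example that is not part of the original article. The record layout, the category retention periods and the "EU subject without recorded consent" rule are all constructed for illustration and do not quote any specific regulation; the point is that only records past a hard retention limit are removed automatically, while anything ambiguous is held for a human decision rather than silently kept or deleted.

```python
"""Added example: detect, flag for review, and purge problematic records.

Assumptions (not from the article): a record store is a list of dicts with
'id', 'category', 'subject_region', 'consent' and 'created' fields; the
retention policy below is hypothetical.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed retention policy: days a record may be kept, per data category.
RETENTION_DAYS = {"marketing": 180, "transaction": 365 * 7, "support": 365}


@dataclass
class SweepResult:
    flagged: list = field(default_factory=list)   # needs a human decision
    purged: list = field(default_factory=list)    # removed automatically
    retained: list = field(default_factory=list)  # within policy


def classify(record, now):
    """Return 'purge', 'flag' or 'keep' for one record."""
    age = now - record["created"]
    limit = RETENTION_DAYS.get(record["category"])
    if limit is None:
        return "flag"  # unknown category: nobody has set a policy, so ask a human
    if age > timedelta(days=limit):
        return "purge"  # past retention: export the waste automatically
    # Constructed rule: EU-region personal data with no recorded consent is
    # flagged for review, not quietly kept and not deleted without a look.
    if record["subject_region"] == "EU" and not record["consent"]:
        return "flag"
    return "keep"


def sweep(records, now=None):
    """Classify every record; returns the three id lists."""
    now = now or datetime.now(timezone.utc)
    result = SweepResult()
    buckets = {"purge": result.purged, "flag": result.flagged, "keep": result.retained}
    for rec in records:
        buckets[classify(rec, now)].append(rec["id"])
    return result


def purge(records, result):
    """Drop only the auto-purged records; flagged ones stay until reviewed."""
    gone = set(result.purged)
    return [rec for rec in records if rec["id"] not in gone]


# Constructed sample records (not real data).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE = [
    {"id": "r1", "category": "marketing", "subject_region": "US", "consent": True,
     "created": NOW - timedelta(days=30)},
    {"id": "r2", "category": "marketing", "subject_region": "EU", "consent": False,
     "created": NOW - timedelta(days=30)},
    {"id": "r3", "category": "marketing", "subject_region": "EU", "consent": True,
     "created": NOW - timedelta(days=200)},
    {"id": "r4", "category": "legacy", "subject_region": "US", "consent": True,
     "created": NOW - timedelta(days=10)},
]

if __name__ == "__main__":
    res = sweep(SAMPLE, NOW)
    print("flagged:", res.flagged, "purged:", res.purged, "retained:", res.retained)
    print("remaining:", [rec["id"] for rec in purge(SAMPLE, res)])
```

Running the sweep against the sample: r3 is purged (200 days against a 180-day limit), r2 and r4 are held for review (missing consent and an unpoliced category respectively), and r1 is retained. The review queue is the safety valve; an automatic purge that also deleted the flagged rows would be the kind of silent data loss the "contain what's necessary" principle warns against.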

Function 3: Maintain Pressure & Balance

A vacuole maintains hydrostatic pressure within the cell, growing or shrinking as needed to keep that pressure steady.

Similarly, a security system should be designed for varying levels of attack and pressure. A homeostasis point should be identified, and deviations from it detected and investigated. Behavioral nudges (channel factors, command authority, priming) should all be used to maintain a cultural, technological, and role-based system in which the baseline is known and departures from it are noticed.

Function 4: Isolate Threats

A vacuole isolates materials that might be harmful or threaten the cell.

A guiding principle for security design is to not design only around detection, but also for isolation of potential harm. Implement principles of least privilege, form interdisciplinary committees to iterate on what constitutes a threat, and set thresholds of containment. It's not enough to leave it to Information Security to determine harm — the entire enterprise must be involved in helping tag and identify potential anomalies.
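The homeostasis point of Function 3 and the containment thresholds of Function 4, worked together as an added example that is not part of the original article. The log format, the per-user baseline history and the three response tiers (observe, investigate, isolate) are constructed assumptions; the design point is that the baseline is computed per user rather than as one global number, that a user with no baseline is investigated rather than trusted, and that isolation is a separate, higher threshold from investigation.

```python
"""Added example: per-user baseline (homeostasis) with graded containment.

Assumptions (not from the article): auth log lines in the constructed form
'<ISO timestamp> <user> <success|failure>'; a baseline of daily failure counts
from quiet days; hypothetical z-score thresholds for the response tiers.
"""
import re
import statistics
from collections import Counter

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<result>success|failure)$")

# Constructed baseline: failed logins per user on five quiet days.
BASELINE_FAILURES = {
    "alice": [1, 0, 2, 1, 1],
    "bob": [0, 1, 0, 1, 0],
    "carol": [3, 2, 4, 3, 3],
}

# Hypothetical thresholds, in standard deviations above the user's own mean.
INVESTIGATE_Z = 3.0   # flag for a human to look at
ISOLATE_Z = 6.0       # contain first, then look


def baseline(history):
    """Per-user (mean, stdev) of daily failures: the homeostasis point."""
    out = {}
    for user, days in history.items():
        mean = statistics.mean(days)
        sd = statistics.pstdev(days)
        # Floor the stdev so a perfectly flat history still tolerates small noise
        # instead of turning a single extra failure into an alert.
        out[user] = (mean, max(sd, 0.5))
    return out


def parse_failures(lines):
    """Count failures per user in the observed window; malformed lines are skipped."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m and m.group("result") == "failure":
            counts[m.group("user")] += 1
    return counts


def triage(counts, base):
    """Map each user to a response tier by z-score against their own baseline."""
    decisions = {}
    for user, n in counts.items():
        if user not in base:
            # No homeostasis point exists for this identity: investigate by default.
            decisions[user] = "investigate"
            continue
        mean, sd = base[user]
        z = (n - mean) / sd
        if z >= ISOLATE_Z:
            decisions[user] = "isolate"
        elif z >= INVESTIGATE_Z:
            decisions[user] = "investigate"
        else:
            decisions[user] = "observe"
    return decisions


# Constructed observed window (not real logs).
OBSERVED = [
    "2024-06-01T09:00:00Z alice failure",
    "2024-06-01T09:00:05Z alice success",
    *["2024-06-01T09:01:%02dZ bob failure" % i for i in range(12)],
    *["2024-06-01T09:05:%02dZ carol failure" % i for i in range(6)],
    "2024-06-01T09:06:00Z mallory failure",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    base = baseline(BASELINE_FAILURES)
    counts = parse_failures(OBSERVED)
    for user, tier in sorted(triage(counts, base).items()):
        print(f"{user:8s} failures={counts[user]:2d} -> {tier}")
```

On the sample window, alice's single failure is within her normal range and is only observed; carol's six failures sit about 4.7 standard deviations above her mean and go to investigation; bob's twelve failures against a near-zero baseline cross the isolation threshold; mallory, who has no baseline at all, is investigated rather than ignored. What "isolate" does in practice (revoke sessions, disable the account, move the host to a quarantine VLAN) is the containment threshold the interdisciplinary committee in the text is meant to set.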

Function 5: Scale & Grow

Vacuoles increase in size, allowing the germinating plant or its organs (such as leaves) to grow very quickly while consuming mostly water. Similarly, your information security plan must consider scalability at every point. The temptation to shut down systems in the face of potential threats is always there; the more difficult question is how to grow decentralized control that is embedded, at a cellular level, within your design.

In Conclusion

Information Security will increasingly be a competency required of everyone in an organization. When designing the future of security systems, enterprises can look to no better guide than cellular biology to help shape a posture of adaptive resilience.