In an era when cybersecurity threats are more frequent and severe, Jeff Crume, PhD, an IBM Distinguished Engineer and CTO of IBM Security Sales, discusses the crucial principles underlying effective cybersecurity.
The Obstacle Course
"Cybersecurity needs a layered approach," he explains, underscoring the concept of "defense in depth." This principle, he notes, is about building multiple layers of protection around an asset, much like an ancient castle surrounded by walls, a moat, and other defensive measures. "You’re creating an obstacle course for the attacker," he says. "There’s no single security mechanism to protect a system; instead, a series of controls like multifactor authentication (MFA), firewalls, and endpoint security work together to ensure security."
One key element in defense in depth, he explains, is multifactor authentication. This ensures that users provide additional verification beyond a password, such as a security code sent to a device. "MFA is just one example," he adds. "Organizations can also add tools like endpoint detection and response software (EDR) to verify a device’s security status, ensuring it’s updated and compliant with security protocols." For him, defense in depth is about preparing for the worst. "If one control fails, others are in place to keep things secure."
The Principle of Least Privilege
He further highlights the "principle of least privilege," which grants users only the minimum access required to perform their jobs. "Only those who need access should have it, and only for as long as they need it," he says. "The idea is to remove unnecessary privileges, which reduces potential attack vectors." He illustrates this by describing how a web server, for instance, should only run essential services. "Turn off anything you’re not using," he advises. "Every service that’s enabled expands your attack surface."
He warns of "privilege creep," where users accumulate excess privileges over time as they change roles within an organization. "This is the opposite of least privilege," he remarks. "It’s a common problem, but it’s manageable with regular access reviews, where we check that every permission has a clear justification."
Separation of Duties
Another foundational principle he discusses is "separation of duties," which involves dividing responsibilities among multiple users so that no single person can compromise a system. "It’s like having two locks on a door and giving each key to a different person," he explains. "One person can’t open the door alone; it requires collaboration, which reduces the chance of unauthorized access." In an IT setting, this might mean having one person request access and another approve it. "Separation of duties forces collusion among multiple actors to break the system, which is much harder to do," he says.
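As an added illustration (not code from the original article, IBM, or Crume), a small Python access-request model that enforces the request/approve split described above, grants access only for a fixed period as in the least-privilege section, and runs the kind of access review Crume recommends for catching privilege creep. The role table, user names, and permission names are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed role model (illustration only, not IBM's or Crume's code):
# the permissions each current job role justifies.
ROLE_PERMISSIONS = {"developer": {"repo.push", "ci.run"}, "dba": {"db.admin", "db.read"}}

@dataclass
class Grant:
    user: str
    permission: str
    requested_by: str
    approved_by: str
    expires: datetime  # time-bound: "only for as long as they need it"

class AccessControl:
    def __init__(self, roles):
        self.roles = roles  # user -> current job role
        self.grants = []

    def request(self, user, permission, requested_by, approved_by, now, ttl):
        # Separation of duties: whoever requests access cannot also approve it.
        if requested_by == approved_by:
            raise PermissionError("requester and approver must be different people")
        # Least privilege: grant only what the user's current role justifies.
        if permission not in ROLE_PERMISSIONS.get(self.roles.get(user), set()):
            raise PermissionError(f"{permission!r} is not justified by {user}'s role")
        self.grants.append(Grant(user, permission, requested_by, approved_by, now + ttl))

    def access_review(self, now):
        """Flag privilege creep: grants that expired or that the current role no longer justifies."""
        findings = []
        for g in self.grants:
            if now >= g.expires:
                findings.append((g.user, g.permission, "expired"))
            elif g.permission not in ROLE_PERMISSIONS.get(self.roles.get(g.user), set()):
                findings.append((g.user, g.permission, "no longer justified by role"))
        return findings

def creep_demo():
    """Alice gets two DBA grants, then moves to development; the next review flags both."""
    t0 = datetime(2024, 1, 1)
    ac = AccessControl({"alice": "dba"})
    ac.request("alice", "db.read", "alice", "bob", t0, timedelta(days=1))    # short-lived
    ac.request("alice", "db.admin", "alice", "bob", t0, timedelta(days=30))  # still valid
    ac.roles["alice"] = "developer"  # role change without removing the old grants
    return ac.access_review(t0 + timedelta(days=2))
```

Both checks in `request` run before a grant is recorded, so a self-approved request or one outside the user's role never enters the system, while the review catches grants that were legitimate when issued but have since become excess privilege.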
According to Crume, an effective cybersecurity architecture must also be "secure by design." This means building security measures into every stage of the project lifecycle, from planning to deployment. "You wouldn’t build a skyscraper in an earthquake zone without designing for earthquakes," he points out. "The same goes for IT. Security can’t just be a patch you add at the end." In his view, secure systems are designed with security considerations embedded from the outset, so that they are better able to withstand the vulnerabilities that inevitably appear.
K.I.S.S.
His fifth principle, "Keep It Simple, Stupid" (KISS), encourages simplifying security processes to avoid errors and user frustration. "Complexity is the enemy of security," he believes. "If you make the system too complex, users find ways around it." He explains that overcomplicating security protocols—like creating overly complex password rules—can often lead users to unsafe shortcuts, such as writing down passwords or reusing them across accounts. "You want a security system that’s simple enough for users to comply with easily, but tough enough to block bad actors."
However, he stresses that one principle is best avoided entirely: "security by obscurity." This approach relies on hiding system details, hoping that attackers won’t find weak points. "[Relying on secrecy alone] is not a reliable security strategy," he states. "It’s about creating glass-box security, not black-box security." In secure systems, everything but the key is public knowledge, as seen in reliable encryption methods like AES and RSA, where the algorithms are known, and only the key remains secret. "A robust system should stand strong even if every detail about it is public, except for the key," he asserts. "[When you hear claims of a ‘proprietary, unbreakable system’], it’s a red flag—run away."
In his view, cybersecurity’s complexity means it requires ongoing vigilance, skill, and a balance between security and usability. "[Each of these principles] plays a role in creating a resilient cybersecurity framework," he emphasizes. "[When implemented together], they make a system harder for attackers to compromise while ensuring legitimate users can perform their work safely." His expertise suggests that these foundational principles provide not only a practical defense strategy but also a mindset for navigating the evolving world of cybersecurity threats.
Jeff's goal is clear: "Security is about being prepared, adaptable, and proactive." And as more organizations adopt these principles, he believes they’ll be better equipped to defend against increasingly sophisticated cyber threats. Link to the full video: Cybersecurity Architecture: Five Principles to Follow (and One to Avoid)