The Stoic’s Guide to Cloud Security

“It is in times of security that the spirit should be preparing itself for difficult times; while fortune is bestowing favors on it is then is the time for it to be strengthened against her rebuffs.”
– Seneca

The Stoics were a school of thinkers in ancient Greece who developed a philosophy of personal ethics based on logic and integration with the laws of the natural world. It has become fashionable today to invoke the spirit of the Stoics for everything from product development strategies to long distance swimming because their advice was irreverent, yet sensible, and using it has helped athletes, world leaders, and business people perform better. It can even help those responsible for cloud environments to create and stick to a strategy for long term security.

In an effort to create an admirable and successful life path, the Stoics recommended using negative visualization and practicing misfortune. The idea is to create an experience and get your head around being in a worst case scenario. Visualizing that will ideally spur you to take steps to avoid that as an actual fate. It’s not a bad way to go because it enables you to try on failure without actually having to experience the repercussions of failure. In fact, it’s better because by working to avoid that failure, you can drive yourself in the opposite direction.

So how do we use the lessons from the Stoics, move past inertia, and get started on our path towards a more secure cloud environment? I started thinking about this in the context of GDPR. Those who are not in compliance with the standard by the May 25 deadline are liable to be fined the greater of either 20 million Euros or 4% of global annual revenue. Yet, preparing for GDPR is complicated in light of it’s fuzzy language. Some are choosing to take a wait-and-see approach, which will likely not end well. What would a Stoic do? He’d visualize having to go to his manager to explain why the company has to fork over 20 million Euros, and then consider the vitriol that will spew forth and the ensuing stress that will work its way up the chain of command, eventually to a board of directors meeting and his potential firing. Get that feeling in your gut and you will probably want to think backwards about how to avoid that fate.

That’s just GDPR. Think about your overall security and compliance posture. Consider being out of compliance with NIST – are you prepared to have your government contracts nullified? Or imagine not having comprehensive and continuous security automation, and think about what it must have been like when Equifax discovered their breach and had to watch $6 billion in market value evaporate within a week. Creating some control over all of this and using best practices to avoid a terrible outcome is dependent upon using this kind of Stoic negative visualization to avoid a bad situation.

The Stoic philosopher Seneca said, “Ignorance is the cause of fear,” but ignorance can no longer be an excuse. Over the past year, we’ve seen malware and ransomware top the list of offending hacks to major organizations. But there still exists a vibrant market for attacks with bots, DDoS, phishing, and even easier to discover issues like when an employee inadvertently neglects to secure an S3 bucket or leaves API keys in a public GitLab account. You have an advantage though, and that’s that you know these are possibilities, and you know how these kinds of attacks penetrate an organization’s environment.

Seneca also said, “Difficulties strengthen the mind, as labor does the body.” Therein is a core tenant of Stoic philosophy, but as part of a security team, you probably want to avoid actual difficulties. So it will help to consider the different types of potential issues and then work backwards to apply security automation along with rigorous cloud security best practices to strengthen your overall security posture. You can’t control the future, but you can make every effort to control your cloud environment.