In case you didn't know, October is Cyber Security Awareness Month, a time for us to encourage important conversations about cybersecurity and promote online safety for everyone. If you're not already working in this field, it can be a daunting subject. While headlines often focus on hackers and cyber warfare, there are many security concepts that we all should know, because they truly impact us all. Because of this, I wanted to find a way to make cybersecurity feel more approachable and relatable to a wider audience.

Another notable event to take place this October happens to be the release of Taylor Swift's new album, The Life of a Showgirl. A wide demographic of people across the world are Taylor Swift fans, but from my perspective, there isn't a large overlap of Taylor Swift fans and security professionals. So, I have challenged myself to find a way to relate six songs on her new album to cybersecurity concepts, specifically the security of cloud platforms, because that happens to be where I focus most of my time and energy.

This is for the Swifties who are new to the world of cyber or information security, and maybe even for the security professionals who want to better understand the lore of Taylor Swift songs.

The Fate of Ophelia

"The Fate of Ophelia" is a song based on the story of a character, Ophelia, in William Shakespeare's Hamlet. In this story, Ophelia is mistreated and ultimately rejected by her love interest, Hamlet. This rejection and emotional distress caused by Hamlet and other related circumstances lead to her falling into madness and suffering a tragic death. Swift relates this story to her own life, saying that she was nearing a similar fate to Ophelia but was pulled out of her own cycle of failure in love by her current fiancé, a certain football star, therefore avoiding the fate of Ophelia.

While there may not be any grand stories of love and football stars within the world of cybersecurity, we can tie this back to a security concept that will similarly save companies from a devastating fate: incident response (IR). IR is a preparedness plan, built on the idea that companies should identify potential threats and establish a response process to limit the damage an incident could cause. The IR lifecycle includes four phases:

  1. Preparation
  2. Detection and Analysis
  3. Containment, Eradication, Recovery
  4. Post-Incident Analysis

The overarching idea is that companies should always have a plan and be prepared for the worst so that when an incident occurs, they can quickly jump into action, analyze the threat, contain the incident and recover from any damage. They then dissect these events and use what they learned to continuously improve their IR plan. In short, IR can save a company from the fate of Ophelia.

Father Figure

"Father Figure" looks back on a time in Swift's life when she faced betrayal by someone she once trusted. It is believed that this song is referring to a well-known incident in her life in which her record label sold her masters (the original recordings of her music) without her consent. This resulted in her losing ownership and control over how her music is released and monetized. Overall, the theme of this song revolves around power dynamics in a professional relationship and highlights how much can go wrong without a strong, undeniable trust between the parties involved.

When managing traditional, on-premises technology infrastructure, you have complete control. Every piece of hardware and software belongs to you, which means the responsibility of securing that infrastructure is solely your responsibility. When it comes to cloud computing, this changes quite a bit. In the cloud, customers access compute, storage and network technologies entirely over the internet. The cloud provider has control of the underlying infrastructure and, by extension, the security measures that protect those technologies.

The Shared Responsibility Model is a very important framework that divides which aspects of the technology stack are secured by the provider and which remain the customer's responsibility. Below is an example that shows how these responsibilities may be divided.

https://www.cisecurity.org/insights/blog/shared-responsibility-cloud-security-what-you-need-to-know

How does this relate to Taylor Swift? Much like her experience with her record label, cloud providers possess significant power in their professional relationships with customers. When you use their technology, it is important to understand the security controls they have in place. As an example, you inherit the compliance standards of your cloud provider, meaning that if your provider fails to meet the industry regulations your company is subject to, your company also falls out of compliance. Cloud providers operate under strict regulations and are motivated to maintain strong security controls, so using cloud platforms does not automatically put your data at risk. However, there are many important factors to consider before migrating to the cloud. The Shared Responsibility Model offers a helpful map for dividing roles between customer and provider, but it is crucial to remember that the customer ultimately holds responsibility for everything they deploy. After all, it is the customer's data and reputation at stake if those security controls were to fail.

Wi$h Li$t

"Wi$h Li$t" is a song that runs through major life goals that people tend to have. Every person has a dream, whether that is to live a luxurious life with a yacht, to become a professional athlete or to move off the grid and live out of a van down by the river. Swift is a prime example of someone who has not only achieved her dreams but has continuously surpassed any expectations of where that dream would lead her. In this song, though, she begins to share a different dream, one in which she lives an easier life in the suburbs with her family. It just goes to show that no matter what we have achieved in our lives, there is always going to be something more that we are reaching towards.

As we think of this in the context of security, there is one concept that security professionals dream of achieving, and it happens to be a goal that always seems out of reach. That concept is zero trust. Zero trust is the idea that no user or device should be implicitly trusted by a network. Every action, whether a user is entering the network or already operating inside it, must be verified before access is granted. Zero trust is an ideology that cannot be fully achieved in a literal sense, because its core nature, never trusting anyone or anything, does not allow business operations to run smoothly. However, zero trust principles and tangible controls can be successfully applied to promote important ideas while still operating in a way that allows business to be conducted. If you are interested in learning more about what zero trust is or is not, take a moment to read Zero Trust: Fact or Fiction?
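To make the difference concrete, here is an added example (not from the original post) contrasting a perimeter-style access decision with a zero trust one. The users, resource names and policy table are constructed for illustration; the point is that the zero trust check verifies identity, device health and authorization on every request and never lets "already inside the network" stand in for verification.

```python
from dataclasses import dataclass

@dataclass
class Request:
    user: str
    mfa_verified: bool       # identity proven for this session?
    device_compliant: bool   # endpoint passed posture checks?
    source: str              # "internal" (corporate LAN) or "internet"
    resource: str
    action: str

# Constructed policy table: (user, resource, action) tuples that are permitted.
POLICY = {
    ("alice", "billing-db", "read"),
    ("alice", "billing-db", "write"),
    ("bob", "billing-db", "read"),
}

def is_authorized(req: Request) -> bool:
    """Least-privilege lookup: is this exact action on this resource allowed?"""
    return (req.user, req.resource, req.action) in POLICY

def perimeter_decision(req: Request) -> str:
    """Perimeter model: traffic already inside the network is implicitly trusted,
    so verification only happens at the edge."""
    if req.source == "internal":
        return "allow"
    if req.mfa_verified and is_authorized(req):
        return "allow"
    return "deny: untrusted external request"

def zero_trust_decision(req: Request) -> str:
    """Zero trust model: every request is verified the same way regardless of
    where it comes from; network location is deliberately not consulted."""
    if not req.mfa_verified:
        return "deny: identity not verified"
    if not req.device_compliant:
        return "deny: device not compliant"
    if not is_authorized(req):
        return "deny: not authorized for this action"
    return "allow"

if __name__ == "__main__":
    # A request from inside the LAN with no MFA and a non-compliant laptop:
    inside = Request("bob", False, False, "internal", "billing-db", "write")
    print("perimeter :", perimeter_decision(inside))    # allow
    print("zero trust:", zero_trust_decision(inside))   # deny: identity not verified
```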

CANCELLED!

Now this could go in two different directions. "Cancelled" is a pop culture term that is used to describe a public figure being discredited, shamed, and expelled from the good graces of the public because they were involved in some scandal that was deemed unforgivable by people on the internet. My initial thought was to relate this term to the loss of reputation that a company would experience if it were to be breached. Customers would instantly trust the company less if it were responsible for the loss of their personal data.

Swift's song, "CANCELLED!", takes a little bit of a different approach. Swift explains that she likes it when her friends have been "cancelled" because they better understand the ups and downs of experiencing that public shame and will be more likely to be empathetic because of it. This would be like saying that a company that has been breached would be more likely to understand the overall impact of what might happen and therefore would be better prepared. I believe we can get there without having to experience the worst-case scenario, and so does the security world with the concept of "assume breach". This concept means that security teams should always assume the worst-case scenario will happen, and act in a way that will allow them to prevent as much as possible, but then quickly detect, respond and adapt.

Honey

"Honey" shows how words can change meaning over time, based on context. In Swift's experience, words such as honey and sweetheart have often been used towards her in a passive-aggressive or cruel way, leading to those previously endearing words taking on a different meaning in her mind. But this was flipped again when her fiancé started using these pet names in a loving manner.

From the overall theme, we know that words can be redefined based on the context of the situation. One word that I've seen in many contexts in the security world is "agent". An agent is software installed on an endpoint, such as a laptop, server or virtual machine, for security purposes. What was once a good thing quickly became a nuisance because agents can impact the speed and responsiveness of these endpoints, most notably when multiple agents are installed on the same machine (which is typically the case). This is even more of an issue when considering cloud workloads, which are specifically designed to enhance speed, scale and agility.

So "agent" became our version of "honey" in a sense. While agents are not going to be completely eliminated just yet, there are some alternatives that may lighten the burden, such as agentless scanning of cloud workloads. There are also cloud-friendly runtime agents built on eBPF (extended Berkeley Packet Filter, a Linux kernel technology). An eBPF-based agent is a lightweight, non-invasive version of an agent that can be installed on Linux-based systems. This option is well regarded for cloud resources because it does not place as much of a burden on the workload as a typical user-space agent would. In conclusion, there is hope.

The Life of a Showgirl

The final song on the album is the title track, "The Life of a Showgirl." In this song, Swift explores the life of a fictional character who happens to be a showgirl. The main character is approached by a younger girl who is interested in the business. Throughout the song, the message the main character is giving to the young hopeful is that what you see is not what you get; the real life behind the glamorous image seen on stage is often undesirable.

This is often true for any profession; the background work is always going to be hidden behind the end product, no matter how much effort was put in to get to that point. For example, as security professionals, we are tasked with protecting our company from security breaches by implementing stringent controls. However, these controls can negatively impact the overall user experience and the efficiency of business processes, which the business will not accept. Because of this, security teams can be labeled as "blockers" for requiring employees to slow down and prioritize security over immediate efficiency.

Conclusion

In the end, we've learned that Taylor Swift songs and cybersecurity concepts actually do have a little bit in common. Not because they have any tangible similarities, but because both have broad, overall themes that speak to common human experiences. Cybersecurity has many important concepts that everyone should understand, even if we only apply them in our personal technology use, but sometimes we just need to hear them in a different way for them to resonate.