How leaders can reduce risk by shutting down security theater
Taylor Lehmann
Director, Office of the CISO, Google Cloud
Seth Rosenblatt
Security Editor, Google Cloud
Security theater in the cloud is a problem. Here's how you can help stop it.
Passwords and swabbing your skin with an antiseptic before an injection have a lot in common. We believe each is enough on its own to protect us from harm, whether that harm is an infection or a cybercriminal accessing our data. Yet medical research tells us that infections at unswabbed injection sites are rare, and cybersecurity experts know that placing trust solely in passwords for identity authentication will fail.
Passwords that are the single factor of identity authentication have been known to be weak and easy to crack for decades. Importantly, they’re pervasive in organizations that have been compromised.
“The most common vector used to compromise any network, including cloud instances, is to take over an account’s credentials directly: either because there is no password, as with some default configurations, or because a credential has been leaked or recycled or is generally so weak as to be guessable,” concluded our Threat Horizons Report published in April.
Google Cloud researchers found that 41% of the 2022 compromises they reviewed were attributable to weak passwords. Mandiant researchers came to the same conclusion in their M-Trends 2023 report. In their study of cybersecurity incident investigations performed in 2022, they found that passwords repeatedly failed to protect organizations and their data.
“Adversaries leveraged stolen credentials more often in 2022 than 2021 in investigations where the initial infection vector was identified, at 14% and 9% respectively,” they wrote. “In many cases, investigations identified that credentials were likely stolen outside of the organization’s environment and then used against the organization, potentially due to reused passwords or use of personal accounts on corporate devices.”
All told, relying solely on passwords as a form of identity authentication is an egregious form of security theater because it is so commonplace and so notoriously bad for security. Security theater refers to "security measures that make people feel more secure without doing anything to actually improve their security." When we execute security measures that are theatrical rather than practical, we can do more harm than good.
How to detect security theater in your organization
Security teams might feel great saying that they completed a remote, inquiry-based vendor audit, or increased minimum password length from six characters to seven characters, but great feelings don’t result in more effective security — or less risk.
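To make the six-to-seven-character point concrete, here is an added example (not code from the original article or from Google Cloud) that does two things the article's password discussion implies: it computes how little a one-character increase in minimum length buys against offline brute force, and it checks a candidate password against a breach corpus using the hashed-prefix lookup pattern that the Have I Been Pwned range API popularized, showing that a leaked or default credential sails through any length policy. The breach list is a constructed five-entry stand-in for a real corpus, and the guess rate is an assumed order-of-magnitude figure for an unsalted fast hash on GPU hardware, not a measurement.

```python
"""Why raising a password minimum from 6 to 7 characters is theater.

Added example, not from the original article. The "leaked" set below is a
constructed stand-in for a real breach corpus; GUESSES_PER_SECOND is an
assumed order-of-magnitude figure, not a measured cracking rate.
"""
import hashlib

# Constructed sample of leaked passwords, stored as uppercase SHA-1 hex digests
# the way breach corpora are commonly distributed. Real sets are far larger.
LEAKED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password", "123456", "qwerty12", "Summer2022!", "admin")
}

# Empty and vendor-default credentials: the "no password" case from the report.
DEFAULT_CREDENTIALS = {"", "admin", "password", "changeme"}

# Assumed offline guess rate against a fast unsalted hash (illustrative only).
GUESSES_PER_SECOND = 1e10


def charset_size(pw: str) -> int:
    """Size of the alphabet an attacker must cover, given the classes present."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += 33  # printable ASCII punctuation
    return size


def brute_force_seconds(pw: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to exhaust the keyspace implied by pw's length and classes."""
    return charset_size(pw) ** len(pw) / rate


def policy_gain(old_min: int, new_min: int, charset: int = 26) -> float:
    """Factor by which worst-case brute-force time grows when the minimum is raised.

    Uses a lowercase-only alphabet by default, the floor most users actually hit.
    """
    return charset ** (new_min - old_min)


def is_leaked(pw: str) -> bool:
    """Hashed-prefix (k-anonymity) lookup against the breach set.

    Only the first five hex characters of the SHA-1 digest would leave the
    client in the real range-API pattern; the server returns every suffix under
    that prefix and the final match happens locally. Here the "server" is the
    in-memory set above.
    """
    digest = hashlib.sha1(pw.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    suffixes_under_prefix = {h[5:] for h in LEAKED_SHA1 if h.startswith(prefix)}
    return suffix in suffixes_under_prefix


def assess(pw: str, min_len: int) -> dict:
    """Return the length-policy verdict alongside the findings that policy ignores."""
    return {
        "passes_length_policy": len(pw) >= min_len,
        "default_or_empty": pw in DEFAULT_CREDENTIALS,
        "leaked": is_leaked(pw),
        "brute_force_hours": brute_force_seconds(pw) / 3600,
    }


if __name__ == "__main__":
    print(f"6 -> 7 char minimum multiplies worst-case cracking time by {policy_gain(6, 7)}x")
    for candidate in ("abcdefg", "Summer2022!", "admin"):
        print(candidate, assess(candidate, min_len=7))
```

Running it shows the shape of the problem: a seven-character lowercase password that satisfies the new policy still falls to exhaustive search in under a second at the assumed rate, and "Summer2022!" satisfies a much stricter length rule while being in the leaked set, which is exactly the "leaked or recycled" credential the Threat Horizons quote describes. A control that changes neither outcome is the kind of control the rest of this article calls theater.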
Too often, organizations don’t use their digital transformations and cloud migrations as opportunities to ditch security theater. Worse, some people’s roles and livelihoods come to depend on perpetuating a false sense of security.
To stretch our theatrical metaphor a bit, getting up on stage and “doing” practical security, not just pantomiming security theater, can take a bit of courage. Many reasons for engaging in security theater lack logical justification. Just because many organizations are engaging in security theater doesn’t mean your organization should.
Likewise, fearing the reaction of stakeholders is a poor reason to take part in security theater, as is reluctance to retire a security activity or tool that’s known to be weak, or to walk away from the toil of compliance exercises that don’t actually reduce your organization’s risk exposure.
Security theater is often accompanied by a side-stage performance of waste and toil. Think of security questionnaires used in many third-party security assessment programs: They take hours to design, hours to administer, and hours to respond to. They amount to digital paperwork pushed back and forth across email accounts and spreadsheets, with little value to show for all the effort — if any at all. How is either party more secure at the end?
The good news about security theater is that it is pretty obvious once you start looking for it. A good litmus test you can apply when investigating whether a security control actually creates value is to ask the following five questions. A “no” to the first, or a “yes” to any of the others, is a warning sign:
Can you easily prove the control actually mitigates a relevant threat that you care about?
Can you easily bypass the control with low effort and low likelihood of the bypass getting caught?
Does the control require perfect human performance to work?
Is the control considered effective only because you believe an adversary will fail to notice a weakness?
Do you find yourself recursively justifying the control by saying, “We do it because it’s a compliance requirement!”?
Many compliance programs exist to establish a baseline level that security should never fall below, but stating a control exists only for compliance purposes usually means the organization isn’t addressing why the requirement exists. These are situations that should be evaluated closely. Additionally, doing something purely for the sake of compliance without an adjacent customer, commercial, or resilience benefit is exactly the kind of security theater that can increase your organization’s risk.
Security theater thrives in the absence of evidence. Controls should provide value and measurably reduce risk. (One way to do that is with a red team.) Think about adding these questions to your next risk and control assessment or audit, and you’ll be on your way towards reducing security risks — and reducing security theater.
Embracing practical security, security theater’s opposite
We can avoid security theater in the password space with tools like two-factor authentication, in particular phishing-resistant factors such as a hardware security key like Google’s Titan key, and passkeys, a “passwordless” alternative that’s gaining popularity.
Similar to passwords, porting legacy security controls and systems into the cloud instead of building them fresh there is a hot ticket to more security theater. Cloud security experts have for years advised organizations not to stop their security transformations at “lift and shift,” in large part because the effort involved creates the feeling of having secured cloud data and systems without actually making those systems more secure or reducing risk. An insecure server in an on-premises data center is just as insecure in the cloud if the same basic steps aren’t taken to protect it.
In fact, “lift and shift” is a great way to increase the risks you face from today’s threats because it often leads to increased costs, stagnant user experiences, and time-consuming, mandated reporting. Legacy systems ported to the cloud are notorious for becoming data roadblocks and for making it harder to achieve compliance with regulatory requirements, since many of those systems were designed before current regulations came into effect. Security improves as systems are refactored to take advantage of cloud-first services, such as serverless platforms, where the provider handles much of the underlying infrastructure security for you.
Graduating to more effective security
The good news about security theater, and the enhanced risk that often accompanies it, is that in some ways it is being engineered into the tech equivalent of an off-off-off-Broadway venue: the more organizations invest in modern, cloud-first and cloud-focused security, the more we’re able to shut down cloud security theater.
We can see this happening with the current era of IT modernization. Organizations undergoing their digital transformations are upgrading their technology to cloud-first services that are secure by design and by default, and have security built in at a foundational level.
As organizations turn to technologies that rely on cloud-based, software-defined infrastructure, they’re tapping into constant security updates and the wider cloud security ecosystem. Adopting systems that have been purpose-built with stronger security at the foundational level, the same approach that we at Google have been prioritizing for decades, means that we may yet see practical security’s star rise, and theatrical security fall out of the limelight.