The Wall!

#TIL that the iconic image of the album cover for the famous album The Wall was not actually the original cover. In fact, the text “Pink Floyd The Wall” was a black or red sticker added on top of the plain album cover.

Just for fun, I had a quick look at how different sites rank the album, and found the results quite interesting. According to Wikipedia, The Wall sold 18.7 million copies, while Chart Masters ranks it at 284 at about 1.9 billion streams. I found a number of other lists and rankings of top albums, but they all appear to be based on some type of voting. As an example, Rolling Stone ranks the album at 129 and is based on a list of “more than 300 artists, producers, critics, and music-industry figures”. Either way, it is clear that the album was influential, and is still recognizable more than 40 years later.

The Wall is a concept album (an idea I have previously discussed) which uses the metaphor of a wall to explore ideas around abandonment and isolation. It follows events in the life of a rock star called Pink, who was apparently based in part on Syd Barrett (a founding member of the band) and on band member Roger Waters. The name Pink appeared previously in the song Have a Cigar (from the 1975 album Wish You Were Here), in the words of a record producer pretending to be a fan of the band, but who then says “Oh by the way, which one’s Pink?”

There have been endless discussions about the meaning of the album, the motivations behind it, and the degree to which it reflects the writer’s personal experiences and attitudes. I would highly recommend this as one album that needs to be listened to in its entirety, as the context of the album (and the subsequent movie) is essential to understanding it.

One of the major themes of the album is the danger of building walls to hide behind, and the fascist themes later in the album are an illustration of Pink’s descent into madness. The fact that some groups have actually taken these themes in an unironic way is astonishing in one way, but entirely predictable in another. (I found a fascinating site which discusses many of these themes in great detail, song by song.)

In this current day and age, someone might say, for example, that “walls don’t work” as a shorthand for “walls, in isolation, are not the most effective means of addressing illegal immigration”. The (sadly) predictable response is likely to be something along the lines of “of course they work – if there’s a wall there, people can’t simply walk through”, an obvious strawman.

Without going down the rabbit-hole of discussions around the effectiveness of walls and a comparison with other available options, it is useful to mention the example of the Maginot Line. This was a line of fortifications built in the 1930s as a deterrent to invasion by Germany.

In fact, the fortifications were quite formidable, but there were two major problems with them. First, the most highly fortified section was the shared border with Germany, which left the parts of France which bordered Belgium and Luxembourg relatively lightly fortified. And second, the Maginot Line was very well suited to the trench warfare of World War I, rather than the Blitzkrieg (“Lightning War”) strategy adopted by the Germans in World War II.

In practice, the German army simply went around the fortifications.

Now, let’s put this into the context of modern InfoSec, shall we?

In the past, security often followed a “layered” approach, where the focus was on the “outer” defences, and internal traffic was considered “trusted” to some degree. The various defences depended on the value of the assets protected, and an attacker would (at least in theory) need to penetrate multiple independent “layers” of protection in order to access vital systems.

This approach had value when access to a network could be restricted with comparative ease. If the only way to access a network was to use a dedicated workstation within a secure office, any access from such a workstation could be presumed to be “trusted” (at least in theory).

Unfortunately, those days are long gone. Networks can (and do) include physical, virtual, and cloud servers, and are accessible from anywhere, through an endless variety of devices. If your security is based entirely on traditional layers of security from “outside/untrusted” to “inside/trusted”, anyone penetrating your “inner” network will be able to access everything. And with so many attack vectors, it is inevitable that something will be compromised at some point.

Nowadays, we hear a lot about “zero trust” as if it is some new and magical invention that will solve all our problems. It’s really not. The term was coined in 1994, but didn’t really become popular until Google implemented their zero-trust architecture “BeyondCorp” in 2009. Since then, the concept has gained traction, and most InfoSec professionals encounter the term constantly.

Zero trust is simply an approach to security which acknowledges the fact that computer systems are extremely complex, and security must be flexible in order to be effective. The basic concept is “never trust, always verify”, which dramatically reduces the risk associated with traditional perimeter-based strategies. Conceptually, it’s more an evolutionary development of existing concepts like “least privilege”, “layered defence”, and “segmentation” than a truly new entity.

That doesn’t make it easy, of course, and the implementation requires a significant change in mind-set which is taking years to spread. In 2020, US NIST (National Institute of Standards and Technology) published Zero Trust Architecture (NIST Special Publication 800-207), which describes several principles of zero trust:

“Zero trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location (i.e., local area networks versus the internet) or based on asset ownership (enterprise or personally owned). Authentication and authorization (both subject and device) are discrete functions performed before a session to an enterprise resource is established. Zero trust is a response to enterprise network trends that include remote users, bring your own device (BYOD), and cloud-based assets that are not located within an enterprise-owned network boundary. Zero trust focuses on protecting resources (assets, services, workflows, network accounts, etc.), not network segments, as the network location is no longer seen as the prime component to the security posture of the resource.”

So, zero trust requires a granular approach to security and least-privilege that is not dependent on defining “levels” or “tiers” of access.
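To make the contrast between the "trusted inner network" model above and the "never trust, always verify" model concrete, here is an added example (my own illustration, not code from the post or from NIST): a perimeter check that trusts anything from an internal address range, beside a zero-trust check that verifies identity and device posture on every request and then evaluates a per-resource, least-privilege policy. The internal range, the policy table, the roles and the two scenario requests are all constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed internal range for the perimeter model (constructed, not from the post).
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")


@dataclass
class Request:
    src_ip: str
    user: Optional[str]       # verified identity, or None if no valid credential
    device_compliant: bool    # device posture check passed (managed, patched, ...)
    resource: str
    action: str


def perimeter_allows(req: Request) -> bool:
    """Perimeter model: once you are 'inside', you are trusted wholesale."""
    return ipaddress.ip_address(req.src_ip) in INTERNAL_NET


# Per-resource, least-privilege policy: which roles may perform which action.
# Constructed policy table and role assignments.
POLICY = {
    ("payroll-db", "read"): {"finance-analyst", "payroll-admin"},
    ("payroll-db", "write"): {"payroll-admin"},
    ("wiki", "read"): {"finance-analyst", "payroll-admin", "engineer"},
}
ROLES = {"alice": "finance-analyst", "bob": "engineer"}


def zero_trust_allows(req: Request) -> bool:
    """Zero trust: subject and device are verified for every request, and
    authorization is decided per resource. Network location plays no part."""
    if req.user is None:              # no verified identity -> deny
        return False
    if not req.device_compliant:      # device posture is its own gate
        return False
    role = ROLES.get(req.user)
    return role in POLICY.get((req.resource, req.action), set())


def compare(req: Request) -> Tuple[bool, bool]:
    """Returns (perimeter decision, zero-trust decision) for the same request."""
    return perimeter_allows(req), zero_trust_allows(req)


# Constructed scenarios: a foothold on the inner network with no valid credential
# and a non-compliant device, versus a legitimate analyst connecting remotely.
INSIDER_FOOTHOLD = Request("10.1.2.3", None, False, "payroll-db", "read")
REMOTE_ANALYST = Request("203.0.113.7", "alice", True, "payroll-db", "read")
```

Under the perimeter model the foothold is allowed and the remote analyst is blocked; under zero trust the decisions are reversed, because the resource policy, not the network segment, is what is enforced.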

Or, put a bit differently, walls don’t work.
