A Delusive Sense of Security in Walled Gardens

Walled gardens provide a controlled environment that allows people to perform the applicable tasks while being fully or partially isolated from others. The services initially provided by America Online (AOL) formed the prototypical walled garden in the world of IT: AOL provided a worry-free interface for accessing content and interacting with other AOL users.

Walled garden environments are designed to make people comfortable, indirectly encouraging them to lower their guard. “It’s a crazy world out there, but in here, everything is orderly and safe,” is the unofficial mantra of walled gardens. However, the sense of security can be delusive.

Though the Internet is designed as an open network, its architecture encouraging collaboration and a free flow of information, it is filled with walled gardens. Though they might feel safe, they aren’t without risks:

  • Facebook is designed to motivate people to stay within its environment as much as possible as they exchange text messages, post pictures, share links, etc. When on Facebook, people are in the frame of mind that encourages spreading information and clicking on links. Scammers take advantage of this, designing malware that spreads on Facebook. The popular Profile Spy scam even mimics the Facebook interface when the victim is taken to a third-party website, in the hopes that the person will be more likely to reveal information to the scammer.
  • Mobile phones have historically provided a user experience that was tightly controlled by the carriers, which decided which apps could be installed and what they could do. The carriers are losing such control on smartphone platforms such as the iPhone and Android. Android has seen its share of trojan apps this year because that phone environment feels like a walled garden, but it really isn’t. Apple has been doing better in part because it applies more scrutiny when approving iOS apps, but it’s still limited in its ability to find malicious logic in well-crafted malicious apps.
  • Corporate networks typically implement various security controls to protect the organization’s IT infrastructure, applications and data. When employees access the Internet from the corporate network, they might feel protected and could act more recklessly than they would in a public environment such as an Internet cafe. Unfortunately, corporate security measures are far from perfect, and aren’t a substitute for vigilance during people’s computer interactions.

Another example of the risks in walled gardens comes from the physical, rather than the virtual, world. There is a scam in Florida hotels and resorts that involves distributing fake menu flyers to the guests. The guests call the phone number to order food and willingly provide the scammer with their credit card details. It’s not surprising that this scam works well in a place such as Disney World, which is the ultimate example of a walled garden that encourages people to lower their guard.

As we interact with people and data in walled gardens, let’s remember to remain vigilant despite the feeling of comfort created by the applications and services we have come to rely on. This might be a point worth including as part of the security awareness program, if you are in the position to influence the content that is incorporated into it.

Lenny Zeltser


About the Author

Lenny Zeltser develops products and programs that use security to achieve business results. He is the CISO at Axonius and Faculty Fellow at SANS Institute. Lenny has been leading efforts to establish resilient security practices and solve hard security problems for over two decades. A respected author and practitioner, he has been advancing tradecraft and contributing to the community. His insights build upon real-world experience, a Computer Science degree from the University of Pennsylvania, and an MBA degree from MIT Sloan.