The cybersecurity world is at a crossroads in its evolution. In the same way that concentric castles, with inner and outer walls, were built in response to advances in siege technology, a new approach is required for cybersecurity due to the evolving nature of today’s threats. This new approach should combine the existing tenets of “converged security” and “defense-in-depth” with the new tenets of “zero trust” and “adaptive perimeter”.
In recent years, traditional “perimeter-based” security models have been rendered less effective by two evolving forces: the increasing sophistication, frequency, and scale of cybercrime and the rapid adoption of new, disruptive IT technologies such as social, mobile and cloud. In addition, the next wave of emerging trends, such as the Internet of Things, wearables, and software defined networks are challenging and, in some cases, eroding the traditional perimeter model even further.
Perimeter-based strategies are now many years old and today’s cybercriminals can simply go straight to the end user, their devices and applications, to get their data. Taking just one example, the IoT opens up a whole new attack surface and set of vulnerabilities for hackers to exploit. Cyber risk scenarios include theft of sensitive data, introduction of malware, and ultimately “command and control”-style sabotage of connected, controllable devices. In addition, the threat intensity increases as IoT devices become more controllable and more autonomous.
CISO challenges & considerations
The net effect is that today’s market forces and challenges are forcing many organizations to re-think their policies for sensitive data protection and their overall cybersecurity response in terms of future investments and operations. The issue is so severe that Gartner predicts that, if things stay the same, “by 2020, enterprises and governments will fail to protect 75% of sensitive data, and will declassify and grant broad/public access to it”. Of course, some of this may be due to data that’s incorrectly classified in the first place, but you get the general point.
In addition, consumers are becoming increasingly concerned about identity theft and data breaches. The recent retail point of sale malware incident compromised over 70 million identities, and the biggest case of cyber fraud in the U.S., just last year, compromised 160 million credit cards with losses in excess of $300M. All in all, according to a sponsored survey by the Ponemon Group, the average annual cost of cybercrime per company has risen from $6.5M in 2010 to $11.6M in 2013.
In the latest Unisys Security Index, we found that nearly 60 percent of Americans surveyed say a security breach involving their personal or credit card data would make them less likely to do business at a bank or store they commonly use. (Disclosure: I am employed by Unisys.)
So, using the traditional castle analogy, what should you do to shore up your defenses if your castle walls are increasingly getting breached? What are the strategic choices? What kinds of new defenses and armaments are necessary?
To address this potential cybersecurity meltdown, CISOs are faced with three strategic options for how to proceed with their cybersecurity strategies: maintain current course and speed while hoping for the best, pile on more of the same defenses, or change the paradigm with the addition of some totally new defenses. The third option appears to be the only logical alternative that addresses the challenge head-on and moves towards a new and improved security model.
So what types of new approaches are required on top of existing defenses? In addition to traditional “converged security” and “defense-in-depth”, organizations must assume that cyber-criminals will penetrate their perimeter and prepare to protect their critical assets in several additional ways: a “zero-trust” approach and an “adaptive perimeter” approach are two key aspects. Ultimately, it’s the combination of these approaches all working in unison, not necessarily one particular approach, that will yield the most benefit in terms of risk management.
Zero trust approach
The zero trust approach has been advocated for several years now and is an approach to protect valuable data and assets from the inside out. It’s basically a “trust no one” approach where you assume the traditional security perimeter will be breached, including all your “defense-in-depth” layers of security, and you need to protect what’s inside. Of course, this approach is also required for insider threats.
Some of the key requirements for a zero-trust approach include providing advanced data protection to all critical data assets, both at-rest and in-motion. This may involve encryption, data cloaking, data masking, and other forms of sensitive data protection such as secure communities of interest. Another requirement includes preventing lateral movement of malware within the IT environment.
Using the traditional castle analogy, what you’re doing is providing additional fortifications inside the castle walls as well as hiding your valuable assets with a security by obscurity approach so that only those with a need to know have access and visibility.
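As an added illustration of the “assume breach” argument above (example code written for this edit, not from the original article), the toy policy below contrasts a location-based perimeter check with a zero-trust check that demands identity, device posture, protected transport and need-to-know on every request. The networks, users and resources are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed: the address ranges the castle wall treats as "inside"
INTERNAL_NETS = ("10.", "192.168.")

@dataclass
class Request:
    src_ip: str
    user: Optional[str]      # None = no authenticated identity presented
    device_compliant: bool   # device posture check passed
    encrypted: bool          # data in motion is protected (e.g. TLS)
    resource: str
    action: str

# Constructed: data classification and need-to-know lists per asset
CLASSIFICATION = {"hr/payroll.db": "sensitive", "wiki/lunch-menu": "public"}
NEED_TO_KNOW = {"hr/payroll.db": {"alice"}, "wiki/lunch-menu": {"alice", "bob"}}

def perimeter_allows(req: Request) -> bool:
    """Traditional model: anything already inside the wall is trusted."""
    return req.src_ip.startswith(INTERNAL_NETS)

def zero_trust_allows(req: Request) -> bool:
    """Assume breach: network location grants nothing. Each request must
    prove identity, device posture, transport protection and need-to-know."""
    if req.user is None or not req.device_compliant:
        return False
    if req.resource not in CLASSIFICATION:
        return False                       # default deny for unknown assets
    if CLASSIFICATION[req.resource] == "sensitive" and not req.encrypted:
        return False                       # sensitive data must be protected in motion
    return req.user in NEED_TO_KNOW.get(req.resource, set())

def compare(req: Request) -> tuple:
    """Return (perimeter decision, zero-trust decision) for one request."""
    return perimeter_allows(req), zero_trust_allows(req)

# Constructed scenario: malware on a compromised internal workstation moving laterally
LATERAL = Request("10.0.5.23", None, False, False, "hr/payroll.db", "read")
# Constructed scenario: remote employee on a compliant device over an encrypted channel
REMOTE = Request("203.0.113.9", "alice", True, True, "hr/payroll.db", "read")

if __name__ == "__main__":
    for name, req in (("lateral movement", LATERAL), ("remote employee", REMOTE)):
        print(name, "-> perimeter/zero-trust:", compare(req))
```

The lateral-movement request passes the perimeter check but fails zero trust, while the remote employee is the reverse, which is the inversion the section argues for.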
Adaptive perimeter approach
There’s been much talk about adaptive point solutions such as identity and access management, but what’s really needed is a more holistic, adaptive perimeter approach to dynamically re-define and re-configure the perimeter around vulnerable new attack surfaces.
Some of the key requirements involve protecting “new” IT assets such as cloud infrastructure, mobile devices, and the Internet of Things (IoT). The goal is to reduce the attack surface to inhibit more sophisticated forms of cyber-attack. The secure communities of interest and application wrapping approaches are a couple of examples of how organizations can effectively protect these new assets.
Using the castle analogy, if the zero-trust approach is the new approach for protecting what’s inside the castle walls, the adaptive perimeter approach can be thought of as the new approach for protecting what’s on the outside of the castle walls. In essence, you’re building additional fortifications around your valuable assets that are currently undefended, or under-defended, on the outside.
Putting it all together
What’s needed is a totally new approach to cybersecurity that can enable the transformative benefits and use of new disruptive technologies without increasing the risk of sensitive data loss. This new approach should combine the existing tenets of “converged security” and “defense-in-depth” with the new tenets of “zero trust” and “adaptive perimeter”. To help unify this approach, a new cybersecurity framework and logical architecture is needed to secure the borderless enterprise.
An added advantage of an integrated approach to cybersecurity, combining these various tenets, is that you’ll be able to accelerate your path to digitization – meaning effective leverage of disruptive technologies to re-think and re-design your organization’s business models and processes. According to a report by the World Economic Forum, estimated delays in dealing with cybersecurity risks typically range anywhere from 2.6 months for social technologies, to 4.7 for mobile technologies, to 11.4 months for cloud. Getting a new, integrated approach in place will help you forge ahead with digital transformation initiatives, knowing that your assets are more secure.
As part of this new approach, it’s also important to re-evaluate the percentage of your IT security spend that’s going into each of these areas. Today, “80 percent of security spend is still going on firewalls, IDS and anti-virus solutions, despite only being effective against 30 percent of threats”.
Of course, the perimeter model is still a highly valuable asset in the security arsenal, and one of the primary defense strategies, much like a castle wall. Today, however, it needs to be complemented with approaches and tools that address the newer aspects of “zero trust” and “adaptive perimeter”. With these new defenses in place, your kingdom will be a lot safer in the years to come - both inside and out.
This article is published as part of the IDG Contributor Network.