Everyone is talking about digital transformation and the new normal of working from home, which has inarguably brought cybersecurity threats to a new level. With the boundaries of the network parameter all but disappearing, the risks of an attack are greater than ever. While remote workforces require considerable attention, it is equally important to remember that cyberattacks happen everywhere. In early January 2021, for example, one of the country’s largest wireless carriers was hacked when employees in its physical retail locations were scammed by individuals who brazenly downloaded software onto a store computer. After using employee credentials to gain access to the company’s customer relationship management system, a wide range of customer information was lifted, from PIN codes to credit card numbers.
Similar stories are becoming more commonplace, though hacking has been a major threat to enterprises and government agencies for decades. Few veterans of information technology will forget the notorious Mafiaboy hacks in 2000. With a series of distributed denial of service (DDoS) attacks, which bombard a site or application with so many requests that the server is unable to keep up, 15-year-old Michael Calce was able to shut down the websites of E*Trade, Dell, Amazon, CNN, and Yahoo. With everything heading toward digital, it’s not surprising to see this activity escalating, particularly as companies rush to accelerate time-to-value for customers and make their services more scalable and accessible. At the same time, the enterprise threat landscape has become increasingly dynamic, expansive, and fluid—making it harder for traditional security models and controls to defend against exploits.
Embedding Security By Design
While traditional approaches such as ring fencing will still be necessary, they are not enough for today’s enterprises. What’s central to prevention is embedding security by design. In other words, security must be integrated into software development, cloud infrastructure, and business systems holistically—starting first with a data strategy. No longer viewed as a byproduct of business processing, data is a critical asset that enables decision making. Therefore, a data strategy must do far more than address storage. It should start with identifying enterprise data assets, then establishing a common set of goals and objectives to ensure how it is safely stored, provisioned, processed, and governed—all of which are core to a zero-trust approach.
The zero-trust network, also known as the zero-trust architecture, was a model created in 2010 by Forrester Research analyst John Kindervag, who recognized that as data grows, so do the security threats for organizations across the board. Since then, the National Institutes of Standards and Technology (NIST) has developed a free cybersecurity framework that, similar to Kindervag’s model, helps organizations not only develop a shared understanding of cybersecurity risks but also reduce them with custom measures. Created in 2014 with input from private-sector and government experts, the framework (ratified as a NIST responsibility in the Cybersecurity Enhancement Act of 2014) was used by 30% of U.S. organizations in 2015 and was projected by Gartner to rise to 50% by 2020.
To make the most of this cybersecurity framework, it is recommended that organizations take a number of steps to classify data and know their core assets, align it with their regulatory requirements, enforce the principle of least privilege, define and layer controls to verify each point, and define how to observe incidents.
Whether it is a customer, partner, or employee, having the ability to identify end users in a way that is consistently reliable is one of the most fundamental controls for protecting an organization. Particularly for a growing company that is adding new users, this can become increasingly difficult to manage when compounded with the fact that most modern systems involve identities from multiple sources with different protocols, federated attributes, and identity mappings.
A Cloud-Specific Strategy
Since most data lives in the cloud now, it’s essential to have a cloud-specific data security strategy. This starts with data classification and takes into account all the elastic and agile access semantics. The next step is to take a careful look at an encryption strategy—at rest, in use, and in transit—and make sure it is understood how the keys are managed and refreshed. Last but not least, it is imperative to have a robust disaster recovery plan in place.
This cannot be overstated: The most effective cybersecurity strategy is one that is architected into an enterprise’s digital ecosystem and includes proactive (offensive security) and reactive (defensive security) measures.
Venturing into 2021 has been nothing short of perilous. But with a keen awareness of the threat landscape and a zero-trust architecture by design, organizations are less likely to become another statistic and far more likely to gain a competitive edge.