The cybersecurity world is at a crossroads in its evolution. In the same way that concentric castles, with inner and outer walls, were built in response to advances in siege technology, a new approach is required for cybersecurity due to the evolving nature of today’s threats. This new approach should combine the existing tenets of “converged security” and “defense-in-depth” with the new tenets of “zero trust” and “adaptive perimeter”.
In recent years, traditional “perimeter-based” security models have been rendered less effective by two evolving forces: the increasing sophistication, frequency, and scale of cybercrime, and the rapid adoption of new, disruptive IT technologies such as social, mobile and cloud. In addition, the next wave of emerging trends, such as the Internet of Things, wearables, and software-defined networks, is challenging and, in some cases, eroding the traditional perimeter model even further.
Perimeter-based strategies are now many years old, and today’s cybercriminals can simply go straight to the end user, their devices and applications, to get their data. Taking just one example, the IoT opens up a whole new attack surface and set of vulnerabilities for hackers to exploit. Cyber risk scenarios include theft of sensitive data, introduction of malware, and ultimately “command and control”-style sabotage of connected, controllable devices. In addition, the threat intensity increases as IoT devices become more controllable and more autonomous.
In the latest Unisys Security Index, we found that nearly 60 percent of Americans surveyed say a security breach involving their personal or credit card data would make them less likely to do business at a bank or store they commonly use. (Disclosure: I am employed by Unisys.)
So, using the traditional castle analogy, what should you do to shore up your defenses if your castle walls are increasingly getting breached? What are the strategic choices? What kinds of new defenses and armaments are necessary?
To address this potential cybersecurity melt-down, CISOs are faced with three strategic options in terms of how to proceed with their cybersecurity strategies: maintain current course and speed while hoping for the best, pile on more of the same defenses, or change the paradigm with the addition of some totally new defenses. The third option appears to be the only logical alternative to address the challenge head-on and move towards a new and improved security model.
So what types of new approaches are required on top of existing defenses? In addition to traditional “converged security” and “defense-in-depth”, organizations must assume that cyber-criminals will penetrate their perimeter and prepare to protect their critical assets in several additional ways: a “zero-trust” approach and an “adaptive perimeter” approach are two key aspects. Ultimately, it’s the combination of these approaches all working in unison, not necessarily one particular approach, that will yield the most benefit in terms of risk management.
Zero trust approach
The zero trust approach has been advocated for several years now and protects valuable data and assets from the inside out. It’s basically a “trust no-one” approach where you assume the traditional security perimeter will be breached, including all your “defense-in-depth” layers of security, and you need to protect what’s inside. Of course, this approach is also required for insider threats.
Some of the key requirements for a zero-trust approach include providing advanced data protection to all critical data assets, both at-rest and in-motion. This may involve encryption, data cloaking, data masking, and other forms of sensitive data protection such as secure communities of interest. Another requirement is preventing lateral movement of malware within the IT environment.
Using the traditional castle analogy, what you’re doing is providing additional fortifications inside the castle walls as well as hiding your valuable assets with a security by obscurity approach so that only those with a need to know have access and visibility.
Adaptive perimeter approach
There’s been much talk about adaptive point solutions such as identity and access management, but what’s really needed is a more holistic, adaptive perimeter approach to dynamically re-define and re-configure the perimeter around vulnerable new attack surfaces.
Some of the key requirements involve protecting “new” IT assets such as cloud infrastructure, mobile devices, and the Internet of Things (IoT). The goal is to reduce the attack surface to inhibit more sophisticated forms of cyber-attack. The secure communities of interest and application wrapping approaches are a couple of examples of how organizations can effectively protect these new assets.
Using the castle analogy, if the zero-trust approach is the new approach for protecting what’s inside the castle walls, the adaptive perimeter approach can be thought of as the new approach for protecting what’s on the outside of the castle walls. In essence, you’re building additional fortifications around your valuable assets that are currently undefended, or under-defended, on the outside.
Of course, the perimeter model is still a highly valuable asset in the security arsenal, and one of the primary defense strategies, much like a castle wall. Today, however, it needs to be complemented with approaches and tools that address the newer aspects of “zero trust” and “adaptive perimeter”. With these new defenses in place, your kingdom will be a lot safer in the years to come – both inside and out.
Nicholas D. Evans is the Chief Innovation Officer at WGI, a national design and professional services firm. He is the founder of Thinkers360, the world’s premier B2B thought leader and influencer marketplace as well as Innovators360.