Following the news that the US Department of Defence has suffered a data leak, Dan Panesar, VP EMEA at Certes Networks commented below.
Dan Panesar, VP EMEA at Certes Networks:
“The latest US Department of Defence ‘Red Disk’ data security leak is yet another indicator of how current cyber security thinking is entirely out of sync with the broader changes in IT that have taken place over the last 20 years. The explosion of IT systems, networks, users, Clouds and devices has caused the size of the typical enterprise’s attack surface to expand exponentially. Any user or device can be the weakest link and become the steppingstone to a major data breach.
Fundamentally, managing security can no longer be about managing devices, applications and networks. It must instead be focused on understanding and rethinking trust, or – more importantly – quickly understanding that trust of networks, users or infrastructure is no longer a viable option.
This is achieved by adopting a Zero Trust security posture, taking away the assumption that everything – and everyone – in the network can be trusted. Underpinned by role-based access control, which builds on existing policies for user access and identity management, it means an individual can only access the applications and data needed to carry out their role and minimises the risk of damage, should a user’s credentials become compromised. Moreover, when access is granted, the application traffic is protected by cryptography, which is the segmentation that prevents it from being accessed by the non-permitted users.
In addition to these better internal controls, though, the security industry as a whole must focus on making security easier to deploy and easier to manage. As this latest leak highlights, the typical security architecture is fragmented and splintered across IT silos, with different tools, different access policies, and different controls in the LAN, WAN, Internet, mobile network, Cloud, data centre and elsewhere. This means setting up and managing consistent, uniform security policies across all of these silos is extremely hard.
Until the security industry makes it easier for organisations to deploy a simpler, more consistent security architecture, the gaps left by fragmentation are going to remain the gateway for hackers to exploit.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.