Information Security Buzz

The Role Of Information Assurance In Managing Data Security

By Dan Panesar. February 25, 2019. Updated: December 30, 2021. 4 Mins Read

A new year is the time for lots of pledges of how things will be done differently: new targets to meet, processes to drive forward and the chance to make positive changes. 

It’s not surprising that the information and cyber security industries aren’t exempt from this, as it’s no secret that both industries faced more than a few challenges last year. First came the build-up and introduction of the General Data Protection Regulation (GDPR) in May 2018, putting severe fines in place for any future data breaches. Then there was the challenging political and economic climate, the scare of being the next victim of a high-profile data breach and the rise of new technology such as Artificial Intelligence (AI) and machine learning to contend with. All in all, it wasn’t an easy year. 

However, the volume of data breaches alone is not the shocking factor, and should no longer be the focus for any CISO looking to make a difference to their organisation’s cyber security strategy. The difference now is the size and scale of the data breaches and the nature of the sensitive and critical data stolen; hackers have moved on from email addresses to instead seek out passport numbers and CVV data from credit cards, and are able to spend far longer strolling around an organisation’s network without being detected. Take the Marriott International data breach from November 2018 as an example; hackers had been able to access the network for four years with no unusual activity detected or any alerts raised. It has since been revealed approximately 5.25 million unique unencrypted passport numbers were part of the vast volume of data stolen. 

Supporting IT evolution 

Networks can quickly become a web of users, devices and applications, all requiring different access controls and requirements to keep the data safe. In line with this, organisations have evolved beyond perimeter-only security models to increasingly lock down data, both at rest and in motion. A fundamental part of this is encryption, but to be effective, encryption must enhance, not constrain, IT evolution.

However, embedding cyber security solutions into an organisation’s network creates a number of challenges in itself: higher complexity, scalability becoming a real headache and key management and key rotation becoming almost impossible across large estates. What’s more, as organisations have layered technology on top of technology, the technology stack itself has become complex and huge amounts of resources and operational overhead are needed to manage it. In today’s digital world where flexibility and business agility should be at the top of the agenda, having an unresponsive security solution tied to the network is just not an option; it creates a static environment, uninviting of innovation and new technology. 

Introducing Information Assurance 

Encryption needs to be deployed as a function within an Information Assurance (IA) security overlay, on top of an organisation’s existing network and independent of the underlying transport infrastructure. This makes the network itself irrelevant, with emphasis instead placed on applications and IA posture.   

This approach also has economic and commercial benefits. Taking security intelligence out of the network allows it to focus on its core task: managing and forwarding traffic. With routers and switches no longer needing large security feature sets, organisations can save money and resource and invest this in a true IA security posture with data protection at its core. 

Additionally, introducing a software-defined approach to data security ensures the data is protected in its entirety, regardless of whatever network or transport it goes across. The approach enables a centralised orchestration of IA policy and centrally enforces capabilities such as software-defined application segmentation using cryptography, key management and rotation. Segmentation brings further benefits through its ability to block lateral movement once an attacker has breached the perimeter defences.

It’s no secret that key changes to security strategies throughout 2018 could have prevented or reduced the impact of numerous high-profile data breaches, and it all comes down to a change in mindset. Rather than thinking of network security, the emphasis instead needs to be placed on data security and IA, with security deployed as a network overlay. So, as the new year begins to get into full swing, now is the time to make changes and see what the benefits will be. 


The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
