Where to (and not to) focus your security efforts
Data centres were largely company owned, as were the servers, machines, and the software installed on them. We knew where everything was, who had access to our network, and we had pretty good control over access to applications and data. After all, it was all visible. The environment was reasonably contained and simpler to control. The threat landscape was different and not as diverse as it is today.
Today, the same cannot be said! Outsourced data centres are mostly not company owned but rather belong to a provider and reside in the cloud, something we cannot see but just know is there. Software and applications used are also in the cloud, on someone else’s servers. We can choose to rent services and space and decide whether to share services and space with others. Mobile devices, some company owned, others not (many unprotected), are being used anywhere and at any time to access these cloud-based applications, services, systems, and data. Endpoints are ubiquitous and the once contained network is a thing of the past for most organisations.
The threat landscape has drastically expanded and changed over the last two decades. Moreover, our IT environments and the way in which we function have also transformed. Consequently, our security efforts should have followed suit. Many organisations have shifted or are shifting their security focus; nonetheless, others are still focusing efforts in the wrong areas. It is essential that we focus our efforts in the right places to achieve the best security posture for our efforts, and prioritising security efforts where they are needed most is critical.
Shifting security focus away from the network
Yes, 20 years ago network/perimeter security was the focal point, and if you were able to properly secure your perimeter you were likely to be on the road to security success. This approach will no longer suit: the traditional perimeter no longer exists or is very porous. That being said, many organisations continue to focus far too much of their efforts and security budget on network security (securing the disappearing perimeter!). This is being done at the expense of other areas that should be prioritised and properly secured to be effective in today’s threat landscape.
We need to look at security differently. It is very difficult in this day and age to achieve complete security and to fully address all the threats and risks. Therefore, we must prioritise our security efforts according to where threats are currently prone to occur. If the majority of incidents are caused within the application layer (this is often the case today), then this is where security efforts should be focused. The threats are vast, but focusing on the critical ones for your organisation is key, and doing it this way will ensure efforts and money are better spent. Application security and Identity and Access Management should (presently) be made a priority.
Don’t ignore perimeter security, but also be sure not to ignore other pertinent areas because of it; it’s important to get the balance right.
Decide what is essential for your organisation by identifying the most critical points of your organisation to safeguard. Then gain an understanding of the elements that pose the most risk and focus your efforts there. Securing these elements should be made a priority. By taking the time to do this you can be sure to focus your efforts in the right places.
Focus your security efforts in the right places…applications, applications, applications and not forgetting Identity and Access Management too!
Fortifying the perimeter is no longer where we should be focusing our primary efforts, so let’s consider where we should be focusing our efforts (for now, at least) instead.
Application security as well as Identity and Access Management should be the focal points for now. More and more breaches are occurring at the application level. If you are not focusing your efforts on securing applications but rather elsewhere (like the perimeter, where an anticipated majority of most organisations’ security budget goes!), you are at risk and vulnerable to attack.
Billions of mobile devices are being used globally to connect to applications residing anywhere and everywhere. This is shouting out vulnerability if security is not properly addressed. Authentication and Identity and Access Management have never been more important with this many devices and applications in use.
Consider focusing your efforts on getting these right:
- Application security
- Identity and Access Management
- Advanced firewall security
- Achieving visibility
- Ensuring your application security expertise is on hand and up-to-scratch
Getting the above fundamentals right is so important. Applications are now the point of entry to the most valued asset organisations hold: data (their own and that of their customers and clients). Breaches at the application layer are becoming frequent and will only increase. We need to verify the identities of the users, wherever they may be, and be able to secure the applications no matter where they are located. Compromised identities are a common cause of security breaches. The network is a constituent of these two fundamental areas but should not become the focal point.
Properly vet the applications in use: those onsite, offsite, in the cloud, and employee apps. All apps should be tested and secured, especially those that may place you at increased risk.
It is important to have a good understanding of the applications being used, how they function, what they are used for, when and by whom. With a good understanding, any activity out of the ordinary or any unusual behaviour displayed is unlikely to go unnoticed. The ability to achieve application visibility is a fundamental step towards better securing them.
The importance of ensuring your organisation has application security expertise on hand cannot be emphasised enough. Many organisations are unaware of the extent of risk presented by applications, and they focus on application functionality instead of the security that they can offer (this is a big mistake!). Applications are developed and made available at an exceptional rate, but many fail basic security tests. Organisations assume that these applications are developed with security in mind and that by default they will be secure; however, the majority will infringe on the organisation’s security policies and have no security assertion at all.
App developers can reach millions of users rapidly, yet many of them do not have the experience, budget or incentive to undertake the necessary security testing to ensure that the software is safe to use. The applications enter the market with security flaws, leaving the application and the organisation’s devices and networks compromised.
Thus it is essential that organisations have the expertise on hand to recognise the flaws and mitigate the damage. Tools for application security testing are also worth considering so that the process can become somewhat automated.
Focus security efforts for largest impacts
Today, protecting the perimeter is a losing battle, yet the majority of organisations still focus on achieving this. Successful defence is shifting from focusing on ‘keeping attackers out’ to assuming that ‘occasionally attackers will find a way in’, and that we must be able to detect them quickly and ensure that potential damage is kept to a minimum. We need to safeguard against the potential damage resulting from any of the billions of individuals that have access to the internet and may have malicious intent.
To do this we need to concentrate efforts on protecting core assets and systems, securing throughout the lifecycle, and focusing on the current threat areas. Security focus should shift and will continue to shift; we cannot keep doing as we did decades ago and expect to be secure. Security focus must adapt with the times.
Network/perimeter security should not be ignored, but securing it should not be to the detriment of more relevant and critical areas. We must get the balance right and ensure focus is directed where the most impact can be realised, especially since many organisations do not have mature app security procedures in place.