The problem with the future—as baseball legend Yogi Berra, the founders of the Internet, and any CISO or CTO can assure you—is that, increasingly, it ain’t what it used to be.
For those of us in the field of cybersecurity, where the utopian dreams of the early Internet collide with the realities of increasingly serious levels of crime and threat, the future can at times look especially treacherous. As public and private organizations alike scramble to remain ahead of those who would compromise their information, one thing is certain: You can’t prevent tomorrow’s attacks with yesterday’s security strategy and technologies.
It seems common sense, but in the increasingly complex labyrinth of connectivity that is intensified by wireless, mobility, and multi-cloud networks, it is easy to get spun in different directions. This is no indictment of cybersecurity decision makers, either. You don’t have to be very slow at all to quickly fall behind.
Regardless of intent, organizations that are using dated security practices are at risk of becoming ‘trophy compromises’ for criminals and nation-states every day. At the same time, more and more security leaders have come to accept a specific reality of being connected to the Internet: No matter what you do, chances are, you will be compromised.
There is a silver lining, though. Those four simple words - you will be compromised - have a powerful way of inspiring a strategic pivot to a security strategy much more in line with today’s demands. If we begin with some degree of compromise as a given, it forces us to stop over-optimizing time, resources and efforts on the impossible goal of perfection—at great cost and with much less security. Instead, we intuitively begin asking the key question of effective security strategy:
If our systems are bound to be breached, how can we design them to limit the breadth, depth, severity and scope of the damage?
If we ignore this critical question rather than build strategy around its sound answer, we fall into one of two painful traps: The fool’s errand of trying to prevent all compromise, or a state of denial that deludes many into thinking that it won’t happen to them.
Business leaders can abandon these mindsets of their own accord now, or they can wait for an attack to force them to discard them. Both, though, are nimbly avoided with the kind of consequence-based engineering that designs systems and networks with inherent protections and failsafes that limit the potential severity of an attack. This approach also makes an organization a much less desirable target for threat actors and creates the greater levels of network dexterity that can drive significant business opportunities.
There are two key best practices that reflect and reap the benefits of this approach to cybersecurity: Segmentation and Access Control.
Segmentation flows from the simple understanding that the network boundary, as we’ve known it for the Internet’s first 40 years, is on its deathbed. The strategy of as recently as a decade ago—to build a really high wall around our digital infrastructures and defend it like Monty Python’s belligerent French knights—was quickly decimated by the proliferation of mobile devices (remember all those BYOD op-eds we used to read?), and more so by use of the cloud, and the intricacies of the Internet of Things.
The solution is Segmentation: Rather than one wall around everything, segmentation allows separate but aligned macro and micro-segments throughout the network. It is a far more effective security strategy that assumes inevitable attack while making great strides in minimizing access to sensitive, proprietary and mission-critical data when the attack occurs. Even if an organization’s first line of defense is breached, there are limits on the volume and value of what an attacker can snatch once inside.
And segmentation now has an offshoot—Agile Segmentation—that may allow security professionals to finally achieve the nirvana we have sought for so long. Namely, security valued as a business enabler, allowing an organization to do things, such as form a business-to-business data sharing coalition, that it would never have dreamed feasible without agile macro and micro segmentation techniques.
With a cybersecurity strategy that focuses on network segments rather than perimeters, organizations are then able to add another powerful best practice: Access Control. Unfortunately, the complexities of granular Access Control make it a practice that is often poorly implemented.
Without Access Control, managers and C-suite leaders historically had little choice when someone needed access to data. The answer was either no or yes—which granted them access not only to the information they needed for their task at hand, but also some of the most sensitive and important information in an organization’s network.
Segmentation and Access Control can now be aligned and deployed to not only protect this information, but also drive much greater teamwork. Mobile users or remote employees can be allowed to utilize some datasets but not others, or at certain times and not others. But across the network, managers can also designate internal teams with different points of access to come together to leverage their knowledge and expertise of this data to create stronger business results through collaboration.
When a project or initiative is complete, the permissions can be changed. If a breach occurs, it is much easier to protect a smaller data footprint, and to then limit the areas and scope of the investigation, minimizing suspicion and wasted resources. All of which protects innocent employees, while also improving security.
Like all effective strategy, the principles of Segmentation and Access Control augment and work in alignment with today’s technology, rather than fight against it. Importantly, smart use of the cloud is critically dependent on state-of-the-art firewall techniques for exactly this type of activity—for users to pop up a data set and take it down just as easily.
This means that even organizations that have been lagging behind on security best practices can quickly harness the flow of today’s best technologies. Rather than fighting against them—or worse, allowing innovations to make them less secure rather than more—they stand to benefit from them, often in more ways than just significantly improved cyber security.
In my experience, agile micro and macro segmentation is a hallmark of sound security solutions: It creates a halo of opportunity across the business by savvy deployment of data and data protection alike. With a slight pivot in perspective and strategy, organizations will not have to live with anywhere near the levels of stress of knowing that, at any moment, they will be forced to fight to defend their most valuable resources. Because they will have accounted for tomorrow’s attack long before it occurs—and will have already engineered out the worst consequences with savvy and effective network segmentation.
This byline originally appeared in CSO.