[BreachExchange] Cyber security enters the age of No Trust

Fri Oct 14 15:33:36 EDT 2016

http://www.cbronline.com/news/cybersecurity/protection/
cyber-security-enters-age-no-trust/

The very successful digitisation trend over the past 20 years has produced
huge efficiencies in every type of corporation and government. But the dark
side is that the security industry has largely failed to evolve the
standard security architecture to keep pace with these broader changes in
IT.

The firewalled perimeter remains the primary defence in IT security. Yet
every major data breach in the pandemic of breaches taking place around the
world shows how simply firewalls can be bypassed. If a government worker
clicks on the wrong email and falls prey to a phishing attack, a hacker can
leapfrog the firewall and browse at will through the government agency’s
digitised records and applications.

The explosion of IT systems, networks, users, Clouds and devices has caused
the size of the typical enterprise’s attack surface to expand
exponentially. Any user or device can be the weakest link and become the
steppingstone to a major data breach.

Billions of dollars in venture capital over the past five years has been
poured into start-ups trying to improve IT security. Yet industry
statistics show that today the typical data breach still goes undetected
for months. That’s an eternity for malware and Advanced Persistent Threats
to be loose in your systems. And most of the largest vendors continue to
make a lot of money selling the same old security architecture, doing
nothing to truly fix the problem.

There are new security techniques that are proving to be effective and that
do not require the enterprise or agency to cut off Internet connectivity.
One such strategy is called the “Zero Trust” or “No Trust” model.

The old security architecture is built with the idea that you can use a
firewall to keep unauthorised people out of the enterprise systems. This
internal network is considered to be “trusted” and users who are
authenticated and given access are likewise assumed to be “trusted.” This
trust model is obsolete as every major data breach since the Target hack
has shown.

Instead, enterprises are starting to adopt a “No Trust” model that assumes
no network, user, device or application can ever be fully trusted. Instead,
you assume that the network is already compromised, that a user actually is
a hacker with stolen credentials, or that a device contains malware. With
that assumption, how do you design the IT security architecture to minimise
the damage?

IT security architects are deploying more sophisticated internal controls,
segmenting and isolating applications by enforcing stronger rules on who
should access them, even when the user is inside the network. Role-based
access control is one such technique, inspecting the internal network
traffic at various points and blocking attempts to access applications by
users who don’t meet certain rules. Another technique is to use strong
encryption to isolate internal applications so that if a hacker compromises
a network device, the hacker cannot access the application traffic flowing
through it.

But in addition to these better internal controls, the security industry as
a whole must focus on making security easier to deploy and easier to
manage. The typical security architecture is fragmented and splintered
across IT silos, with different tools, different access policies, and
different controls in the LAN, WAN, Internet, mobile network, Cloud, data
centre and elsewhere. This means setting up and managing consistent,
uniform security policies across all of these silos is extremely hard.

Until the security industry makes it easier for organisations to deploy a
simpler, more consistent security architecture, the gaps left by
fragmentation are going to remain the gateway for hackers to exploit. It is
only by changing the way the security architecture is viewed that positive
advances in the industry will really be seen.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20161014/eda861e9/attachment.html>