Why it's vital to address cybersecurity in the wider context of the business [Q&A]
It's easy to pigeonhole cybersecurity as something for the IT or security team to look after. But a major cyberattack can have a devastating impact on the business as a whole.
It's important, therefore, that security be looked at in the context of the entire enterprise. This also means considering approaches like 'assumed breach' where you accept that sooner or later attackers will succeed in getting into your network.
We spoke to Raghu Nandakumara at Illumio to find out more about this shift in mindset and how it can be applied.
BN: What have recent high-profile attacks told us about cyber security?
RN: You've had attacks like SolarWinds, which is impactful from an enterprise perspective, and like Colonial Pipeline, which clearly has consumer impact. All of these kinds of organizations would have invested significantly in detection and response capabilities. This is not in any way belittling the importance of detection and response as a security capability. However, it is very reactive to a threat: you're hoping that you're able to detect what the attacker is attempting to do at various stages of the attack, and you're hoping that you ultimately have adequate response capabilities that allow you to then take action quickly enough in order to limit the impact.
The history of recent attacks has shown us that the ability to respond is often too little, too late. You might be talking about tens of days before we're actually able to detect the attacker, and that's often too late for any type of response. As good as defenses are, the fact is that attackers will find a way in because they can keep trying and they just need to be right once.
Given that we accept that the attacker will at some point be successful in that initial landing within the target, it's really about making it as difficult as possible for the rest of the attack to continue. That really is what the assumed breach mindset is about. Should they get in, you want to be able to contain that as much as possible. We want to use least privilege and we want to put in place controls that limit the ability to move laterally, such that the speed of spread of ransomware, for example, is reduced.
BN: So this ties in with the current trend towards zero trust?
RN: Yes, absolutely, because really what we're talking about in terms of assumed breach, and building stronger controls, is necessarily zero trust, just in different words. Because better controls means less implicit privilege and moving towards more explicit, more clearly defined privileges. So any asset only has the required amount of access to another resource, or network, or workload, and that is very much what zero trust is.
BN: Does implementing this require a greater drive from the top of the business?
RN: Yes, if we want to adopt more zero trust security principles then how we build our security controls is a very top level mandate. But then that needs to translate into the implementation, whether it's at the business unit level, or whether it's at the application level. Ultimately, from the board's perspective it is about reduction of business risk. So the communication shouldn't be, "We're taking the zero trust approach," rather that "We're taking significant steps in order to reduce the business risk." And yes, having that mandate from board level is an important part of getting this program off the ground.
BN: Do we also need a culture change to ensure that teams further down the business, like operations and developers, are adopting the same approach?
RN: In order for this to be effective, the granular controls will increase and there will be an impact on applications and on business teams if those controls are not executed in the right way. It's a cliché that security is typically the organization that gets in the way of progress and agility. Whereas from the development side it's about increased velocity, about how they can get new technology capabilities to market, or they can release new features.
It's important to incorporate these controls as part of transformation efforts so that it's not something that they're trying to bolt on later, but really they are incorporating those into their new architectures, so that it doesn't feel like security is hampering them.
BN: Will this also need to involve the supply chain, cloud partners and so on?
RN: From a cloud provider perspective, if you look at what the various cloud providers are offering in terms of how their own capabilities are set up, zero trust approaches are kind of baked into how those services are built. So for example if you're taking AWS as an example, you very much have to grant permissions to a role, or to a user, you have to explicitly grant permissions. If you're just standing up, let's say, a compute instance, unless you specifically define what resource can access it, then there is no access into it, except the one that you explicitly grant.
So, the cloud service provider has actually built a set of services where, if you're following best practice, you're essentially taking a zero trust approach from the get-go. However, what happens is that often, because it's perceived to get in the way of moving forward quickly, we take a much more lax approach, so we grant more permissions than we should, because it's easy. Really it's education and more emphasis on following best practices, such that those services are consumed in a secure manner from the start, because they already lend themselves to that.
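The last two answers contrast the explicit-grant model of a cloud provider's IAM with the "grant more than we should, because it's easy" habit. The following is an added example, not code from the interview or from Illumio: two constructed IAM policy documents, one lax and one scoped to a single bucket, and a small checker that flags Allow statements relying on wildcards or on NotAction/NotResource (which grant everything except the listed items). The bucket name and the policy contents are assumptions made up for the example.

```python
"""Flag over-permissive IAM policy statements (added example, constructed input)."""
import json

# Constructed: the "because it's easy" policy, everything allowed on everything.
LAX_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}
    ],
})

# Constructed: an explicitly scoped policy for a workload that only reads one
# (hypothetical) bucket, the explicit-grant model the interview describes.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [
                "arn:aws:s3:::example-app-bucket",
                "arn:aws:s3:::example-app-bucket/*",
            ],
        }
    ],
})


def _as_list(value):
    """IAM accepts either a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_overbroad_statements(policy_json):
    """Return findings as (statement_index, field, offending_value) tuples.

    Allow statements are flagged when Action is '*' or 'service:*', when
    Resource is '*', or when NotAction/NotResource is used (those grant
    everything except the listed values). Deny statements are skipped
    because a broad Deny narrows access rather than widening it.
    """
    doc = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append((idx, "Action", action))
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*":
                findings.append((idx, "Resource", resource))
        for negated in ("NotAction", "NotResource"):
            if negated in stmt:
                findings.append((idx, negated, "negated grant"))
    return findings


def is_least_privilege(policy_json):
    """True when no Allow statement grants wildcard or negated permissions."""
    return not find_overbroad_statements(policy_json)


if __name__ == "__main__":
    for name, policy in (("lax", LAX_POLICY), ("scoped", SCOPED_POLICY)):
        findings = find_overbroad_statements(policy)
        print(f"{name}: {'least privilege' if not findings else findings}")
```

Run against the two constructed documents, the lax policy produces two findings (wildcard Action and wildcard Resource) and the scoped policy produces none. A check like this belongs in the pipeline that creates roles, so the scoped form is the default rather than something bolted on later.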
Image Credit: soliman design / Shutterstock