Why Traditional Security Is Failing Us, Part 2
This is the second part of a two-part series that explores the reasons behind the failure of security technologies to protect companies and their data from emerging threats in the age of cloud, connected devices and an ever-expanding threat surface.
It is time to stop following the next big network security trend and figure out what you have that the bad guys want. Where does it reside in your infrastructure, whether it is in your corporate network, data center or the cloud? How much do you have? What is your data worth on the dark web?
Most security leaders have identified most of their personally identifiable information (PII) using scanning tools for compliance auditors and for cyber risk insurance policies. They are also probably tired of everyone telling them that they need better patch management, which is a core tenet of every IT maturity model, including ITIL and COBIT. The premise is that better patch management will reduce your attack surface and reduce your chances of being the next big headline.
Unfortunately, maintaining systems today is very difficult in practice. Infrastructure is now typically spread over a couple of different clouds, cloud-based services you may or may not control, a data center you rent space in, or your own office data center. Maintaining inventories of everything is difficult to begin with, and digital transformation is making it even more difficult.
The blind spot for many organizations has to do with their applications and databases. Now you are saying, “Wait just a minute—we test all of our applications and we encrypt all PII. We have database firewalls and everything to meet compliance and keep the bad guys out.” Here is the bad news: Compliance still does not equal tight security and the bad guys know how to sail right through your database firewalls and steal your encryption keys. Your CISO will probably agree that these things have not increased their average job tenure, which is usually about two years.
The Role of Application Development in Security
Application developers and database administrators (DBAs) have been working in silos very efficiently for many years. They develop amazing applications to meet the requirements of the business they support. Their primary concern is the user experience, and users are getting less and less patient with delays in getting results from applications.
The app developers and DBAs go off and develop the most efficient configuration possible within the boundaries set by compliance. In most companies, the security team is only allowed in after everything has been developed, and all they can do is provide firewalls and other host-based security technologies to protect the application.
This creates a major blind spot between your applications and your database. If users’ credentials are stolen and an attacker can access your application, they can do and see anything that the user was allowed to do in the application. Traditionally, the only way to find this anomalous behavior was after a breach had already occurred.
Technological means of protecting sensitive data without modifying applications or adding yet more encryption (which already slows down response times) have proven elusive.
In fact, application development has an even more significant role to play in the security of data. While DevOps practice has recognized the need to test and secure applications during development, developers themselves have long been familiar with the idea of building data security directly into a product. We see this widely in embedded systems, where hardware is made impervious to attack without relying on users to “do the right thing.”
However, developers and the companies they work for still think about security far too late in the process, after they’ve written the code. Far too many developers have been trained to write code without regard for what is considered the job of security and IT teams, who are handed the finished product and expected to engineer security around it with a mixture of outdated cybersecurity approaches from patches to intrusion detection, to complex access protocols and systems.
According to a GitLab survey of security professionals, nearly half say it is a struggle to get developers to give priority to remediation of threats, and 7 of 10 developers are expected to write secure code despite receiving inadequate guidance or assistance.
To resolve this problem, developers need the tools to not only understand the vulnerabilities in the apps and software they are building but also to place monitoring, governance and protection into the critical path between those who access information on a network and the information itself.
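The blind spot described above (a stolen credential lets an attacker read everything the legitimate user could, and nobody notices until after the breach) is exactly what monitoring in the critical path between users and data is meant to close. The following is an added example, not code from the original article: a small Python access-monitoring layer that a data-access wrapper could call on every query, flagging reads that break a user's own baseline or exceed a hard cap. All names, thresholds and the sample audit events are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, field
import statistics

# Constructed sample audit events emitted by a hypothetical data-access layer that
# sits between the application and the database: (user, table, rows_returned).
SAMPLE_EVENTS = [
    ("alice", "customers", 12), ("alice", "customers", 8), ("alice", "customers", 15),
    ("alice", "customers", 10), ("alice", "customers", 9),
    ("bob", "customers", 20), ("bob", "customers", 25), ("bob", "customers", 18),
    ("carol", "orders", 3000),     # first-ever read by carol: no baseline exists yet
    ("alice", "customers", 400),   # bulk read far outside alice's usual pattern
]

@dataclass
class AccessMonitor:
    """Per-(user, table) baseline of rows returned; flags reads that break the pattern.

    Two checks: a hard cap that applies even with no history (cold start), and a
    z-score against the user's own past reads once enough history has accumulated.
    """
    hard_cap: int = 1000          # rows per request no single user should ever pull
    min_history: int = 5          # observations needed before the z-score is trusted
    z_threshold: float = 4.0      # heuristic; tune against real traffic
    history: dict = field(default_factory=lambda: defaultdict(list))

    def observe(self, user: str, table: str, rows: int):
        past = self.history[(user, table)]
        alert = None
        if rows > self.hard_cap:
            alert = {"user": user, "table": table, "rows": rows, "reason": "hard_cap"}
        elif len(past) >= self.min_history:
            mean = statistics.fmean(past)
            stdev = statistics.pstdev(past) or 1.0   # flat history: avoid divide-by-zero
            if (rows - mean) / stdev > self.z_threshold:
                alert = {"user": user, "table": table, "rows": rows, "reason": "z_score"}
        if alert is None:
            past.append(rows)   # flagged reads are kept out of the baseline
        return alert

def scan(events):
    """Replay audit events through the monitor and return the alerts raised."""
    monitor = AccessMonitor()
    return [a for a in (monitor.observe(*e) for e in events) if a]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

In a real deployment the alert would be raised at query time, before the rows are returned, so the bulk read can be throttled or blocked rather than only logged.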
Toward a Different Mindset
Conceptualizing data security in different ways is providing answers that can elucidate both process and practice. The emphasis needs to move away from a discursive examination of security and toward the real function of what we are trying to achieve. As the benefits of technology grow, the adoption of cloud, IoT, AI and other connected platforms is creating a security problem that cannot be solved by our traditional endpoint- and perimeter-based mindset.
More tenable solutions must continue to be developed that allow businesses to meet their obligation to protect their computing assets wherever they reside, especially customer data, private information and records, which collectively represent perhaps the most vulnerable of all categories. Mitigating the risk to data, and the attendant cost of attacks in terms of disruption, loss and reputational damage, is crucial to our industry.