From the ground up: Constructing a solid framework for modern enterprise security
When a contractor looks at an existing home to determine if it's worth rebuilding, one of the most common factors is whether "it has good bones," meaning the structure is fundamentally sound. When you look at the security of your enterprise infrastructure, can you say the same thing?
With enterprise security, it’s a brave new world. Gone are the days when you could put firewalls around a data center’s perimeter and be confident you were protecting all your company’s critical assets. In today's highly connected mobile world, data can reside anywhere, from the data center to people’s mobile devices, from the cloud to sensors on the edge. To succeed in protecting the organization requires a more holistic and pragmatic approach that looks at people, process, and technology through the new lens of a constantly evolving threat landscape.
In short, it means building security in from the start rather than bolting it on afterward.
We've heard this mantra for years, but what does it mean in practice? Here’s what some of the experts say.
The problem scope
Let’s start by looking at the scope of the problem. “When I started in cybersecurity 20 years ago, only a few people had modems at home and laptops were relatively few and far between," says Ben Banks, European security director for Ensono, a provider of hybrid IT services and governance. "Now, almost everyone either has a hugely powerful computer in their pocket or a laptop and is able to communicate with the world very easily. That, unfortunately, makes enterprises quite a target-rich environment for the threat agents that are out there.”
With vital data and resources residing not only inside corporate perimeters but also in the cloud, as well as on mobile and IoT devices, exploits have multiplied. New types of attacks constantly develop, including ransomware, supply chain attacks, social engineering exploits, and more. Threats occur on a daily basis, launched by increasingly sophisticated adversaries including nation states and cybercriminals.
While there may be disagreement on the actual cost of cybercrime—one report puts the hit at roughly $600 million in 2017 and others forecast potentially billions of dollars in future losses—there is little argument that it is significant and the impact can be detrimental. “Similar to financial and reputational risks, cybersecurity risk affects a company’s bottom line. It can drive up costs and affect revenue. It can harm an organization’s ability to innovate and to gain and maintain customers,” warns the U.S. National Institute of Standards and Technology in a white paper titled "Framework for Improving Critical Infrastructure Cybersecurity."
Building security into the core of the enterprise
All this means that a truly effective approach requires that security be neither an afterthought nor an add-on. Security should be built directly into the core of the enterprise, says Seth Robinson, senior director of technology analysis at CompTIA, a nonprofit technology trade association.
“A modern security approach goes beyond thinking of security as only a technology problem,” says Robinson. Instead, he says, building security into the core of enterprise computing requires a three-pronged approach: protecting a company’s technology, protecting its processes, and educating employees in cybersecurity.
To protect technology, Robinson says, “the toolbox has to expand beyond firewalls and antivirus to things like data loss prevention, identity access management, and security incident event monitoring.”
As for processes, Robinson says this requires examining employee and corporate workflows, how employees interact with suppliers and contractors, as well as risk analysis and compliance management.
Doing so requires a collaborative effort among different departments. “This is where we see the general trend of IT and lines of business needing to talk more to each other,” Robinson says. “The security team needs to have discussions with lines of business and understand what they're doing, why they're doing it, and what some of the business reasons for doing it might be. Then IT can bring their security expertise to the table and say, 'Here are the places where there's a security risk or vulnerability.' What needs to be done has to be a collective decision made by different parts of the organization so that the whole organization is establishing its appetite for security and determining the balance between convenience, security, and privacy.”
Also important in this effort is that companies make sure their suppliers follow security practices and even write security requirements into contracts. Supply chain security is often neglected but can be a significant risk, as corporate buyers are dependent on the security of their chosen vendors, as well as the product delivered by those vendors.
The third prong of building security into the core of an enterprise—educating employees—is critical, Robinson says. Every employee in an enterprise is a potential security risk, meaning organizations must go beyond teaching the basics about antivirus software and address modern risks such as spear phishing.
“Some companies are experimenting with ongoing education,” Robinson adds. “That means constantly sending out alerts and information such as how to protect against the latest social media hack or highlighting a recent major data breach and offering advice on how employees can help protect against them."
Incorporate security into the development process and IoT
One area where security is rarely baked in from the beginning is the software development process. Typically, companies consider security only toward the end of the development cycle, essentially fastening it on afterward. But Grant Kirkwood, CTO of Unitas Global, a provider of enterprise cloud solutions, says that’s a serious problem and must change.
“Software should be built with security in mind at every layer of a software stack,” Kirkwood says. “That doesn’t happen much today, though. It used to be that you would build an application, and you’d have a back end, database, and middleware, and they would all be considered inside a protected moat. The part that faced users was the part that was considered untrusted—the DMZ, in firewall terminology.
“But now all the layers of the application stack should be built to be inherently secure, independently of where they live, because each of those layers is no longer in that kind of walled, guarded environment," he says. "Security needs to be built directly in every layer. The whole mentality has shifted. There are still the holdouts out there that think they could build a moat. But that leads to things like major data breaches.”
Kirkwood also notes that another gaping hole where security often isn’t incorporated into enterprise assets from the ground up is with IoT. “What we now call IoT used to be called embedded systems,” he says. “And it used to be that your embedded systems, your controllers and sensors and things like that, were not network-connected, let alone Internet-connected. And so you didn't have the security concerns with them that you'd have with a mobile phone or something where you push updates over the air.
“That’s changed, though," Kirkwood adds. "Every single IoT device or sensor is an endpoint on the network that you can use to get on the Internet. And so, if those things aren't built with security in mind from the ground up, you are just exponentially multiplying the number of potential vulnerabilities.”
Metrics, metrics, and more metrics
It can be easy for companies to pay lip service to the notion of building security into the core of the enterprise but then not do much about it. To counter that, CompTIA’s Robinson recommends that companies develop a series of metrics to measure their progress toward and compliance with security objectives.
For example, one metric might cover whether all agreements with external parties have been reviewed for security language, he says. Another might cover the percentage of systems that have undergone formal risk assessments, and yet another might measure the percentage of network traffic that has been analyzed for anomalous behavior. Training can also be measured, for example, by calculating the percentage of the workforce that clicked on a simulated phishing email the IT team sent out after employees were trained to recognize such attacks.
Using security metrics is one area where companies fall short right now, Robinson notes. A CompTIA report, "2018 Trends in Cybersecurity," found that “only 21 percent of companies say that they heavily use metrics as part of their security efforts.” And while you would think that larger enterprises would be more inclined to make use of this available information, according to the report, only 26 percent of large enterprises are doing so. It's midsize companies that are most likely to make use of security metrics as part of their overall security planning.
The bottom line
Everyone interviewed for this article agreed that enterprise security needs to shift in another way as well: from a reactive approach to a proactive one. Companies can no longer afford to create passive protections and rely on after-the-fact mitigation. They need to shift to being truly intelligence-driven and proactive. That includes applying AI and machine learning to security to more effectively detect threats and react quickly to them. They need to understand that a solid security model starts outside of their own environment, not when products and services they have acquired are deployed within.
This directly applies to every organization's enterprise security model. The security of every product, both hardware and software, incorporated into your enterprise needs to be a top-level concern. It takes only a single poorly thought-out security approach by one of your software or hardware vendors to compromise your enterprise security. The growing prevalence of IoT devices, for example, within and connected to your enterprise increases the potential for a security breach exponentially. If steps haven't been taken yet to mitigate these potential issues, you need to do so now.
Robinson estimates that about half of companies recognize they need to take a new, holistic security approach and build security directly into their cores. Those organizations, he says, are primarily companies that have undergone cloud migrations and recognize that perimeter-only defenses won’t protect against the latest threats. But he also says most companies will eventually have to take the approach of building security in from the ground up.
“It’s the only way to stay secure today,” Robinson concludes. “So eventually everyone will have to do it.”
Security from the ground up: Lessons for leaders
- Considering security as something that can just be added in is a mistake.
- Supply chain security means making your vendors your partners in a complete security model.
- Analytics and metrics can give you an edge in the ongoing security battle.
This article/content was written by the individual writer identified and does not necessarily reflect the view of Hewlett Packard Enterprise Company.