Security from edge to cloud: Balancing innovation & security in a shifting threat landscape
JUNE 19, 2019 • BLOG POST • LIZ JOYCE, HPE CHIEF INFORMATION SECURITY OFFICER
IN THIS ARTICLE
- While digital transformation has brought enterprises agility, it’s also complicated cybersecurity with new technologies creating new vulnerabilities
- Data is the new currency in today’s digital economy, but this is also true for hackers who seek to steal data with increasing scale, sophistication and speed
- Cybersecurity teams need to shift from perimeter defense to defense-in-depth, fortifying the enterprise with concentric layers of defense
- Security needs to be built-in, not bolt-on – stemming from firmware to hardware, edge to cloud to ensure rock-solid protection at the core
In today's evolving threat landscape, security must adapt to protect data - and innovation - from edge to cloud
Every day, we’re bombarded with headlines of cyberattacks, and as a battle-hardened security practitioner, I’ve become somewhat immune to the shock value of it all. But last year, a particularly unusual breach of a Las Vegas casino sweeping the news caught me by surprise. The entry point for this attack? A fish tank.
By hacking an internet-connected fish tank (designed to regulate water temperature), cybercriminals found a vulnerability in the tank’s thermometer, cracked open a backdoor into the network, and stole the casino’s database of high-rollers – filtering it out through the thermostat to a remote server in Finland. Now, I’ve seen radical changes over my past 20 years in cybersecurity, but if you had told me 10, maybe even five years ago, that we’d be seeing critical financial data exfiltrated through a fish tank, I’d have said you were nuts. But as bizarre as it is, it’s a frightening reminder of the dangers of today’s hyperconnected world – one experiencing exploding volumes of mobile and Internet of Things (IoT) devices and data.
Here at Discover Las Vegas this week (hopefully sans faulty fish tanks), my colleagues across HPE have unveiled a slew of exciting innovations across hybrid cloud, intelligent edge and more – ones that promise to deliver new agility and competitive advantage in this connected economy. But as tempting as it is to get swept up in the tides of innovation, it’s important that technologists and business leaders alike remember that new technologies also create new risk. Let’s delve into how cybersecurity is changing amidst all this digital transformation—and how enterprises can adapt.
From Edge to Cloud: A Multiplying Attack Surface
Here at HPE, we talk a lot about this new edge-to-cloud reality and the innovation enabled through it, but there is another reality: edge-to-cloud has significantly complicated cybersecurity. Let’s start with the edge.
Today, we’re hooking up things we never would have imagined to the internet—from phones to refrigerators to oil rigs to medical devices—but while the IoT enables a new level of automation and intelligence, smart things also create vulnerabilities that even smarter hackers can use as weapons. The reality is that each new device may be another backdoor for bad actors, just as each new cloud, each new data center, each employee expands the attack surface.
Sometimes this is because of poor device security, but very often, it’s the hyperconnected nature of our digital ecosystem that spawns these gaps, particularly with the rise of the IoT and Bring Your Own Device (BYOD). Take the case of the casino: who would’ve guessed that a fish tank’s thermometer would allow hackers to get into a casino’s files? Because of the sheer volume of devices, connections, clouds and places where data is stored, it’s hard to map the interplay between these things, but this extreme connectivity means that once a hacker gains one foothold, it’s easy to rapidly traverse up, out and across the network. And with hospitals and factories becoming more connected, this cyber risk can translate into very real physical risk for humans.
Say a factory contractor takes a tablet he uses to log projects, connects to a hotspot at a coffee shop, and has his corporate credentials stolen by lurking bad actors…who have broken into the network through outdated firmware in the store’s smart speakers. Just like that, hackers may now have access to the network and applications that control and monitor assembly line machines—enough to commandeer them, trigger a malfunction and endanger worker lives.
And then there’s the data sitting at the edge. According to Gartner, by 2025, 75 percent of enterprise-generated data will be generated and processed outside of traditional data centers or the cloud; instead, it will be at the edge—the point where sensors, devices and people interact. But that can also be dangerous, particularly with sensitive data (medical, financial, legal, you name it) roaming outside the confines of the data center, in pockets or autonomous cars—or even wandering into the home with employees. And with security controls being lighter at the edge (or even bare bones in cheaply manufactured IoT devices) as compared to traditional devices like servers and laptops, that puts enterprise data at incredible risk.
Then there’s the cloud. The public cloud has delivered agility for enterprises, but with this comes a lack of control—and a certain amount of unknown. If knowledge is power, then the converse also holds: lack of knowledge means lack of power, which equals risk. All it takes is one oversight on the other end. It’s not just public cloud. With any hybrid IT strategy, you’re bridging different technologies, or in digital transformation, legacy and new infrastructure—with data flowing between the two. If the path between the two is compromised, you’ve now contaminated the brave new world your IT team has built.
Tear Down This Perimeter
So what’s a security practitioner to do about all this? And for IT, does that mean you should reject the new? It’s not so black and white, nor is it all doom and gloom—it’s a matter of carefully taking stock of the threat landscape, your IT assets, and evolving. Here are some key tenets enterprises should keep in mind to protect themselves, while still embracing innovation:
- Visibility, visibility, visibility: Yes, it’s a daunting task to secure so much from edge to cloud, but in all of this, visibility is key. At the edge, you need to be able to see everything on your network, even BYOD devices. Case in point: earlier this year, we implemented Aruba ClearPass for network visibility in our newly minted headquarters, expecting a ratio of 1-2 devices per person…imagine our shock when we discovered 4-5 devices per person! While surprising, this underscores the importance of visibility: You can’t protect what you can’t see. By gaining visibility, we were able to enforce tailored security and access based on roles (contractor, guest, employee). This is equally important when it comes to the cloud. Since you don’t have the same level of control in the cloud as on-premises, it’s crucial to complement that with clarity and context down to a deep technical level.
What are your cloud providers’ security controls? If your data is compromised and locked in the cloud, is a separate backup part of your contract or not? If an incident occurs, how do they respond, and who do you contact? These are all critical questions—because where your provider is not managing, you need to fill in those gaps. Lastly, once you have that insight, you need to make thoughtful decisions with IT about what should and shouldn’t be stored in the cloud. Cloud providers often become scapegoats when breaches strike, but the truth is, responsibility also sits with the user. The cloud might be the right solution for certain data, not for others. Pending patents? No. Medical records? Nope.
- Defense-in-depth: When I first started out in cyber, we were content to take all of our critical assets, stick them in a data center, and throw up a firewall. But with all this data being scattered across on- and off-premises, public and private clouds, data centers and the edge, threat vectors are multiplying and the enterprise perimeter is blurring. In fact, it’s safe to say that today, the perimeter no longer exists. And that means walls don’t work anymore. Enter defense-in-depth: rather than relying on perimeter defense, it’s the idea of fortifying your enterprise with concentric layers—so that if adversaries make it past one, there’s another to deter them. These can include firewalls, network intrusion detection, antivirus software, authentication, behavioral analysis, application barriers and access controls. And now, it can mean securing horizontally—edge to core to cloud—and vertically—firmware to software to hardware. Because these days, with the mounting speed, scale and sophistication of threats, it’s not a matter of if you’ll be breached, but when. And so that means ensuring airtight defense at every layer of your stack.
Another way to think about this is the model of zero trust: a base assumption of zero trust for anyone or anything. Rather than allowing traffic through by default, access is not granted until identities, software and data are authenticated, validated and encrypted–even for insiders already in your network. As bothersome as employees might find these checks, the reality is that the bad guys may already be inside, and today, clever social engineering can deceive even the savviest employees. So only by assuming the very worst can cyber teams ensure the very best.
- Built-in, not bolt-on: Too often, security has been viewed as the last step of IT, but we need to transform cybersecurity from an afterthought into an enterprise mindset. This means embedding it into services and products from the get-go (and even their development processes). Especially with data processing at the edge (and firmware/hardware attacks), ensuring rock-solid security mechanisms at the very root of devices themselves is critical. But for enterprises, this also means a cultural shift. Security gets a bad rap for being the “party pooper” putting a damper on innovation, but often this is because we are brought into the conversation too late. By being brought in early on, security can first understand business and IT goals, adapt and compromise. After all, we wouldn’t be here without the business, and so we should enable the business. That doesn’t mean compromising on everything—some risk is absolutely non-negotiable. On the flip side, the business needs to tell security what data is critical and where it’s stored—after all, what is the point of innovation if your intellectual property can be swiped in seconds?
- Intelligence is your best weapon (and your hacker’s too): I can’t stress enough how crucial 360° real-time threat intelligence is in the fight against cybercriminals. That’s why my teams are doing important work to turn our legacy, reactive security operations into proactive, intelligence-driven cyber defense. As part of this, we’re gathering, fusing and streamlining data and intel from across operations, risk and compliance, network security, engineering, data science, machine learning, and even beyond security—all functions that have historically been siloed. Aggregating these insights allows us to have a more comprehensive view of threats and stay one step ahead of adversaries. For example: if you can see that an employee has just badged in at an office in Asia, but logged on from the U.S.—that just might be the tipoff you need to close off access—physically or digitally—and stop a suspicious actor before they wreak havoc. But beyond breaking down silos within the enterprise, this also needs to be done across the public and private sector, enterprise and enterprise, domestically and globally. Progress has been made, but more can be done amongst the good guys to join forces, exchange intel, and present a truly united front.
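The badge-in versus login correlation described above, as an added example that is not part of the original post: it fuses constructed physical-access records with constructed login records and raises an alert when a user's login source country contradicts the site where they badged in shortly before. The two-hour window, the field names and the sample data are all assumptions made for the example.

```python
# Added example (not from the original post): fuse constructed badge-reader
# records with constructed login records and flag a login whose source
# country contradicts where the same user badged in shortly before.
from datetime import datetime, timedelta

# Constructed sample data: badge readers report the site's country code.
BADGE_EVENTS = [
    {"user": "alice", "time": "2019-06-19T08:55:00", "site_country": "SG"},
    {"user": "bob", "time": "2019-06-19T09:02:00", "site_country": "US"},
]

# Constructed sample data: login records carry the source geo-IP country.
LOGIN_EVENTS = [
    {"user": "alice", "time": "2019-06-19T09:10:00", "src_country": "US"},
    {"user": "bob", "time": "2019-06-19T09:15:00", "src_country": "US"},
    {"user": "alice", "time": "2019-06-20T03:00:00", "src_country": "US"},
]


def _ts(s):
    return datetime.fromisoformat(s)


def find_location_conflicts(badges, logins, window_hours=2):
    """Return one alert per login whose source country differs from the
    country of that user's most recent badge-in within window_hours.

    The window is an assumption of this example: a badge-in that is many
    hours old no longer says where the person is, so it must not alert.
    """
    window = timedelta(hours=window_hours)
    alerts = []
    for login in logins:
        t_login = _ts(login["time"])
        # Badge-ins by the same user that precede the login inside the window.
        recent = [b for b in badges if b["user"] == login["user"]
                  and t_login - window <= _ts(b["time"]) <= t_login]
        if not recent:
            continue  # no physical-access context: nothing to correlate
        last = max(recent, key=lambda b: _ts(b["time"]))
        if last["site_country"] != login["src_country"]:
            alerts.append({"user": login["user"], "login_time": login["time"],
                           "badged_in": last["site_country"],
                           "logged_in_from": login["src_country"]})
    return alerts
```

With the sample data, only alice's 09:10 login fires: bob's login matches his badge site, and alice's next-day login falls outside the window, so the stale badge record is correctly ignored.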
- Finding the right balance of people, process and technology: Machine learning, automation and AI are key tools in a security team’s arsenal. By creating and training a formalized machine learning team within our security group, we’ve been able to detect threats dramatically faster—while freeing my team from tedious tasks to focus on hairier, big-picture issues. But I wouldn’t be doing my job if I didn’t warn: AI is also a powerful and even scarier tool in the hands of the bad guys. Not only that, as companies create AI algorithms and curate massive data sets to train them, this amps up the stakes for security. What if a hacker deliberately manipulates the data training the algorithm, leading the AI to make false or biased decisions? With a lot of talk about AI being used for law enforcement or job candidate selection, the implications are disturbing.
Moreover, automating security is often hailed as a solution to the dire cyber talent gap (with 3.5 million unfilled positions by 2021), but it’s crucial to find the right balance between people and technology. There are times when only the human should be validating complex security decisions. For example, what if the only way to stop a persistent nation state actor infiltrating a hospital is to shut off all power? Pull the plug, right? But what if that same power is feeding life support machines and fueling sensitive communications between a patient’s nurse and surgeon? That decision should absolutely be made by a human who can weigh the ethics of these two—not AI.
In our brave new world, digital transformation demands a transformation at the cutting edge; one in which security is considered from the inception of an idea through the entire lifecycle. And security needs to evolve to keep pace—learning from old mistakes and overcoming new obstacles—to truly enable innovation.