When it comes to setting New Year’s resolutions, most people shoot for the moon. We tell ourselves we will give up carbs, go running every morning, become a vegan or even give up drinking alcohol.
Inevitability, three weeks later, we find ourselves right back where we started.
As security professionals, responsible for keeping the bad guys out and reducing the risk of data breaches, we find ourselves right back where we started too -- we fundamentally do not really improve our security posture, and then wonder why not. We are very similar to our consumer counterparts, because we set lofty goals and unrealistic expectations and above all, focus on the wrong things to do, and then wonder why.
No surprise, I predict next year we will see more breaches, more companies moving to the cloud, more usage of mobile and more IT budget spent on security. You have heard all of this already, so let’s try to all make an impact and improve our overall security posture at home and at work. Let’s face it, 2016 has been a challenging year -- from a security perspective, there have been many notable breaches, topped off with Yahoo’s breach last week.
I have three New Year’s resolutions for 2017 -- one focused on mindset, one on implementing something simple at home and at work and one that is a question you should ask your CIO every month in 2017 until you receive a great answer.
Resolution #1: Mindset -- Rethink Security
This resolution is about thinking differentially. We all need to think differentially to approach all aspects of life, and here I want to think differentially about security – think about identity -- please.
Status-quo today is that:
- Your apps are everywhere -- in your data center, as SaaS apps and as mobile apps.
- Your infrastructure is everywhere too -- in your data center, in virtual servers and in instances in IaaS providers like AWS.
- Your users who access your data are everywhere too, in the office, on the road, as third parties and partners.
…and you’re spending a lot on security, but did you keep anyone out?
So, with this wide net of interconnected elements, where do you start?
You need to start by thinking differently.
How? Well, imagine your internal network is as insecure as the internet. I know it’s tough. It’s like thinking at home your front door is open when you go to sleep. This mindset change is happening at major companies today.
I call this a “rethink of security” because it goes against the teaching of many security textbooks and the classic “hard outside, chewy inside” analogies we typically describe.
The foundation of this rethink is The Zero Trust Model documented by Forrester. To add to this, the Cloud Security Alliance describes their Software Defined Perimeter Working Group as a clean sheet approach that combines “device Authentication, identity-based access and dynamically provisioning connectively" as a solution to the approach.
With this mindset change, the major takeaway is that you cannot trust your network anymore and if you take a paradigm shift and start thinking that your internal “previous secure” network is no longer secure, you’ll start to think differently, take charge of your security strategy and implement better defenses. Those defenses will be based upon securing your enterprise with Identity and Access Management (IAM) – with technologies like two-factor authentication, single sign-on (SSO), lifecycle management, privilege account management (PAM) and auditing, along a maturity path shown below.
Resolution #2: Act Now and Make 2017 the Year for 2FA
This resolution is about implementation.
With 63% of data breaches caused by compromised credentials and breach analysis after breach analysis pointing to credentials, the argument to remove passwords is so strong now that soon employees will be asking why security at their consumer facing sites like home banking, Amazon, Facebook and Gmail are better than what they have at the office. All of these organizations are pushing for 2FA authentication, and, as adoption increases in the customer world, CIOs will be left answering questions why 2FA was not implemented in their own organizations.
The argument that technology is too complex or employees will push back are all based upon legacy thinking. Current generation solutions are simple, cloud-based and leverage a mobile device. The key to implementing 2FA is to have 100% coverage over all employees and all access points -- accessing apps, VPNs and servers. This was never the approach in organizations that did implement legacy 2FA, but now all user access can be enforced with 2FA. Learn more about multi-factor authentication (MFA) here.
Resolution #3: What Are You Doing about Privileged IT Users?
This resolution is about being more inquisitive.
The set of users accessing applications or technology that runs your applications includes:
- Employees: This is typically where most breaches start.
- Senior Management: These are a small set of employees in your organization, but since they have access to more confidential information they are a target for hackers.
- IT Employees: This is a small set of employees (larger in IT centric organizations, like financial service) but these employees have access to all your IT infrastructure, applications and servers -- thus are the prime target for hackers.
- Customers: These are a large number, but they typically have access to a small set of applications or maybe just your website
- Partners: These can be large, but like customers they typically have access to a small set too.
From this set above, the most risk is the IT Employees. We call them privileged IT users, since they have access to your servers in the datacenter or in the cloud on which your applications and databases run on. Stealing their accounts is what the hackers are after, because typically once this account’s credentials are obtained, they are wide open with full access to run any command. If you have ever wondered how millions of accounts are stolen, it’s typically a hack that used a compromised privileged user account. So, your priority is to solve this problem.
So your resolution is simple: Ask your CISO some questions.
- What is being done to secure the IT Privileged User access?
- What is being done to limit their access and entitlements?
- Who has access to the Root account on Linux servers? And, is there anything to restrict their access?
If your organization does not have a strategy to implement privileged identity management (PIM), ask “why?” This should be top of mind for all organizations.
So these are my three security resolutions for 2017. Think Differently, act now and make 2017 the year of 2FA and find out what your company is doing about privileged IT users.
Happy New Year!
Learn more about which security resolutions you should keep in 2017 with our webinar,"Cyber Security CEO’s Predictions and Resolutions for 2017."