The fact is that the perimeter is harder to define and harder to defend. Continuing to spend the bulk of our security dollars on perimeter defense strategies is money wasted. We need to find and deploy technologies that make it cheaper to defend networks while at the same time making it riskier and more expensive to attack them. I don't see a silver bullet solution on the horizon, so for me, the only reasonable approach is to shift security spending from the perimeter to inside the network. Preventing an adversary from getting inside is still important, but we must harden the interior by making it more difficult for an adversary to see or move inside our networks.
What about the user experience? Does security need to be at odds with how people do their jobs?
FBI agents manage a lot of risk. One risk we all know best is the risk of a mistake made by an agent. We also always had the risk of an intentional bad act, the insider threat, a bad agent in our midst. To mitigate these risks, FBI culture evolved to continually ask if a new process or tool was "Agent Proof." This meant that no matter what, the system would detect or prevent a major incident before significant damage was done. This is really hard to do, and it often placed a tremendous burden on the agents in terms of the limited functionality of the IT tools we had, and a significant burden in complying with seemingly endless reporting required by the internal risk mitigation controls.
The FBI is not alone in its approach to mitigating the risks presented by its employees. All organizations are forced to balance the access their employees need to do their jobs with the security measures necessary to limit the damage they can do if they make a mistake. The most common security control to manage these risks is the principle of least privilege. This is a simple concept: each employee has access to only the resources they need. In practice, especially for network defenders, this principle is very hard to enforce. That's because networks are typically divided into logical segments. In most networks, a segment has more resources on it than an employee requires. As such, the employee can obtain network access to resources outside the scope of what they need. This is the main vulnerability exploited by sophisticated cyber criminals and nation-states.
To mitigate this threat, CISOs are deploying large teams and significant dollars to create finer segmentation with VLANs and firewall rule sets. As we move more resources to cloud environments, this challenge will only get worse. We need to dramatically simplify the user access problem. This requires a network to automatically adjust user access based on policy, to ensure users have immediate access to the resources they need - without requiring labor-intensive manual access configuration.
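The gap between segment-based access and least privilege described above can be measured. The following is an added illustration, not code from the interview or the FBI: it takes a constructed set of VLAN-style segments and per-user need-to-know lists (all names are invented) and reports, for each user, which resources a segment model exposes beyond what a per-resource policy model would grant.

```python
"""Added illustration: quantify over-granted access under segment-based
versus policy-based (least privilege) access models. Constructed data only."""

# Constructed sample environment: resources grouped into VLAN-style segments.
SEGMENTS = {
    "vlan10": {"hr-db", "payroll-app", "print-01"},
    "vlan20": {"git", "ci-runner", "artifact-store", "print-02"},
    "vlan30": {"siem", "edr-console"},
}

# Constructed sample: the resources each employee actually needs for their job.
NEEDS = {
    "alice": {"hr-db"},
    "bob": {"git", "ci-runner"},
    "carol": {"siem", "git"},
}


def segment_grant(needs, segments):
    """Segment model: needing anything on a segment reaches the whole segment."""
    reach = set()
    for resources in segments.values():
        if needs & resources:
            reach |= resources
    return reach


def policy_grant(needs):
    """Policy model: access is granted per resource, exactly the need-to-know set."""
    return set(needs)


def excess_access(needs_by_user, segments):
    """Map each user to the resources reachable but not required, per model."""
    report = {}
    for user, needs in needs_by_user.items():
        report[user] = {
            "segment": segment_grant(needs, segments) - needs,
            "policy": policy_grant(needs) - needs,
        }
    return report


def exposure_score(report, model):
    """Total number of over-granted user/resource pairs for one model."""
    return sum(len(entry[model]) for entry in report.values())


if __name__ == "__main__":
    rep = excess_access(NEEDS, SEGMENTS)
    for user, entry in rep.items():
        print(user, "segment excess:", sorted(entry["segment"]))
    print("segment model exposure:", exposure_score(rep, "segment"))
    print("policy model exposure:", exposure_score(rep, "policy"))
```

The exposure score is the defender's blast-radius metric: every over-granted pair is a resource a compromised or mistaken account can see without needing it, which is exactly the lateral reach the interview says adversaries exploit.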