Thales Blog

Business Transformation – Compliance And Security Must Be Addressed Up Front For The 20 Year Tsunami

October 21, 2014

Andy Kicklighter | Director of Product Marketing

I was listening in on a recent Gartner webinar (the IT Spending Forecast for 2013) when the answer to a question posed to Analyst Bianca Granetto caught my ear. The question was around how to solve security problems given the recent spate of data breaches (I especially like this visual interpretation of data breaches over the last 10 years from Information is Beautiful). Her answer was, in essence, that compliance, regulatory requirements and security must be addressed up front, or they will inhibit business transformation.

I think this is especially telling today, as we’ve reached the stage in cloud deployments, big data usage and in using IT to grow business and services where we are shifting away from just “moving existing applications to new platforms to save money” (typified by the “server consolidation” and “virtualization” waves of the last 10-15 years) to “hunt bigger game”. We are now building applications that create strategic value for the organization – that result in more efficient business processes and better services to our customers (whether those are commercial customers or “citizens”). This is a wave that isn’t anywhere near the peak (it’s more like a 20 year tsunami) – there will be many years of innovation coming as connectivity, connected-ness, process automation and new ideas all take hold and accelerate.

But in order to make this continuing vision real, we have to address the IT security issues that are dragging down retailer after retailer, government and healthcare organizations, and anyone else with a site on the internet and lots of users: breaches of data that result in a lack of trust and in on-going penalties and problems. Are there solutions for your existing applications and infrastructure? Yes … but these applications were mostly built in the era when you assumed that your firewalls worked, that your end points were safe with AV, and that network segmentation and IDS/IPS would catch anyone who managed to get past the defenses. That’s no longer the case today.

It’s no longer a matter of whether you will get breached, but when, and what can you do to minimize the damage before it compromises core assets and huge numbers of records.

But building the new applications that power your organization can be done in a way that promotes security from the start, and that lessens the attack surface available to the people who most want to steal information. It isn’t rocket science, just proper use of existing technology components, and once it is set as a standard operating mode for your development, it shouldn’t break the bank either.

Start with the assumption that the environment your application will operate within is compromised: that the servers your applications will run on have malware installed, that the network is being ‘sniffed’, and that your operator and user end points are compromised. Use this as a basic design premise, and then build accordingly.

What will that mean? There are five focuses we need to build in as a native part of our applications from here forward: data protection, secure communications, enhanced authentication, web reputation and intelligent security analysis.

Data protection – That’s a basic here at Vormetric. Lock down your data-at-rest with encryption, tokenization or data masking technologies, control access at both the system and application levels, and then collect the information about permitted access to feed into a system for intelligent security analysis and correlation.

Communications – Secure every communication: inter-process, inter-server, client to server, server to client, web applications, you name it - using secure off-the-shelf encryption modules.

Authentication – Always authenticate beyond the password and login. Even simple first steps will help right now, such as you see with Gmail – turn on the verification requirement, and every time a new device tries to connect with your credentials, it has to be authorized by you with an authentication code. The military goes way past this with the requirement for an encrypted ID card for connection – but commercial organizations don’t need this level for now. Build something in as a starting point, make it an easily replaceable module in your architecture, and enhance as required.
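As an added illustration of the "new device must be authorized with a code" pattern just described (this is example code written for this post, not Vormetric's or Gmail's implementation), the small module below keeps a per-user set of known devices, issues a short-lived one-time code when a credential is used from a device it has not seen, and only admits the device after the code is verified. The HMAC key, the five-minute lifetime, the attempt limit and the `deliver` callback are assumptions chosen for the example; in production the callback would hand the code to an SMS, e-mail or push channel.

```python
import hmac
import hashlib
import secrets
import time

CODE_TTL_SECONDS = 300   # assumption: a code is only good for five minutes
MAX_ATTEMPTS = 5         # assumption: then the pending code is discarded and login restarts


class DeviceVerifier:
    """Step-up check for credentials used from a device the service has not seen.

    Known (user, device) pairs log in with 'ok'. An unknown device gets 'verify'
    and a one-time code is handed to `deliver` (SMS/e-mail/app push in practice;
    here a plain callback so the flow can be exercised offline).
    """

    def __init__(self, server_key: bytes, deliver, clock=time.time):
        self._key = server_key      # hypothetical per-service key for hashing codes
        self._deliver = deliver     # callback(user, code) that sends the code out of band
        self._clock = clock         # injectable so expiry can be tested deterministically
        self._known = {}            # user -> set of authorised device ids
        self._pending = {}          # (user, device) -> [code_hmac, expires_at, attempts_left]

    def _hash(self, code: str) -> bytes:
        # Store only an HMAC of the code so a leaked pending table does not reveal codes
        return hmac.new(self._key, code.encode(), hashlib.sha256).digest()

    def login(self, user: str, device_id: str) -> str:
        """Returns 'ok' for a known device, or 'verify' after issuing a one-time code."""
        if device_id in self._known.get(user, set()):
            return "ok"
        code = f"{secrets.randbelow(10**6):06d}"   # six-digit code from the OS CSPRNG
        self._pending[(user, device_id)] = [
            self._hash(code), self._clock() + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        self._deliver(user, code)
        return "verify"

    def verify(self, user: str, device_id: str, code: str) -> bool:
        """Consume the pending code; on success the device becomes known for the user."""
        key = (user, device_id)
        entry = self._pending.get(key)
        if entry is None:
            return False                      # nothing pending (or code already used)
        code_hmac, expires_at, _ = entry
        if self._clock() > expires_at:
            del self._pending[key]            # expired codes are dropped, not retried
            return False
        if not hmac.compare_digest(code_hmac, self._hash(code)):
            entry[2] -= 1                     # constant-time compare; count the miss
            if entry[2] <= 0:
                del self._pending[key]        # too many misses: force a fresh login
            return False
        del self._pending[key]                # single use
        self._known.setdefault(user, set()).add(device_id)
        return True
```

The verifier is deliberately a self-contained class with a tiny interface (`login`, `verify`), which is what makes it the "easily replaceable module" the paragraph asks for: swapping the six-digit code for a hardware token or a push approval changes the class, not the callers.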

Web reputation – Look at where the access and transactions are coming from; if it doesn’t make sense, flag it for analysis.

Intelligent security analysis – Feed your system monitoring information, data access information, web reputation data, and anything and everything else relevant to security into a state-of-the-art SIEM or Big Data for Security implementation, and look for patterns in allowed application and user access.
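To make the last three points concrete, here is an added example (written for this post, not a Vormetric product or any particular SIEM) of the kind of correlation such an analysis tier runs over the access records the application emits. The constructed events below carry the fields the earlier paragraphs call for: who accessed data, from which device and source address, how many records, and whether the new-device step-up check passed. Three rules then flag a source outside the networks the business expects (web reputation), an unknown device that skipped step-up authentication, and a user whose cumulative reads exceed a baseline (a pattern in otherwise allowed access). The network ranges and the 1000-record threshold are assumptions for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample events, one per data access, as the application would log them
EVENTS = [
    {"ts": 1, "user": "alice", "device": "laptop-1", "src": "10.1.4.20",   "records": 12,  "step_up": False},
    {"ts": 2, "user": "alice", "device": "phone-9",  "src": "10.1.4.21",   "records": 3,   "step_up": True},
    {"ts": 3, "user": "bob",   "device": "desk-2",   "src": "203.0.113.7", "records": 40,  "step_up": False},
    {"ts": 4, "user": "bob",   "device": "desk-2",   "src": "10.2.0.5",    "records": 950, "step_up": False},
    {"ts": 5, "user": "bob",   "device": "desk-2",   "src": "10.2.0.5",    "records": 200, "step_up": False},
    {"ts": 6, "user": "carol", "device": "kiosk-77", "src": "10.3.0.9",    "records": 5,   "step_up": False},
]

# Constructed state the authentication module would maintain (see the Authentication point)
KNOWN_DEVICES = {"alice": {"laptop-1"}, "bob": {"desk-2"}, "carol": {"pc-4"}}

# Assumptions for the example: where legitimate access is expected to come from,
# and how many records one user normally reads before someone should look
EXPECTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
BULK_READ_THRESHOLD = 1000


def analyze(events, known_devices, expected_networks=EXPECTED_NETWORKS,
            bulk_threshold=BULK_READ_THRESHOLD):
    """Run the three correlation rules over an event stream and return alerts.

    Each alert names the event (by ts) and the user, with the list of reasons.
    The caller's known_devices mapping is copied, not mutated.
    """
    seen = {user: set(devs) for user, devs in known_devices.items()}
    totals = defaultdict(int)       # cumulative records read per user
    bulk_flagged = set()            # users already alerted for bulk reads
    alerts = []

    for e in events:
        reasons = []

        # Rule 1 (web reputation): does the source address make sense for this business?
        src = ipaddress.ip_address(e["src"])
        if not any(src in net for net in expected_networks):
            reasons.append("source outside expected networks")

        # Rule 2 (authentication): an unknown device is fine only if step-up auth passed,
        # in which case it becomes known for later events in the same stream
        user_devices = seen.setdefault(e["user"], set())
        if e["device"] not in user_devices:
            if e["step_up"]:
                user_devices.add(e["device"])
            else:
                reasons.append("unknown device without step-up authentication")

        # Rule 3 (access pattern): permitted reads that add up to more than the baseline
        totals[e["user"]] += e["records"]
        if totals[e["user"]] > bulk_threshold and e["user"] not in bulk_flagged:
            bulk_flagged.add(e["user"])
            reasons.append(
                f"cumulative records read {totals[e['user']]} exceed threshold {bulk_threshold}")

        if reasons:
            alerts.append({"ts": e["ts"], "user": e["user"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in analyze(EVENTS, KNOWN_DEVICES):
        print(f"ts={alert['ts']} user={alert['user']}: {'; '.join(alert['reasons'])}")
```

Run against the sample stream, the rules raise three alerts: bob's access from 203.0.113.7, bob's fifth event once his reads pass 1000 records, and carol's kiosk that never completed step-up. Alice's phone generates nothing because the step-up succeeded, which is the point of feeding the authentication result into the analysis rather than treating every new device as an incident.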

With this combination you prevent many of the attacks that result in the compromises we see today or minimize the losses by recognizing and shutting down attacks before huge amounts of data are lost, and (bonus) you’ll find it easy to meet nearly every compliance and regulatory mandate on the planet.