The Security Spending Paradox
A Zero Trust Security Model Allows Organizations to Align Their Security Investments With What Works Best
In a few weeks, security professionals from all around the world will descend on San Francisco for RSA Conference 2018 to discuss new approaches to information security and how to prevent being victimized by cyber-attacks. As always, the expo halls will be filled with the latest technologies, ranging from Artificial Intelligence, Container Security, Threat Intelligence, and Threat Hunting to Next-Gen Endpoint Security. But are these emerging technologies providing the effectiveness that is needed to defend against today’s dynamic cyber threats?
According to Gartner, worldwide security spending will reach $96 billion in 2018, up 8% from the 2017 spend of $89 billion. This statistic confirms that organization are incorporating emerging technologies in their existing security stack to minimize their cyber risk exposure. Meanwhile we’re experiencing a continuous increase in security incidents. Are these security investments paying dividends?
The security spending paradox is reflected in several recent research studies. For example, a Dow Jones Customer Intelligence study finds that 62 percent of CEOs believe malware is the biggest threat to their organization. In another report, the 2018 Scalar Security Study, respondents rate Network Security (61%) or Traditional Endpoint Protection (49%) of higher (perceived) effectiveness than identity assurance and access controls (18%). Similar results were published by 451 Research in the 2018 Thales Data Threat Report, where network security (83%) and endpoint security (70%) scored highest in perceived effectiveness. These incongruent findings illustrate a lack of consensus in the industry on which attack vectors pose the biggest risk to organizations and the “identity crisis” in security.
Many organizations don’t realize the impact that identity and access management has when it comes to minimizing the risk of suffering a data breach. A post-mortem analysis of the top data breaches in 2017, reveals that compromised identity was the primary vector in these cyber-attacks. As a matter of fact, a whopping 81% of hacking-related breaches leverage either stolen, default, or weak passwords.
In this context, organizations need to recognize that perimeter-based security, which focuses on securing endpoints and networks, provides no protection against identity and credential-based threats. Until we start implementing identity-centric security measures, account compromise attacks will continue to provide a perfect camouflage for data breaches.
Still not convinced? Let’s look at some of the vulnerabilities that could be avoided by implementing identity-centric security measures:
● Insecure and publicly kept passwords;
● Using the same password across different applications and resources;
● One shared password for an entire group (e.g., admins), saved in a central location;
● Reliance on passwords rather than multiple factors (e.g., one-time password tokens, soft tokens, biometrics); and
● Over privileged user accounts being exploited.
Instead of following the traditional approach of “trust, but verify”, organizations should shift instead to a Zero Trust Security model, which assumes that users inside a network are no more trustworthy than those outside the network. The four main pillars of the Zero Trust Security model are:
● Verify the User: Evaluate the security posture of a user based on location, device, and behavior to determine that users are who they say they are. Take the appropriate actions (i.e., multi-factor authentication) to assure user authenticity.
● Verify their Device: Whether it’s a corporate owned, BYOD, or public desktop, laptop, or mobile device, enforce access policies based on the device identity and security posture. Only allow access to the organization’s resources from trusted endpoints.
● Limit Access and Privilege: If the user and device are verified, a least privilege, role-based access model is enforced at the resource, limiting access to what each user requires for their job, while granting just-in-time access to specific applications and infrastructure for a limited timeframe.
● Learn and Adapt: Information is constantly being generated from various sources (from the user, their devices, and all activities related to them). Leverage machine learning to set contextual access policies, as well as adjust and adapt policies automatically.
The Zero Trust Security model offers a very pragmatic blueprint for implementing identity and access management-based strategies to secure applications, devices, data, and infrastructure – both on-premise and in the cloud. Since Zero Trust is not an all-or-nothing approach, it can be implemented in different phases, over time. Using this model, organizations can finally align their security investments with what works best for protecting their business against data breaches.
Torsten George is strategic advisory board member at vulnerability risk management software vendor, NopSec. Torsten has more than 20 years of global information security experience. He is a frequent speaker on cyber security and risk management strategies worldwide and regularly provides commentary and byline articles for media outlets, covering topics such as data breaches, incident response best practices, and cyber security strategies. Torsten has held executive level positions with RiskSense, RiskVision (formerly Agiliance), ActivIdentity (acquired by HID® Global, an ASSA ABLOY™ Group brand), Digital Link, and Everdream Corporation (acquired by Dell). He holds a Doctorate in Economics and a Diplom-Kaufmann degree.