The strategy used to be all about building thick, tall walls and stocking the moat with alligators: the perimeter defense.
Nowadays, IT security staff are better off assuming that the bad guys (and the good guys — employees — sometimes doing bad or stupid things) have already breached the perimeter and are on the inside. Now what?
Article by Linda Tucci in IT Knowledge Exchange.
Emphasis in red added by me.
Brian Wood, VP Marketing
AT&T CSO: Your perimeter security architecture won’t hold — get thee to the cloud
Ed Amoroso, chief security officer at AT&T, knows how to work up a crowd. Speaking at the recent Landmark CIO Summit in New York, Amoroso told an audience packed with financial sector CIOs to run, not walk, to get their data to the cloud. “If you’re not doing it now, run back to your security team and ask, ‘What’re our plans to move to the cloud?’” This was not some sales pitch from a cloud vendor, Amoroso said, raising his voice in emphasis. “I am here as a CSO and that is what I am doing. I am rushing to move things out to a much better model and a much more flexible model — and one that users love.”
Many people would disagree, said security expert Samuel Visner, the panel’s moderator, referring to cloud security, not to the observation that users love cloud. Visner is the general manager of global cybersecurity at Computer Sciences Corp., the IT services (including cloud) provider.
Agree or not, Amoroso said, the status quo no longer holds. Think about it. “Every person in the room is associated with some organization that created security architecture in the mid-1990s — and hasn’t changed it since,” he said. Ignorance in the name of compliance is partly to blame.
“The only reason the perimeter defense is still there is that we have compliance requirements and we have regulators and auditors who are about 10 years behind everybody in understanding how bad the perimeter is at stopping attacks,” Amoroso said.
Best practices in cloud security?
Cybercriminals (and high school hackers) can learn the best practices published by the regulators as easily as enterprise security teams can, he pointed out. “We’re talking sophomore year, midterm exam question: ‘How do you break into such-and-such an organization?’”
The perimeter defense still favored by many companies not only doesn’t work, it invites cyber-attacks — from a class of criminal that is smart, vigilant and unnervingly patient. Modern-day adversaries have been known to set up camp in a company’s network for the long haul — months or more — and can end up knowing more about the enterprise architecture than IT folks do. They look for R&D and the labs where it takes place. They pay attention to acquisitions and study the acquired company’s network as another way in to steal valuable data.
So if the cloud is the answer to the modern-day cybercriminal, what then passes for best security practices in the cloud? Amoroso offered up a handful, from encrypting your data to using containers for mobile data to using run-time virtualization to duplicate in the cloud the data protections you have on premises.
“You’re way better off with these kinds of modern protections,” Amoroso argued, because they are not the kinds of things any kid in a sophomore computer class could easily untangle. We’ll dig into that.
Security as competitive advantage
By the way, Amoroso isn’t the only one arguing that the perimeter defense no longer holds. This week on SearchCIO, we have two pieces saying much the same thing. “Block the cyberhacks, play cyberoffense” by columnist Harvey Koeppel, former CIO at Citigroup’s Global Consumer Group, advises any CIO who still relies on a strong perimeter defense for protecting the enterprise to “awaken from your nap.”
Of course, the rub for CIOs and CSOs is how to drum up the money to pay for investing in new security architectures. One way might be to argue that security is actually a competitive differentiator. Our editorial director, Tina Torode, interviewed IT leaders who are trying to do just that. Read their tips here.