Cyber security is, without doubt, the biggest elephant in the IT room. Like the blind men and the elephant parable, security isn’t easy to define and it is seldom possible to claim anything is completely secure. Over the past decade, security has probably been the single biggest inhibitor to the emerging digital transformation.
There are simply too many publicized examples of serious breaches, including loss of data (e.g., identities), loss of control and direct financial cost (such as from ransomware). The Dyn DDoS attack in October 2016 and the recent Yahoo disclosures show that, even in 2016, the security problem has not been adequately solved. It is especially bad when it takes several years to detect the intrusion!
The next big security challenge will be the Internet of Things. The estimate of 50 billion connected “things” by 2020 makes assuring high security into a “never ending story.” Many of these IoT things will be associated with safety-critical systems. It’s hard even to imagine someone hacking your watch and listening via its microphone, but the idea is not that far-fetched.
There is increasing demand for security and privacy to be more than an after-thought. The idea of privacy and security by design was first introduced by Ann Cavoukian and has been taken up around the world. A 1997 book by Don Tapscott and Ann Cavoukian called “Who Knows?” also talked about privacy in a networked world.
Robust security should be a characteristic of any well-designed IT component, network, system and ecosystem. However, purely protective measures will not be sufficient as long as intruders remain both innovative and motivated. No one can predict all possible future threats, especially when the systems are cloud-based, the apps are dynamically composable and most functions are virtualized and/or containerized.
Developers need to integrate security into their software at all levels – infrastructure, platform and applications – and should include standard interfaces to allow security services to be integrated across multiple clouds, networks, data centres and providers.
Basic security requirements include:
- Know the enemy – Collect and filter IT industry information by sharing intruder data and hopefully benefitting from the trials and tribulations of other companies;
- Know yourself (i.e., your own environment) – Keep track of what you have by doing a far better job of asset management than ever before, including both physical and virtual assets, software components, system configurations and change history;
- Stay aware of your world – Watch over your IT environment, including remote cloud services; monitor each application or service to establish a baseline history, to detect unusual activities (much like a bank checks for unusual payment card use) and to detect unauthorized changes;
- Plan for incident responses – Things will happen despite the best defenses, so act quickly and decisively when necessary to minimize loss or damage, and work as quickly as possible when global events increase local risks; and
- Avoid “not invented here” concerns – Take advantage of shared services using an “as a service” strategy to avoid the tendency to “re-create the wheel” for security systems.
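The "know yourself" and "stay aware of your world" items above describe two concrete mechanisms: an inventory of configurations with change history, and a baseline of normal activity against which unusual events and unauthorized changes can be detected. The following is an added example, not code from the original post or from any vendor named here. The log lines, service names, user names, file paths and configuration contents are all constructed for the demonstration, and the detection rules are deliberately simple assumptions (unseen user, unseen source, first failure, changed or unapproved configuration file) rather than a recommended production ruleset.

```python
"""Baseline-and-detect monitoring over constructed log lines and config files.

Added example: illustrates learning a baseline from history, flagging events
that deviate from it, and detecting unauthorized configuration changes by
comparing content hashes against an approved inventory. All data is constructed.
"""
from collections import Counter, defaultdict
import hashlib

# Constructed "history" log lines in the form: service user source outcome
BASELINE_LOG = [
    "payments alice 10.0.0.5 ok",
    "payments alice 10.0.0.5 ok",
    "payments bob 10.0.0.7 ok",
    "payments bob 10.0.0.7 ok",
    "payments alice 10.0.0.5 ok",
    "reports carol 10.0.1.9 ok",
    "reports carol 10.0.1.9 ok",
    "reports carol 10.0.1.9 fail",
]

# Constructed "live" log lines to be checked against the learned baseline.
LIVE_LOG = [
    "payments alice 10.0.0.5 ok",       # matches history: no finding
    "payments bob 203.0.113.44 ok",     # known user, never seen from this source
    "payments alice 10.0.0.5 fail",     # payments never failed in the baseline
    "reports mallory 10.0.1.9 ok",      # user never seen on this service
]


def parse(line):
    """Split one constructed log line into its four fields."""
    service, user, source, outcome = line.split()
    return {"service": service, "user": user, "source": source, "outcome": outcome}


def build_baseline(lines):
    """Learn, per service, the (user, source) pairs and outcomes seen in history."""
    seen = defaultdict(set)           # service -> {(user, source), ...}
    outcomes = defaultdict(Counter)   # service -> Counter of outcomes
    for rec in map(parse, lines):
        seen[rec["service"]].add((rec["user"], rec["source"]))
        outcomes[rec["service"]][rec["outcome"]] += 1
    return {"seen": seen, "outcomes": outcomes}


def detect_unusual(baseline, lines):
    """Return (line, reason) pairs for live events that deviate from the baseline."""
    findings = []
    for line in lines:
        rec = parse(line)
        svc = rec["service"]
        known_users = {user for user, _ in baseline["seen"][svc]}
        if rec["user"] not in known_users:
            findings.append((line, "user never seen on this service"))
        elif (rec["user"], rec["source"]) not in baseline["seen"][svc]:
            findings.append((line, "known user from an unseen source"))
        elif rec["outcome"] == "fail" and baseline["outcomes"][svc]["fail"] == 0:
            findings.append((line, "first failure recorded for this service"))
    return findings


# Constructed configuration inventory (hypothetical paths): content as approved
# at baseline time versus content observed now. In practice both would be read
# from the systems being managed rather than embedded as literals.
APPROVED_CONFIGS = {
    "/etc/app/payments.conf": "listen=8443\ntls=required\n",
    "/etc/app/reports.conf": "listen=8080\n",
}
CURRENT_CONFIGS = {
    "/etc/app/payments.conf": "listen=8443\ntls=optional\n",  # setting weakened
    "/etc/app/reports.conf": "listen=8080\n",                 # unchanged
    "/etc/app/debug.conf": "verbose=true\n",                  # not in inventory
}


def fingerprint(configs):
    """Map each path to the SHA-256 of its content so comparison ignores size."""
    return {path: hashlib.sha256(text.encode()).hexdigest() for path, text in configs.items()}


def detect_changes(approved, current):
    """Compare current fingerprints with the approved inventory."""
    before, after = fingerprint(approved), fingerprint(current)
    return {
        "changed": sorted(p for p in before if p in after and before[p] != after[p]),
        "added": sorted(p for p in after if p not in before),
        "removed": sorted(p for p in before if p not in after),
    }


if __name__ == "__main__":
    for line, reason in detect_unusual(build_baseline(BASELINE_LOG), LIVE_LOG):
        print(f"UNUSUAL: {line!r}: {reason}")
    for kind, paths in detect_changes(APPROVED_CONFIGS, CURRENT_CONFIGS).items():
        for path in paths:
            print(f"CONFIG {kind.upper()}: {path}")
```

Run as written, the script reports three unusual events and one changed plus one unapproved configuration file. The two halves are kept separate on purpose: activity baselining learns from history and will tolerate whatever history contains, whereas the configuration check compares against an explicitly approved inventory, which is what turns "a file changed" into "an unauthorized change".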
Since these security requirements are closely aligned with IT governance and overall systems management, they should share the underpinning services and support systems, even if third-party providers are involved.
The three basic approaches to security are:
- Reactive only – wait for a problem to occur (which is usually a given) and then work hard to quickly neutralize the problem and restore normal operations;
- Proactive only – build generic “walls” to harden systems against known threats (at least those known at design time); and
- Combined proactive and reactive – take advantage of all security life cycle processes from a priori protection to intelligent monitoring to post-incident “big data” analyses.
Three options exist for organizations to implement security services, regardless of the approach chosen:
Option 1 – Do-it-yourself: Many organizations have their own security centre of excellence that is responsible for advocating security. Some also have separate groups for privacy oversight. These groups often have trouble obtaining adequate funding and must also compete for expert resources.
Option 2 – Fully outsourced: Another possibility is to outsource most or all security functions to a third party, although accountability must remain with the company. This option can be valuable if a trusted partnership can be established. It is also useful if substantially all assets are cloud-based.
Option 3 – Security-as-a-Service: A SaaS-based approach can be the best approach when selective outsourcing is preferred or when in-house resources are not available. The SaaS approach also minimizes capital costs, encourages state-of-the-art processes and encourages a joint effort that can be better aligned with hybrid cloud environments.
I recently wrote a whitepaper on cyber security as a service, which is available from Stratejm Inc. Stratejm provides a range of security support services that would fit into Option 3 above.
This is what I’ve been doing; your comments would be welcomed!