CISOs regularly complain they don’t have enough money to do everything they want to secure the enterprise. But is more money the only answer?
No, argues Todd Bell, VP of enterprise architecture and security for Intersec Worldwide, a California based security consulting firm, and CISO for Forticode Ltd in Australia. You can go a long way to reduce risk by having a crafty IT architecture.
He’s not arguing that improved security won’t cost money: In fact, some of his recommendations, such as implementing a zero-trust model of security may be expensive depending on your current architecture. But his point remains: Buying the latest technology may not bring the result you need. “More tools are not stopping security breaches,” he argues, “they only slow them down.
His first point is to stop assuming the internal network is safe after all the firewalls and endpoint protection you’ve erected. That’s the hallmark of a zero-trust network — don’t trust where the data is going internally. And, as an industry analyst told me, a zero trust network is designed to work with off the shelf technology, Kindervag said. Because its data-centric the network doesn’t have to be ripped apart.
Bell’s other steps include
–Focusing on the critical systems (those with personal, credit card and intellectual property) that matter for data protection “Do your best with the rest of the company environment,” he says, “but don’t put your career on the line with battles that don’t matter.”
–Using the concept of virtualization to overlay the desired security architecture into the existing architecture — no need to move any systems. Create a “security zone” around every server with sensitive data that becomes isolated from the rest of the internal network.
–The security zone is a low-cost firewall in front of the server with very few rules or ACLs. The security zones communicate with each other through point-to-point encryption. Other connections for monitoring server health/status go through non-encrypted communications through the security zone firewall.
–Creating a virtual “network overlay” using the security zones to compartmentalize sensitive data for existing systems instead of migrating them into a traditional security enclave/VLAN and to avoid disrupting the business. Security zones will communicate via VPN or TLS between each other through a protected encrypted tunnel.
–Utilizing a “jump-box” in front of each sensitive data server to track all access. Add two-factor authentication for critical servers for each security zone. The jump box will log and control all access to each security zone.
Other parts of the strategy include application level encryption, not database encryption, so a database administrator can’t look at sensitive data; use the slit-key method of storing encryption keys on different servers with file directory permissions; consider splitting data for improved security; and use asymmetrical network routing to the Internet by splitting network traffic to reduce the threat of malware packet sniffing.
The bottom line is there are many strategies a CISO can take to reduce a risk profile and still stay within an existing budget. See if this approach meets your needs.