Today, more than ever before, businesses are aware that criminals, governments, armies and competitors are after their data and corporate survival is at stake.
Just this week, eBay has confirmed that a database containing users’ passwords was compromised back in late February and early March, and the company is telling all users to change their passwords. It has traced the attack to a small number of employee login credentials stolen by the attackers.
There’s no point in over-investing in state-of-the-art perimeter defences if a company cannot mitigate the risk of its own employees being fooled into leaving the door wide open for cyber criminals. Collective mistrust is no longer a sign of paranoia; it has become a guiding principle of IT.
IT security no longer needs to decide where to draw the line between trust and mistrust. It has to mistrust everything and everyone. Every application and every piece of hardware can now be hacked, leaving us with the stark reality that organisations need to build zero trust environments to survive.
In order for an organisation to survive in a zero trust environment, it is imperative that change is instigated at board level. Change must be reflected in behaviour and policies to ensure that sensitive data is protected and companies stay in business with their reputation intact.
There are four guiding principles that a CIO can follow to ensure that they are heading down the right route.
1. Trust no-one. Not the fridge, not employees
Historically, IT security has been a bit like a tortoise. An impenetrable shell provides protection against attacks, and the vital openings to the outside world are small enough to be protected.
However, over the last decade, our reptile-like security began to face new problems. The frequency of attacks grew exponentially and attacks became more targeted. The number of components in use grew until it became hard to keep track of them, and ultimately, with the invention of the iPhone, users began actively drilling holes in the shell from the inside.
If a firewall or an internal guideline got in the way, employees found creative ways of circumventing it, for instance by using unvetted cloud storage such as Dropbox or Google Docs. No IT manager can keep this in check.
This problem extends to hardware too, more so than ever with the growing trend towards an Internet of Things. When everything is networked, every single device becomes a channel that attackers can penetrate, steal from or corrupt.
As such, the basic framework of the zero trust environment is clear: critical infrastructure must be protected against other IT components and users by additional, intelligent security gates. Each request must be checked, and each suspicious act prevented and investigated, regardless of whether it originates inside or outside the network.
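The following is an added example (not from the original article or from Barracuda Networks) of what such a security gate looks like in code: a default-deny check, run on every request to a critical service, that verifies the caller's identity token, the posture of the device the request comes from, and whether the caller's role is permitted on the requested resource. Denials are recorded for investigation. The token format, signing key, device inventory and policy table are all assumptions made for illustration.

```python
"""Added example: a default-deny 'security gate' in front of a critical service.

Every request is checked on three axes before it reaches the service:
identity (a signed token), device (posture from a managed inventory) and
policy (is this role allowed to touch this resource). Anything that fails
a check is denied and recorded for investigation. Names, the token format
and the sample inventory and policy are assumptions for illustration only.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, List, Optional, Tuple

# Assumed: the gate shares this key with the identity provider that mints tokens.
TOKEN_KEY = b"example-gate-signing-key"

# Assumed managed-device inventory (constructed sample): device id -> posture facts.
DEVICE_INVENTORY = {
    "laptop-0042": {"managed": True, "disk_encrypted": True, "patch_age_days": 3},
    "laptop-0099": {"managed": True, "disk_encrypted": False, "patch_age_days": 40},
}

# Assumed policy: role -> resources it may reach. Anything not listed is denied.
POLICY = {
    "finance": {"/ledger", "/payroll"},
    "support": {"/tickets"},
}

MAX_PATCH_AGE_DAYS = 14
AUDIT_LOG: List[Dict] = []


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(subject: str, role: str, ttl_seconds: int = 300, key: bytes = TOKEN_KEY) -> str:
    """Identity-provider side: an HMAC-SHA256 signed claim set (example format)."""
    claims = {"sub": subject, "role": role, "exp": int(time.time()) + ttl_seconds}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_token(token: str, key: bytes = TOKEN_KEY) -> Optional[dict]:
    """Return the claims if signature and expiry check out, else None."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_unb64(sig), expected):
        return None
    claims = json.loads(_unb64(body))
    if claims.get("exp", 0) <= time.time():
        return None
    return claims


def check_device(device_id: str) -> Optional[str]:
    """Return None if the device posture is acceptable, else a reason for denial."""
    posture = DEVICE_INVENTORY.get(device_id)
    if posture is None or not posture["managed"]:
        return "unmanaged device"
    if not posture["disk_encrypted"]:
        return "disk not encrypted"
    if posture["patch_age_days"] > MAX_PATCH_AGE_DAYS:
        return "patches out of date"
    return None


def gate(token: str, device_id: str, resource: str) -> Tuple[bool, str]:
    """Default-deny check run on every request; every denial goes to AUDIT_LOG."""
    claims = verify_token(token)
    if claims is None:
        reason = "invalid or expired token"
    elif (device_reason := check_device(device_id)) is not None:
        reason = device_reason
    elif resource not in POLICY.get(claims["role"], set()):
        reason = f"role {claims['role']} not permitted on {resource}"
    else:
        return True, "allowed"
    AUDIT_LOG.append({"ts": int(time.time()), "device": device_id,
                      "sub": claims["sub"] if claims else None,
                      "resource": resource, "reason": reason})
    return False, reason


if __name__ == "__main__":
    tok = mint_token("alice", "finance")
    print(gate(tok, "laptop-0042", "/ledger"))      # allowed
    print(gate(tok, "laptop-0099", "/ledger"))      # denied: disk not encrypted
    print(gate(tok, "laptop-0042", "/tickets"))     # denied: role not permitted
    print(gate(mint_token("mallory", "finance", key=b"other"), "laptop-0042", "/ledger"))
    print(AUDIT_LOG)
```

The point of the structure is that the gate never consults where the request came from on the network: a valid token on an unpatched laptop, or a valid token used for a resource outside the role's policy, is denied just as a forged token is, and each denial leaves an audit record that can be investigated.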
2. There are off-the-shelf products, but not architectures
Setting out the architecture logically is still very simple. Implementing it physically is anything but straightforward. Every location and every external user, whether in a home office or on the road, needs their own security structure. As a central element of almost every IT infrastructure, the cloud is an additional factor that complicates the situation further.
The tools used to manage a secure environment, such as firewalls, web application firewalls (WAFs) and application delivery controllers (ADCs), are given completely new tasks. They not only ensure security as a border guard does, but also direct and optimise the data flows like a traffic policeman.
However, the physical implementation of the simple zero trust logic is also fundamentally different in each case, because each company is unique too. To put it briefly: there is no off-the-shelf infrastructure anymore.
3. A fixed IT budget item for drinks
Politicians in Europe are recommending that 10% of an IT budget should be invested in security. Really? Is it truly necessary for politicians to dictate a recommended spend without any idea of the type of business and the risk it is exposed to? To me it suggests an insular approach born out of an outdated view of IT.
Technology has moved on in a big way over the last decade. IDC summarises this seismic shift by describing a new platform for IT: the third platform. The basic principle is that architectures are no longer dominated by mainframes (first platform), nor by client-server concepts (second platform). Today, modern architecture has moved on to be built on mobile devices, cloud services, social technologies and big data. These technology developments combined encompass the third platform for IT infrastructure.
For businesses, the ‘third platform’ means that the integration of IT with other business areas is more important than ever before. Sector and company-specific approaches must be guided completely by the business requirements. This signifies the end of the IT department as a team of isolated experts and, as such, the end of the CIO as we know the function. The CIO is dead. Long live the CIO.
The CIO of tomorrow and their team will need to spend time with specialist departments within an organisation, such as HR, quality control, purchasing, sales, customer service and marketing. The CIO will be involved in planning from the outset and be responsible for ensuring that IT enables and delivers the performance that the business needs.
Communication will be paramount here, a skill the IT department hasn’t won awards for in the past – hence, the recommendation for a fixed-line item in the IT budget for buying beers.
4. Tighten the reins
Zero trust environments built on the third platform demand a more autonomous management style from the CIO.
On the one hand, the CIO must keep a tight hold of the reins to maintain control of their IT kingdom. They need to guard against and stop IT sprawl and the everyday sabotage of security by employees. On the other hand, if they strictly forbid department-run IT, then employees will simply find other ways.
The CIO must understand the departments’ requirements, have the courage to reject extravagant demands, and find creative compromises.
In summary, whilst we live in an age where nations ‘charge’ other nations with corporate espionage offences, today more than ever data and corporate survival are at stake.
Collective mistrust needs to be a default setting for a CIO. Communication, diplomacy and negotiation have become the core skills needed to maintain control within a zero trust environment.
Sourced from Dr. Wieland Alge, VP and GM, EMEA, Barracuda Networks