One of the first studies I worked on at CompTIA was our 9th Annual Information Security Trends report. That study was released in February 2012, which seems like ages ago. So many things have changed over the years, but even back then there were some evergreen trends. At the time, 71% of companies said that cybersecurity would be a high priority for the coming year, placing it at the top of the tech priority list. Human error was cited as the root cause for over half of all security incidents, highlighting the challenges involved with a tech-driven workforce. And 74% of companies said that both IT and business functions were collaborating to form new security policies, moving security from an isolated IT activity to a broader business concern.
That report also contained the seeds for the main theme of CompTIA’s security analysis over the past decade—modern security efforts include technology, process and education. This shift in the security approach matches the shift from tactical IT to strategic IT. As companies become more digital, technology spreads through the entire organization and cybersecurity becomes more complex. The three primary components of technology, process and education are only a starting point. Each of those areas has more detail underneath, and all the details are driving companies to form dedicated security teams or work with dedicated security partners.
Recently, a new framework has emerged that provides the proper context for modern security. A zero trust approach is exactly what it sounds like; instead of trusting any individual user or network activity simply because it originates from a known location, everything must be verified. This need for verification drives many different activities and ultimately is the final nail in the coffin of the old mindset around a secure perimeter. In CompTIA’s latest security study, only 22% of companies said they were currently following a zero trust approach, but that number is set to rise quickly in the coming years. Here are four key principles of a zero trust framework.
Risk Analysis
With a secure perimeter, there was little need for risk analysis. All corporate activity simply happened inside the firewall. Now, most activity is happening outside a space that a company controls, whether that is cloud infrastructure or mobile access. Instead of investing in a monolithic security structure, businesses have to secure components individually, and the costs of high security for every component can quickly become prohibitive. The solution is detailed risk analysis on every piece, deciding which are the most critical and therefore require the tightest security. This analysis can extend outside of IT components, exploring external relationships or day-to-day operations. Risk analysis is the starting point for setting a security strategy, but since it is such a drastic departure from the previous way of doing things, many companies may need help going through the steps of a methodology such as the one outlined by ISACA.
Data Protection
After risk analysis has been performed, the next step is to directly secure corporate data. While firewalls will stay in place as part of an on-prem security structure, they are not up to the task of protecting data in all the places it might travel. Data Loss Prevention (DLP) tools are the counterpart to a firewall. These tools are associated directly with datasets and watch for any suspicious behavior while the data is at rest, in motion and in use. While the data itself gets most of the focus, individual applications also need to be secured if they are migrating to the cloud. For companies who are building or customizing their own applications, following DevSecOps practices can ensure that security is baked into any development activity.
Identity Management
Just as the firewall alone isn’t good enough to protect all the data, it isn’t good enough to control user access either. There’s an extra wrinkle when it comes to users, though. With human error as such a big problem, you can’t even trust the people you might let into a secure area. Identity Access Management (IAM) software can provide the oversight and control needed to fine-tune user activity across an entire multi-cloud environment. Of course, technology can’t catch every possible slip-up. The goal of security awareness training is to move beyond a simple check mark showing that employees have been informed, eventually building best practices for everyone using technology in their job (which is practically everyone these days).
Ongoing Monitoring
With a robust strategy in place, companies can’t rest on their laurels. The old measure of success for cybersecurity might have been whether or not a breach had occurred, but in today’s environment you have to assume that bad things are happening constantly. A new part of a defensive strategy is performing network analysis to look for anomalous behavior, and there are also new offensive strategies to test for vulnerabilities. Pulling all this information together can be a chore. Security Information and Event Management (SIEM) tools can provide a dashboard for security activity, and AI algorithms are also being used to help sift through complexity to find suspicious activity.
The zero trust framework is becoming more formalized, with organizations such as NIST describing detailed methodologies. Whether or not a specific methodology is followed, a zero trust mindset can help shape the decisions needed to secure today’s digital operations. The new way of thinking may feel dramatic, and businesses will be pursuing more blends of internal and external resources to cover all their bases. We’ve come a long way in cybersecurity since 2012, but we’ve still got a long way to go.
Download State of Cybersecurity 2020
Learn more about how companies are approaching cybersecurity in CompTIA's latest research report, State of Cybersecurity 2020. Read the report now.