“We have met the enemy and he is us.” – Pogo
By Tim Boivin
The sentiment of Pogo the possum in Walt Kelly’s famous comic strip, although originally published in support of Earth Day, is apropos to cleaning up today’s approach to IT security. The idea of relying on usernames and passwords to enable secure access to the network may have been convenient in days long gone by, when users had to be physically inside your building, on devices you owned.
But in today’s modern hybrid enterprise, where users access multiple applications – both local and cloud – from anywhere in the world through multiple devices, credentials alone just don’t make the grade anymore. Simply put, we’ve become our own worst enemy.
The security infrastructure of most organizations today is set up with what they mistakenly believe is a hard perimeter on the outside and soft, mushy protection on the inside. You hear this approach championed even by experts who should know better, when they say that since bad actors are bound to get into your infrastructure, you should just focus on mitigating the damage they can do once inside. Those experts, many of whom focus mostly on privileged access management (PAM), are solving only part of the problem. The challenge with PAM is that once attackers get inside the organization, they can quickly and surreptitiously move laterally across a hybrid network to gain access to all your resources – local and cloud – without you realizing it.
Organizations have fought the good battle over the past three or four decades. The result is a mind-boggling array of security solutions to plug the holes that have emerged across today’s hybrid attack surface. According to Cisco, 70% of companies have six or more security solutions. But more isn’t necessarily better. Most of those solutions have their own attack vectors, which create their own unique problems. Twenty-eight percent of organizations with 1 to 5 security vendors report having to manage public scrutiny after a breach. That figure rose sharply – to 80% – for organizations using more than 50 security vendors.
Also, industry surveys consistently indicate that more than 90% of organizations now use cloud applications. On the surface, the cloud promises to lower IT costs, but moving to the cloud also creates more opportunities for hackers to try to gain access to your resources. Breaches that happen because of poor security for cloud applications can add significant costs that may offset any savings you were hoping to realize by moving to the cloud, and can put you at even more risk.

So why are we our own worst enemy? As the modern hybrid enterprise evolved, we created several ways for users to get access to the information they need to do their jobs – VPNs, RDP, MDM, web-based applications, SharePoint, among others. When we did that, we had to open more ports to allow access in a variety of different situations. That means more attack vectors for hackers to exploit. With the rise of bots that constantly scan for these open ports, we’ve created the perfect attack vector for hackers. Hackers breach the holes in the firewalls with password crackers, brute-force attacks, or even real credentials bought on the Dark Web or compromised through phishing attacks.
Once inside, hackers can catalog all your applications and resources and wreak havoc however and wherever they want – ransomware attacks, exfiltrating data, or the compromise of corporate secrets such as market strategies, proprietary designs, and other intellectual property. With so many different applications exposed today on so many different fronts, it’s impossible to keep up. You have to be an expert on every IT security solution, stay current on the latest attacks, and generate updates and patches in a very timely manner for every possible vulnerability. And you have to stay on top of all this every day, all day.
That’s tough for even the best-staffed and best-funded IT security team to accomplish. It’s practically impossible for most organizations, which are understaffed. Worldwide today there are more than 3 million cybersecurity positions currently vacant. There aren’t enough skilled people, and there is not enough time or budget in most organizations to be able to focus on all the different attack vectors you need to protect across your infrastructure.
Your organization is also significantly increasing the chances that it could face steep fines, irreparable damage to its reputation, and even go out of business. Look at the American Medical Collection Agency, which had to file for bankruptcy after 20 million records were breached. Equifax became the first firm to see its credit rating downgraded due to a cyberattack. CNBC even reported that Moody’s is working the risk of a business-ending hack into its credit ratings.
The pain doesn’t stop there. These financial penalties are going to get much more severe as governments continue to adopt regulations such as the General Data Protection Regulation (GDPR) in Europe, Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), and the California Consumer Privacy Act (CCPA).
It doesn’t take the wisdom of a possum in a comic strip to know that this needs to change. We must come up with a different way of doing security than we’ve relied upon for the last three or four decades. The old days are gone. If you’re not staying on top of the changes you need to protect your infrastructure, you’re significantly increasing the chances of getting hacked.
That’s why Zero Trust’s philosophy of “never trust, always verify” is getting so much buzz. Organizations realize that the aging, complex maze of security solutions they have in place today to protect their infrastructure isn’t getting the job done. Ninety-five percent of companies today either have a Zero Trust solution in place, are researching or piloting a Zero Trust model, or have identified Zero Trust as a potential new investment.
Check in for our next blog post on how to implement a Zero Trust Access strategy that can solve IT Security’s Pogo Paradox for your organization.