The need for a Security Transformation has been clear to our industry for quite some time. The struggle to protecting our content and transactions in today’s business environments has been the main focus as they are no longer in our Enterprise. The use of cloud services, mobile devices, personal devices, etc has created a significant challenge to each and every one of us. Without a real Security Transformation we’ll continue to have significant breaches, lack of transparency and accountability across industries. The question isn’t if we need a transformation it’s what does that transformation look like.
Rules of the New Security Model
- Networks now extend from our Enterprise network to the entire Internet itself and as such the new services need to as well.
- Cloud Providers must accept their role and drive services to support it. This includes both API’s and complete transparency in how services are delivered.
- For practitioners, the enterprise corporate network is now, inherently, no more secure than the Internet based services.
- The migration of content and transactions to the cloud providers is key to reduce the client side security risk. Resulting in increased “any device” support and security dependencies.
- Application security becomes important in two areas. The first is the cloud providers application security model and the second is client side applications.
There are four main areas of the transformation (Control Solutions, Cloud Providers, Security Practitioners and Supporting Ecosystem).
Controls and Services Representation
A controls model has been the longstanding standard to model security. With that we have three main control areas that should be reviewed to determine how they are applied in this new model.
• Preventative Controls are intended to prevent an incident from occurring
• Detective Controls are intended to identify and characterize an incident in progress
• Corrective Controls are intended to limit the extend of any damage caused by the incident
- Application security is the highest priority to address. Today, the development of applications has been outsourced, distributed, driven to online services and, in some cases, completely migrated to outside data centers like Amazon.
- Companies: SourceClear
- A difficult challenge, but the ability to centrally manage the configuration, apps, events and content that must be abstracted across the Enterprise and “cloud providers” is critical to security but also to overall management.
- Companies: CloudPassage
- A mainstay in the security model for decades.,the ability to filter content, restrict access and perform AV scanning is key to ensure the protection of content and transactions across devices. However, IT Transformation is rendering the classic Enterprise Network Protection layer increasingly obsolete.
- Companies: SkyHigh and zScaler
- The methods of protecting that content in the Enterprise is obsolete as it needs to be accessed, interacted and shared security with anyone at anytime to facilitate the business. Doing this to ensure regulatory compliance and defending against targeted attacks is paramount (to what?).
- Companies: Box, DocTrackr
Identity, Authentication and Authorization (IAA)
- The impact of IT Transformation on IAA has paved the way for increased attacks on identities and fractured use of authentication across cloud services and a management nightmare relating to onboarding and off boarding processes.
- Companies: Okta, Ping Identity,OneLogin
- One of the most interesting areas is the consolidation and management of an ongoing Enterprise problem, secret management. Themanagement of secrets (keys, certificates, etc) has been an ongoing problem. When layered with the need to manage these across 3rd party vendors it becomes even more complicated.
- Companies: Dark Matter Labs, Venafi
- There has been a significant increase in the amount and complexity of attacks in the past ten years, particularly on mobile and cloud services. This only underscores the dramatic need of a new monitoring mechanism that can encompass the entire ecosystem.
- Companies: Exabeam and Fortscale
- In an this new environment, the need to identify and manage vulnerabilities extends to devices and applications on the Internet, including company-owned workstations at people’s homes as well as the cloud providers themselves. For a proper and mature security management model the vulnerabilities of all environments where content and transactions needs to be managed.
- Companies: Qualys and Risk IO
Governance, Risk and Compliance (GRC)
- The continued progression of the IT and threat landscape has driven an ongoing need for a mature GRC platform. This platform drives coverage of not only internal systems and processes but coverage for 3rd party risks.
- Companies: Allgres, Brinqa, MetricStream and Xactium
- An organization’s operational ability to provide required services now is dependent on third parties, creating a need to extend standard incident response processes. This can be significantly challenging if cloud providers do not provide operational and performance alerts.
- Companies: Service Now and Pager Duty
Legal and Investigation Support
- With content and transactions residing outside of our control we must move the support ofeDiscovery, legal holds, and employee investigations to providers and devices
- Companies: Yanna Technologies
- The ability to respond to an incident, regardless of severity, requires the ability to apply a command and control capability to the endpoints, networks and applications in question. This becomes very challenging when those devices are no longer on your network or even under your control.
Control Solution Needs
The needs of a configuration management tool are not amazingly different than what they are today. They do differ in some key areas though
- Ability to manage devices in and out of the Enterprise (Amazon)
- Ability to manage 3rd party application layers (SalesForce.com, etc)
- Ability to identify and manage roaming devices (mobile client devices)
Application Security has been problematic well before IT Transformation and the need for a Security Transformation. In the new model, however, the recognition that development is completely different than what it was even ten years ago. With that the needs include:
- Ability to integrated with local and cloud code repositories (GitHub)
- Ability to integrate with all IDE’s that a developer could use
- Include a social capability to allow developers to communicate problems and solutions. This should be both internal to the Organization and external.
- Common Problem / Solution sets where reuse can take more of a foothold than today
Network protection has always been a key component of the overall technical security control set. The new alterations should include:
- Ability to provide device protection regardless of where that device is. This is considered a “Proxy in the cloud” model
- Asset control system to manage access for Enterprise, mobile, production vs. corporate separate
- Integration with Identity Providers (Okta, Ping)
- Standard AV, DLP, Content Restrictions, IDS, IPS
Content has been a long standing problem in all Enterprises for the past 40 years. The ability to centralize that unstructured content for support of mobile gives us an opportunity to solve some of those problems. The solution should include:
- Integration with 3rd party Identity Providers
- Full authorization capability for all content
- Facilitation of many to many sharing capacity
- Support for 3rd party DRM solutions and standards
- Support for 3rd party DLP, AV, etc solutions
- Full API capability for Enterprise integration and use.
Identity, Authentication and Authorization (IAA)
These new services, not only need to resolve the controls of the past, but also need to drive new capabilities for the future. The following are key capabilities the IAA SaaSneeds to support
- Identity Federation
- Strong Authentication
- Assisted Machine Learning algorithms for compromised account identification
- SAML support
- Support for multi identity support (individual, group, process, device)
- Support for device authentication
- Support for identity verification (individual and organization)
The ability to provide a monitoring control in this new environment drives it to be a SaaS. The requirements must also include:
- Other than regular expression and correlation there needs to be two more analysis. One is true anomaly detection to identify anomalies in all logged events. The other is a assisted ML algo to interpret both the anomalies but also specific attack classifier
- Managed service support for the ML and other components
- Existing adapters to ingest logs from key cloud providers as well as internal devices
- Ability to share and interact with internal and external parties regarding incidents. This should include the translation of attacks into zero attribution methodologies
- Support for a threat response capability
The requirements include, but are not limited to:
- Ability to include vendor provided vulnerability scans
- Tracking of devices on a dynamic IP basis
- Support for internal enterprise scanning
- Interoperability with SaaS GRC’s
It’s important to note that the ability to prioritize those vulnerabilities for remediation from any tool is also an important consideration. Where most of those advanced capabilities reside in a GRC a lighter vulnerability prioritization can be important.
Governance, Risk and Compliance (GRC)
The new model of GRC needs to include:
- Inclusion of 3rd party cloud providers compliance, vulnerability and other data
- Mapping of an organizations Revenue, Reputation and Operational risk to all devices and providers
- Revenue - Integration with the organizations general ledger
- Reputation – Ability to map the organizations content and transactions to location
- Operational – Mapping of devices to organizational operational importance
The ability to respond to an incident, regardless of severity, requires the ability to apply a command and control capability to the endpoints, networks and applications in question. The new service should include the following:
- Ability to access devices for remediation (mobile workstations, enterprise systems, etc)
- Integrated ticketing system that includes Enterprise and 3rd party vendor’s systems
- Workflow that supports the incident process and includes the Organization, outside counsel, 3rd party vendors, law enforcement, etc depending on what the situation requires.
- Integration of “attribution free” 3rd party incident methodologies
- Integration with Enterprise and SaaS SEIM tools
The ability to perform standard incident response capabilities is a direct ability to security response. The ability for an Enterprise to operate in this new IT Transformation model drives requirements on the core IT incident response requirements.
- Ability to monitor all Enterprise and 3rd party systems and applications
- Ability to integrate with vendor’s incident response system for ticket management and alerting
The cloud providers in the new model have both an opportunity and a risk in meeting the Security Transformation. One of the key concepts that needs to be considered, when discussing any vendor is one of accountability. Since security accountability cannot be transferred to the vendor the onus is on the organization to ensure all controls are implemented and working effectively. A significant amount of, what we call “Transparency”, is not currently being provided. It’s this transparency that needs to be provided for organizations to realize the new security model.
Transparency includes multiple things. The first is the ability to provide their respective customers the complete transaction logs of their accounts and activity. This, currently, is very rarely being provided outside of a very few providers. Organizations need to marry the activity they see in their environments to that of their providers to be able to identify organizational attacks. This can only be done if there is complete transparency.
Another layer of transparency is one of audit and reporting. The main method of assurance relating to security is encapsulated in an audit report. However, the audit report is generally high level and does not detail out the particulars of issues identified. To truly realize the Trust that we strive for there needs to be a transparency in all that is good and bad. This can only be done if the full working papers are provided in support of the audit opinion.
Security practitioners are critically impacted by this change in IT and Security. The skills that are needed to protect an enterprise are very different than that of protecting and managing vendors. Where the need for security to protect systems under management will not go away it is and will continue to decrease dramatically. As a result the skillsets of the security organization will change.
- Audit and Compliance Execution – With the migration of devices to outside parties the need to audit the configuration, networks and subsequent processes decreases.
- Security Process Management – Due to the lack of systems and applications under management certain processes are either deprecated or completely removed. Change Management and SDLC are probably the two most significant ones.
- Application Security – As a general rule, the majority of corporate software development is to facilitate corporate functions. The need to focus on application security at an enterprise level nearly is removed due to the fact that the development is done by 3rd parties or the service itself is completely outsourced.
- Vendor Management – With an increase in outside vendors for security and IT drives a strong need to manage those vendors based on contractual and results based expectations.
- Risk Program Management – As with any security group, risk management
- Security Process Management – Where the decrease of certain processes are based on the removal of devices there are increased needs for process security. Mostly notably the procurement process
As with any function in today’s world there are wide rangesof supporting ecosystems that assist in enabling it. In security and in the Security Transformation, there are a few 3rd parties that will have to undergo their own changes to support the model.
Security Vendors – The introduction of the new security vendors providing the Security Transformation services will dramatically disrupt the existing security vendor ecosystem. As it stands today, the instantiated security vendors derive the majority of their revenue from anti-virus, compliance, firewall and PC endpoint protection. In all of these cases there is a downward force of economics being applied, which could, without significant acquisition, create a collapse of those businesses. Typical innovation does not occur in large organizations by normal course so the main method is that of acquisition. Yet, the new security vendors appear to be highly resistant to an acquisition exit and look to completely upset the incumbents.
Audit and Compliance – The need for a new level of audit and certification for cloud providers will become an important driver. There are two main things that need to be driven in an audit of cloud providers today. The first is maturity model capability. We have two models today certification and assessment. While important and useful we need to have a maturity model audit of cloud providers to put their security standing in context for customers. This is so they can assess the necessary level of security depending on the severity of their content / transactions. The second thing is transparency. Today results are handing in the form of a certification letter or auditor attestation. For customers to gain Trust we need to require the entire working papers to be provided. It's only through this open level of transparency will we gain a level of trust in execution.
Consulting – With a higher importance on risk management across the entire security ecosystem there should be an increase in the maturity of the risk management function. This will drive a higher requirement of consultants to focus on the total security ecosystem of a customer and provide a holistic risk management consulting view. This view should include all the company's 3rd party vendors, in context to the content / transactions they manage, and their respective risk standing.