It’s coming to that time of year again: time to engage in a bit of introspection on the recent past and to look ahead at what the next year in cybersecurity will bring.
Way back in January of 2004, a loose alliance of CISOs called the Jericho Forum was officially founded (the actual work began in 2003) to define and promote the concept of de-perimeterization (technically, it was de-perimeterisation since the term was first proposed by Paul Simmonds and the inventor should get to choose the spelling). Jericho Forum took the position that the traditional network perimeter was eroding, and organizations hadn’t internalized the security impact of such a drift.
At the start of 2020, many of the concepts expressed in documents published by the forum between 2004 and 2013 (when Jericho Forum declared success and merged into The Open Group) had come to be broadly accepted. But still, many organizations held on to a loose concept of a secure network perimeter while slowly adopting an architecture called Zero Trust to better deal with the increased prevalence of SaaS applications.
Then the pandemic hit. This turbocharged several trends which were already in flight: (a) the move to software as a service (SaaS) applications in preference to their on-premise counterparts, (b) the move to cloud service providers in preference to adding more racks of equipment to owned or leased data centers and (c) allowing remote users to connect directly to cloud-based applications without using a VPN (often dubbed mobile-to-cloud). Trends (a) and (b) were driven by the desire not to rack-and-stack gear (hard to do during a pandemic)—trend (c) resulted from the need to send all workers home while realizing existing VPN capacity was insufficient to provide secure (and performant) connectivity to all of them.
The turbocharging of these trends came in the form of certain plans for the next 12 months being executed during the first week of work-from-home mandates. And 5-year plans about moves to SaaS and cloud suddenly became 24-month plans.
The security implications of such moves are profound. Rather than de-perimeterize their networks by letting things like not-so-trustworthy internet of things (IoT) inside the perimeter (that has been happening for a while as well), organizations have inverted their architectures by kicking most end users off the corporate network and by moving most applications to the cloud—either in SaaS form or by utilizing infrastructure as a service (IaaS) and platform as a service (PaaS) supplied by the likes of Amazon, Microsoft and Google to run their own applications in the cloud.
As one looks ahead to 2021, it is clear that the pandemic will continue to constrain where your employees can work and how difficult it will be to access your own physical data centers. And even as these restrictions (hopefully) begin to lift in the second half of 2021, the changes wrought by the pandemic are here to stay: to wit just because employees can return to the office doesn’t mean they will want to go there every workday. So remote work (even if only in hybrid form) is here to stay.
It follows that your security architecture needs to handle employees working from unknown locations (with dubious network security) as a primary use case. So, make sure your employees’ laptops are hardened to a degree where you’re reasonably comfortable in their ability to fend for themselves in the big bad world. In fact, investing in any security which protects end users only when they are in the confines of your office is a waste of money. This generally means investing in a modern endpoint detection and response (EDR) solution (note that “anti-virus” has officially become a pejorative term). And it means that if you want to intermediate a web proxy (officially called Secure Web Gateway by Gartner) between end user machines and the big bad internet, you should invest in one which is delivered in SaaS form.
In providing your end users with access to corporate SaaS applications (Office 365, G Suite, Salesforce, etc.) and in-house applications delivered via your cloud footprint (on AWS, Azure, GCP, etc.), consider moving your identity infrastructure to the cloud. So rather than having (on-premise) Active Directory (AD) be the center of your identity universe and synchronizing some of its content into Azure AD or Okta or some other cloud identity provider (IdP), consider moving the center of gravity to the cloud and refactoring your on-premise use cases to fit this architecture. Also, move from legacy VPNs—which provide access to the entire network—to Zero Trust Network Access (or ZTNA, an acronym which just flows off the tongue) to provide access to only the applications the end user should access.
Finally, having kicked all your applications out of your network, you need to regain visibility on who is doing what to your critical data. Would you know if a (persistent) fox had gotten into your (SaaS-delivered) henhouse? Network detection and response (NDR) is a recently standardized category which detects attacks and responds to them without relying on agents running on endpoints (EDR). While early version of NDR focused on traditional networks (they only processed packets), modern NDR embraces threat detection and response in this new hybrid/balkanized network which includes IaaS, PaaS and SaaS, and unifies visibility into attack progression into, across, and throughout this new network.
The changes security teams are implementing as a result of these trends will make us more resilient to attacks and more agile to deal with the inevitable changes which organizations undergo. This will not be the last emergency we will deal with in our lifetimes though others will hopefully be of a much smaller scale—and we will be much better prepared to deal with an emergency the next time around.