There are a lot of big cybersecurity threats out there for CISOs to worry about following on from a year of uncertainty. We asked a panel of experts to weigh the risks and consider some safe ways forward.
The cloud, for all its benefits, remains a headache for security professionals, especially following a year when so many remote workers have been relying on it. This is the considered view of Mauricio Sanchez, Cyber Security Research Director with independent analyst firm Dell’Oro Group who headed up a panel of top level cybersecurity experts to mull over the troubled landscape that lies ahead.
“When we talk about the digital transformation of enterprises, moving from on-prem into public cloud environments, it has undoubtedly become a huge security challenge in 2020,” says Sanchez. “It’s all stems from this pandemic and the ways it has hit not just society but the way we conduct our work. Most of us today are probably working from home.”
The cybersecurity issues of tomorrow have already, believes Sanchez, arrived in the form of Artificial Intelligence, the emergence of 5G networks, and the massive explosion of IoT devices: “There are big security issues that surround this trio, and they are opening up a whole new set of threat surfaces,” he says.
Figure 1: The rise of enterprise cloudification
“The market has exploded for public cloud service providers, with 41% compound annual growth from 2014 to 2019,” he points out. “When you look what’s happened to security spend in the same period, it hasn’t been too shabby. Physical appliances probably are not as popular any longer as we move into cloud environments. But they’ve still been growing 7% over the five years. Then you look at virtual and SASE-based security and that has not just kept up, but slightly exceeded cloud revenue from the public cloud service providers. The takeaway is that people are going to the cloud, and they’re spending a fair amount of money from their budgets, on security.”
Figure 2: Workplace reinvention
“Who would have thought that 2020 would turn out as it has,” muses Sanchez, noting how it has caused an overnight reinvention of the workplace. “Using census data as well as World Bank data, I look at just how the world for the enterprise workforce changed overnight. Coming into pandemic, there were about 100 million worldwide remote workers on a full time basis. That pivoted nearly three times from the beginning of 2020 when the pandemic hit. Naturally there has been a lot of discussion about how security strategy needs to morph and evolve to address that.”
So what’s next? Sanchez notes that 5G is going to unleash a network gigabit speeds everywhere, as well as 50 billion IoT devices. Then there’s AI with its ability to unleash innovation in magnificent ways, in areas from medicine to cybersecurity. But all of these new technologies come with a soft underbelly.”
To find out what the security industry is getting right, what it is getting wrong and what the main considerations for the future are, Sanchez quizzed a panel of leading security names.
Dr Ronald Layton is Vice President, Converged Security Operations with consumer banking player Sallie Mae, and a former government expert in the field of cyberthreats. He argues against seeing security as a binary endeavour: either right or wrong: “It’s more about adaptation,” he believes. “It’s about the journey. There’s a big conversation surrounding on-prem to the cloud, the choice being steps or Big Bang. Steps means you do it incrementally, moving some applications. Big Bang means that you’re all in.”
“Native cloud security is never going to cover all the bases, because it’s based upon a Linux kernel, suggests John Kindervag, Field Chief Technology Officer with Palo Alto Networks: “It’s a misunderstanding to think that you can actually secure the cloud based on cloud technology,” he warns. “Linus Torvalds should be the richest person in the world because of what he did with Linux. Without Linux the cloud doesn’t exist, but it doesn’t have robust security features and all hackers know how to bypass Layer Three controls. I feel like I’m living at the turn of the century, back when we were still at Layer Three security and we hadn’t moved up the stack yet. And we need to move up the stack in cloud security and do it as robustly as we do it in our data centres. The cloud provider will always say it’s not my fault.”
Joe Sullivan, Chief Security Officer with web security company CloudFlare believes in looking beyond the technology and thinking more about structural, organizational approaches: “The business-related technology teams are running towards the cloud,” he notes. “While security teams are getting dragged along, and that’s because they have different mindsets. Business leaders are just looking at costs and opportunity, and the cloud provides the efficiency and the ability to focus on the priorities of the business.”
Kevin Deierling Senior Vice President with vendor NVIDIA agrees that technology is lagging a little bit in addressing the security concerns in the cloud: “Many people are still operating on a peripheral security model. But when you move to the cloud you actually need to move up the entire stack. Layer Three isn’t enough, you need to go all the way to the application. And to do that, there’s been a fairly high penalty for deploying software-defined security.”
Automation has to be front and centre, claims Mary Gardner, Vice President & Chief Information Security Officer with F5 Networks: “As we move to the cloud we need to make sure that that we’re building controls that prevent mistakes from happening in the first place,” she says. “Because when we look at it, most breaches in the cloud are human-caused. The more automation we use and the more configuration management we use, I think the more we’re going to be ahead of the curve. And we lower our mean time to detection of mistakes as well.”
Kindervag of Palo Alto Networks can claim to be a bona fide cybersecurity pioneer, having created the concept of Zero Trust: “Remote work is here to stay,” he believes. “We’re seeing people who are actually increasing their productivity because they aren’t wasting their time at the watercooler. If you’re in IT or cybersecurity, the technologies were there and ready to adopt. I had customers who did three years of work in three months, because it was so easy to deploy. Without us in the security sector more people would be sick. We need to understand that we contributed a lot to the health and safety and well-being of the world because we have these technologies in place. Now you can just flip a switch, because these technologies are cloud based, they’re agile, they’re automated.”
Layton of Sallie Mae painted a picture of some modern workplace realities: “We have people who are millennials, who are working in a multi-generational household in their kitchen. Perhaps Mom and Dad and little ones are in the house, and others who have access to their screens. That has introduced additional vulnerabilities that are just flat out difficult to deal with. But there’s an opportunity there, it’s an opportunity to drive the conversation about hygiene, there’s an opportunity to drive individual workplace policies, perhaps have people sign attestations.”
Kindervag of Palo Alto Networks takes exception to talk about people doing stupid things: “I’m tired of us in security blaming the victims, because this is too hard to be solved by human beings. It needs to be solved technologically. Spam and phishing are a technological problem, not a security awareness problem.”
Gardner of F5 Networks agrees that security is predominantly a technology problem: “But I think we’re right in the middle of a transition,” he says. “I came to a technical company from being in health care, and when I was in health care there wasn’t that much money spent on technology, much less security. There’s got to be a pivot, and while we’re in the middle of the pivot what I’m really concerned about is that we’re asking a lot of people to work in a household with children, with nephews, nieces. And we’re kind of asking the lay person to become a network engineer. How do they segment their IoT devices from the laptop that they need to protect? I love technology. I think as security professionals, we need to be more willing to adopt new technologies and more open minded about how we adopt them and enable our businesses to adopt them and our customers.”
All the panellists agreed that COVID has proved what an unpredictable place the world is, especially when viewed from the perspective of a security professional. It is not the kind of profession where you wake up one day and say ‘my work is done’. That may be why people are drawn to security in the first place, for the challenge it represents and its central role in how we live and work.
By Guy Matthews, Editor of NetReporter