Cybersecurity: A Zero-Trust Paradigm for a Perimeterless World

Justine Humenansky, CFA
Published in the table_tech
Feb 6, 2021 · 8 min read

The pandemic has catapulted most aspects of our lives online, redefining the way we think about almost everything. We find ourselves in a world in which more enterprises are migrating to cloud infrastructures and SaaS applications, more of the workforce is mobile and distributed, and more of our identity and interactions are captured digitally. This transformation has been dramatically accelerated and enterprises are increasingly reliant on third-party solutions to help them make this rapid shift. In this new world, we must also redefine the way we think about cybersecurity.

As enterprises shift more workloads to the cloud (expected to grow from 46% of workloads to 64% over the next two years)⁴ and adopt more SaaS products (on average, 36 per knowledge worker),⁵ they are faced with an increasingly nebulous network perimeter, limited traffic visibility, and complex asset and data management requirements. The abrupt shift to remote work means every device must be treated as untrusted, since most employee devices now serve as both personal and work devices. As a result, more sensitive and/or valuable data is potentially accessible, by more actors, than ever before. To keep up with the pace of change, organizations are heavily reliant on third parties (from open source code to security tools to cloud service providers).

Given these dynamics, security professionals must now operate under the assumption that their environments are hostile, that their networks have already been compromised, and that internal threats may be just as damaging as external ones. In other words, our security paradigm must shift from one of transitive trust to zero-trust.¹ This new paradigm requires better visibility across, and segmentation of, sprawling infrastructure; more emphasis on identity, authorization, and granular data management; and less trust assigned to insiders and third parties.

Source: Grant Thornton

IBM’s Cost of a Data Breach Study found that breaches were most often caused by misconfigured cloud infrastructure (19%), compromised credentials (19%), and third-party software vulnerabilities (16%). Each, and why it matters in a zero-trust security paradigm, is covered in more detail below.

Misconfiguration: Cloud Complexity

When on-premises software was dominant, security breaches were usually the result of stolen credentials or missing software patches.¹ As more workloads have shifted to the cloud, missed updates and patches have become less of a vulnerability, since patching the underlying platform and managed services falls within the purview of the cloud service provider (customers are still responsible for patching their own VM images, containers, and application dependencies).¹ However, as more enterprises shift workloads to the cloud, vulnerabilities arising from misconfiguration have been increasing. Over the last two years, the incidence of errors leading to breaches has gone up significantly, and misconfiguration is by far the most frequent error (errors are now second only to hacking as a source of breaches).⁶

The increase in complexity is difficult to manage. 87% of recent survey respondents run microservices-based apps in containers,⁹ meaning an organization might have hundreds or thousands of instances of an application, markedly increasing the attack surface.¹² Security professionals used to be responsible for a few hundred actions and resources; now that number has exploded to more than 40,000.⁷ Amid this complexity, 73% of companies struggle to clearly delineate their cloud service providers’ (CSPs’) security responsibilities from their own.⁴ While it’s easy to blame the CSPs, Gartner predicts that through 2025, 99% of cloud security failures will be the customer’s fault.

Security professionals also don’t have the tools they need to manage this complexity. Purpose-built cloud security solutions are needed to provide visibility into container, microservice, and serverless architectures; to monitor and analyze transient and elastic workload data; to aid with microsegmentation; and to provide a holistic view of the entire attack surface across environments.⁸ Notably, 93% of surveyed security professionals believe current security tools are ineffective for the cloud.⁸

Source: Tyler Jewell, The Developer-Led Landscape

Why does it matter? From 2018 to 2020, cloud breaches (most of which resulted from cloud misconfigurations) exposed 33.4 billion records, at an estimated cost to enterprises of $5T.² More specifically, IBM estimates that the cost of a breach increases by 14% (roughly $500k on average) when it is caused by a cloud misconfiguration.⁵ Given the potential consequences, spending on cloud security tools is expected to reach $12.6B by 2023.¹⁰

What can we do? In a zero-trust world, enterprises can’t simply outsource cloud security to CSPs. As more workloads shift to the cloud, we need privacy-by-design solutions that protect the data contained in public cloud workloads — at rest, at runtime, and on the network. We need cloud-native security tools that more easily enable micro-segmentation and microservices observability. Enterprises with hybrid and multi-cloud deployments need robust cloud security posture management solutions and visibility into their full infrastructure via a single pane of glass. There may also be an opportunity for CASBs with better granularity, transparency, and authorization.¹⁴
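As an added illustration (not code from the article or from any vendor’s product), here is the kind of check a cloud security posture management tool runs: a small Python scanner over an inventory of resource configurations that flags a bucket policy granting access to everyone and a security group exposing SSH to the whole internet. The inventory, the simplified AWS-style resource shapes (policy documents and security-group rules), and the check IDs are all constructed for this example.

```python
"""CSPM-style checks over a constructed cloud resource inventory.

Added example, not code from the article or any vendor. Resource records
mimic AWS-style bucket policies and security-group rules in simplified
form; the inventory and the check IDs (CSPM-00x) are constructed here.
"""
from ipaddress import ip_network


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _public_principal(statement):
    """True when the statement's Principal is the anonymous wildcard."""
    principal = statement.get("Principal")
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def check_public_bucket_policy(resource):
    """CSPM-001: an unconditional Allow to everyone on a storage bucket."""
    findings = []
    for stmt in resource.get("policy", {}).get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _public_principal(stmt):
            continue
        if stmt.get("Condition"):
            continue  # scoped by a Condition block; needs a separate, finer check
        actions = ", ".join(_as_list(stmt.get("Action", [])))
        findings.append(("CSPM-001", resource["id"], f"public Allow for {actions}"))
    return findings


def check_open_admin_ports(resource, admin_ports=(22, 3389)):
    """CSPM-002: SSH or RDP reachable from 0.0.0.0/0 or ::/0."""
    findings = []
    for rule in resource.get("ingress", []):
        if ip_network(rule["cidr"]).prefixlen != 0:
            continue  # only a /0 source counts as world-open here
        low, high = rule["from_port"], rule["to_port"]
        exposed = [p for p in admin_ports if low <= p <= high]
        if exposed:
            findings.append(("CSPM-002", resource["id"],
                             f"{rule['cidr']} -> ports {exposed}"))
    return findings


CHECKS = {
    "bucket": [check_public_bucket_policy],
    "security_group": [check_open_admin_ports],
}


def scan(inventory):
    """Run every check registered for each resource type; return (id, resource, detail)."""
    findings = []
    for resource in inventory:
        for check in CHECKS.get(resource["type"], []):
            findings.extend(check(resource))
    return findings


# Constructed inventory: a world-readable bucket, a correctly scoped bucket,
# and a security group that exposes SSH to the internet.
SAMPLE_INVENTORY = [
    {"type": "bucket", "id": "reports-archive",
     "policy": {"Statement": [
         {"Effect": "Allow", "Principal": "*", "Action": ["s3:GetObject"],
          "Resource": "arn:aws:s3:::reports-archive/*"}]}},
    {"type": "bucket", "id": "payroll-exports",
     "policy": {"Statement": [
         {"Effect": "Allow",
          "Principal": {"AWS": "arn:aws:iam::123456789012:role/payroll-batch"},
          "Action": "s3:GetObject",
          "Resource": "arn:aws:s3:::payroll-exports/*"}]}},
    {"type": "security_group", "id": "sg-bastion",
     "ingress": [{"cidr": "0.0.0.0/0", "from_port": 22, "to_port": 22},
                 {"cidr": "10.0.0.0/8", "from_port": 443, "to_port": 443}]},
]

if __name__ == "__main__":
    for check_id, resource_id, detail in scan(SAMPLE_INVENTORY):
        print(f"{check_id} {resource_id}: {detail}")
```

The value of a posture tool is less in any single check than in running hundreds of them continuously against the live inventory, because the environment drifts: the bucket that was private at deploy time is the one that gets a public statement added during an incident at 2 a.m.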

Compromised Credentials: Authorization and Data Security

As workloads move to the cloud, so too does valuable enterprise data. However, security professionals are struggling to keep track of this data and who has access to it. A recent IDC survey of CISOs in the US found that 80% of respondents were not able to identify excessive access to sensitive data in cloud production environments. Consistent with this, Palo Alto Networks survey respondents perceived data exposure to be their biggest cloud security threat.⁴

Palo Alto Networks: The State of Cloud Native Security, 2020

As organizations move to the cloud, effectively managing permissions quickly becomes untenable. The number of permissions to be managed can stretch into the millions, even for SMEs, making it nearly impossible to accurately determine and provision them appropriately.⁷ A growing number of enterprise SaaS applications further complicates the issue. Once users are granted access to an application, they usually gain full access to all the data stored within that application. In this context, managing access and permissions (82%) and preventing data loss (80%) rank well ahead of preventing and fixing misconfigurations (49%) as the top SaaS concerns for security professionals.¹⁴

Without an automated system to determine the right set of permissions for each and every identity within this complex system, identities end up over-permissioned. Once admin-level privileges are granted, they are rarely taken away, and a power user might have permission to perform 10,000 actions but only really need 20–30 of them on a daily basis.⁷ Organizations feel pressure to give developers and data scientists nearly unrestricted access for fear of slowing productivity. These dynamics have led to a pervasive “lack of awareness of what data an organization has, where it is, and who has access to it.”³
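To make the “granted 10,000, uses 30” problem concrete, here is an added example (not the article’s own tooling) that right-sizes an identity from its observed activity: it expands the policy’s wildcards against a month of API-call records, emits a policy listing only the actions actually used, reports grants that were never exercised, and flags calls the policy does not explain (they must be granted by some other attached policy or group, or were denied). The policy and the log records, which mimic the eventSource/eventName pair in a CloudTrail entry, are constructed inline.

```python
"""Right-size an over-permissioned identity from observed usage.

Added example, not the article's own tooling. The policy is IAM-like but
simplified, and the usage records, which mimic the eventSource/eventName
pair of a CloudTrail entry, are constructed inline.
"""
import fnmatch
import json
from collections import Counter

# Constructed: broad service-level wildcards, the usual "just make it work" grant.
GRANTED_POLICY = {
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:*", "ec2:*", "iam:*", "kms:Decrypt"],
         "Resource": "*"},
    ]
}

# Constructed: a month of API calls recorded for this identity.
USAGE_LOG = [
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
    {"eventSource": "s3.amazonaws.com", "eventName": "ListBucket"},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject"},
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt"},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances"},
    {"eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity"},
]


def event_to_action(record):
    """'ec2.amazonaws.com' + 'DescribeInstances' -> 'ec2:DescribeInstances'."""
    service = record["eventSource"].split(".", 1)[0]
    return f"{service}:{record['eventName']}"


def granted_patterns(policy):
    """All Allow action patterns in the policy, wildcards included."""
    patterns = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Allow":
            actions = stmt["Action"]
            patterns.extend(actions if isinstance(actions, list) else [actions])
    return patterns


def covered_by(action, patterns):
    """True if any (possibly wildcarded) granted pattern matches the action."""
    return any(fnmatch.fnmatchcase(action, p) for p in patterns)


def right_size(policy, log):
    patterns = granted_patterns(policy)
    usage = Counter(event_to_action(r) for r in log)
    used_granted = sorted(a for a in usage if covered_by(a, patterns))
    # Calls the policy cannot explain: granted by another attached policy or
    # group, or denied at the time. Either way they deserve a look.
    unexplained = sorted(a for a in usage if not covered_by(a, patterns))
    exercised = {p for p in patterns
                 if any(fnmatch.fnmatchcase(a, p) for a in usage)}
    idle_grants = sorted(set(patterns) - exercised)
    minimal_policy = {"Statement": [
        {"Effect": "Allow", "Action": used_granted, "Resource": "*"}]}
    return {
        "minimal_policy": minimal_policy,   # only what was observed in use
        "idle_grants": idle_grants,         # granted, never exercised: remove
        "unexplained_calls": unexplained,   # used, but not granted here
        "usage": dict(usage),
    }


if __name__ == "__main__":
    print(json.dumps(right_size(GRANTED_POLICY, USAGE_LOG), indent=2))
```

Two caveats a practitioner should keep in mind: the generated policy still says Resource "*", so scoping it to the buckets and instances actually touched is the next step; and an observation window that is too short will prune rarely used but legitimate actions (quarter-end jobs, disaster-recovery drills), so the output is a proposal for review, not a policy to apply blindly.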

Why does it matter? The cost of a breach is correlated with the amount of data compromised,⁵ and the type of data affects the impact as well. Concerningly, 80% of the data compromised in breaches contains PII (which costs enterprises $150 per record)⁵ and 32% contains intellectual property (which 38% of cyber insurance policies don’t cover).¹³ Regulatory fines are costly, but reputational damage and consumer lawsuits can be far costlier.

What can we do? Enterprises can’t rely on CSPs for data security in the cloud. Under CSP shared responsibility models, the CSP is responsible for security of the cloud (the infrastructure) while the customer is responsible for security in the cloud (everything that sits or runs on that infrastructure). In a zero-trust world, only authenticated users should gain appropriate access to specific assets, for a limited time period, depending on the context of the request. Risk-based authentication, more granular data controls, and the ability to quickly discover and classify sensitive data are critical in a zero-trust paradigm. SaaS products should incorporate enterprise-grade security best practices (such as secure configuration defaults) and eliminate what YL Ventures refers to as the “SSO tax.”¹⁴ As workforces become more distributed, compliance with data sovereignty laws and secure cross-jurisdiction access and transport will become even more important, emphasizing the need for confidential communications and computing solutions.
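The access decision described above (an authenticated user, a specific asset, a limited time, dependent on context) can be sketched as a small policy function. This is an added example, not the article’s or any product’s policy engine; the risk signals, their weights, the per-tier ceilings and the base grant lifetimes are hypothetical choices made to show the shape of the technique, and the sample requests are constructed.

```python
"""Context-dependent, time-limited access decisions.

Added example, not the article's or any product's policy engine. The
signals, weights, thresholds and TTLs are hypothetical choices made here
to illustrate the technique.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class AccessRequest:
    user: str
    resource: str
    sensitivity: str          # "public", "internal" or "confidential"
    mfa_verified: bool        # strong authentication completed this session
    device_managed: bool      # enrolled, inventoried endpoint
    device_patched: bool      # posture check passed
    new_location: bool        # first sighting from this network or geography
    requested_at: datetime    # timezone-aware


# Hypothetical risk weight per adverse signal.
RISK_WEIGHTS = {"unmanaged_device": 3, "unpatched_device": 2, "new_location": 2, "off_hours": 1}
# Hypothetical ceiling: highest risk score still allowed per sensitivity tier.
MAX_RISK = {"public": 6, "internal": 3, "confidential": 1}
# Hypothetical base grant lifetime per tier; the grant shrinks as risk rises.
BASE_TTL = {"public": timedelta(hours=8), "internal": timedelta(hours=1),
            "confidential": timedelta(minutes=15)}


def risk_signals(req):
    """The adverse context signals present in the request, in a fixed order."""
    signals = []
    if not req.device_managed:
        signals.append("unmanaged_device")
    if not req.device_patched:
        signals.append("unpatched_device")
    if req.new_location:
        signals.append("new_location")
    hour = req.requested_at.astimezone(timezone.utc).hour
    if hour < 7 or hour >= 19:  # outside a hypothetical 07:00-19:00 UTC business window
        signals.append("off_hours")
    return signals


def decide(req):
    """Allow, require step-up, or deny; every allow carries an expiry."""
    signals = risk_signals(req)
    score = sum(RISK_WEIGHTS[s] for s in signals)
    if req.sensitivity != "public" and not req.mfa_verified:
        return {"decision": "step_up", "reason": "MFA required for non-public resources",
                "signals": signals}
    if req.sensitivity == "confidential" and not req.device_managed:
        return {"decision": "deny", "reason": "confidential data only from managed devices",
                "signals": signals}
    if score > MAX_RISK[req.sensitivity]:
        return {"decision": "step_up",
                "reason": f"risk {score} exceeds {MAX_RISK[req.sensitivity]}",
                "signals": signals}
    ttl = BASE_TTL[req.sensitivity] // (score + 1)   # higher risk, shorter grant
    return {"decision": "allow", "ttl": ttl, "expires_at": req.requested_at + ttl,
            "reason": f"risk {score}", "signals": signals}


def sample_decisions():
    """Constructed scenarios on a weekday at 10:00 UTC (one at 23:00)."""
    t = datetime(2021, 2, 8, 10, 0, tzinfo=timezone.utc)
    late = t.replace(hour=23)
    cases = {
        "clean_confidential": AccessRequest("alice", "payroll-db", "confidential", True, True, True, False, t),
        "unpatched_internal": AccessRequest("bob", "wiki", "internal", True, True, False, False, t),
        "byod_confidential": AccessRequest("carol", "payroll-db", "confidential", True, False, True, False, t),
        "travelling_unpatched": AccessRequest("dave", "wiki", "internal", True, True, False, True, t),
        "no_mfa_internal": AccessRequest("erin", "wiki", "internal", False, True, True, False, t),
        "byod_public_late": AccessRequest("frank", "docs-site", "public", False, False, True, False, late),
    }
    return {name: decide(req) for name, req in cases.items()}


if __name__ == "__main__":
    for name, outcome in sample_decisions().items():
        print(f"{name}: {outcome['decision']} ({outcome['reason']})")
```

The point of the expiry is that trust is re-evaluated, not inherited: a grant issued from a patched, managed laptop in the office should not still be valid eight hours later from an airport network, so the token lifetime is bounded by the context at issue time and the request is re-scored when it is renewed.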

Third-Party Vulnerabilities: Secure Supply Chains

Increasingly, large-scale applications are built on open source dependencies, organizations rely on CSP or third-party vendor security tools, and web traffic flows through constantly changing third-party APIs. The chain of third-party dependencies makes the impact of a change to the system extremely complex to reason about, and companies are struggling to keep up with due diligence on third-party cyber solutions (how much do you know about your supplier’s supplier?)

Why does it matter? Software Composition Analysis (SCA) was already growing at more than 40%, driven mostly by open source,¹⁵ but the recent large-scale SolarWinds breach has put third-party dependencies back on everybody’s radar. Discussions about “systemically important” enterprise software providers and product liability are already underway. Organizations should prepare for heightened scrutiny by developing a more thorough understanding of their supply chain and their suppliers’ controls.

SANS: Extending DevSecOps Security Controls into the Cloud

What can we do? “Shift left” is a movement to integrate security into the SDLC at the earliest possible point, directly into the code base where possible. However, the biggest barriers to this shift are organizational, which means that progress may be constrained to the pace of organizational change. In the meantime, automation should be integrated across the entire SDLC, and the behaviour of complex third-party dependency chains should be exercised and reassessed regularly. APIs must be monitored and protected as aggressively as the perimeter. SOC 2 compliance will only become more important. Third-party solutions that verify service providers meet security SLAs would also be valuable.
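The “supplier’s supplier” question is easiest to answer with a dependency graph. As an added example (not code from the article, and using invented package names, versions and advisory IDs), the following walks a resolved lock graph, matches each package’s version against an advisory list, and reports every path from the application to an affected package, so that a vulnerability three levels down is attributed to the direct dependency that pulls it in.

```python
"""Transitive dependency audit over a constructed, resolved lock graph.

Added example, not code from the article. Package names, versions and
advisory IDs (ADV-000x) are invented; the version scheme is plain
major.minor.patch.
"""
from collections import deque

# Constructed lock graph: package -> (resolved version, direct dependencies).
LOCKFILE = {
    "app":           ("1.0.0", ["web-framework", "http-client"]),
    "web-framework": ("2.1.0", ["template-lib", "logging-lib"]),
    "template-lib":  ("1.4.2", ["html-escape"]),
    "html-escape":   ("0.9.3", []),
    "logging-lib":   ("5.0.1", []),
    "http-client":   ("3.0.0", ["tls-shim"]),
    "tls-shim":      ("1.1.0", []),
}

# Constructed advisories: a version is affected if introduced <= version < fixed.
ADVISORIES = [
    {"id": "ADV-0001", "package": "html-escape", "introduced": "0.0.0", "fixed": "1.0.0"},
    {"id": "ADV-0002", "package": "tls-shim", "introduced": "1.0.0", "fixed": "1.0.5"},
]


def parse_version(text):
    return tuple(int(part) for part in text.split("."))


def is_affected(version, advisory):
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def dependency_paths(graph, root):
    """Every path from root to each reachable package (BFS; cycles are skipped)."""
    paths = {}
    queue = deque([(root, [root])])
    while queue:
        name, path = queue.popleft()
        paths.setdefault(name, []).append(path)
        for dep in graph[name][1]:
            if dep not in path:
                queue.append((dep, path + [dep]))
    return paths


def depth_summary(graph, root="app"):
    """How much of the tree is a supplier's supplier rather than a direct choice."""
    paths = dependency_paths(graph, root)
    shortest = {name: min(len(p) for p in ps) - 1
                for name, ps in paths.items() if name != root}
    direct = sum(1 for d in shortest.values() if d == 1)
    return {"direct": direct, "transitive": len(shortest) - direct}


def audit(graph, advisories, root="app"):
    """Match resolved versions against advisories; attribute each hit to a direct dependency."""
    paths = dependency_paths(graph, root)
    findings = []
    for adv in advisories:
        pkg = adv["package"]
        if pkg not in paths or not is_affected(graph[pkg][0], adv):
            continue
        for path in paths[pkg]:
            findings.append({
                "advisory": adv["id"],
                "package": f"{pkg}@{graph[pkg][0]}",
                "path": " -> ".join(path),
                "depth": len(path) - 1,                          # 1 means a direct dependency
                "direct_dependency": path[1] if len(path) > 1 else None,  # whose bump or override fixes it
                "fixed_in": adv["fixed"],
            })
    return findings


if __name__ == "__main__":
    print(depth_summary(LOCKFILE))
    for f in audit(LOCKFILE, ADVISORIES):
        print(f"{f['advisory']}: {f['package']} via {f['path']} "
              f"(depth {f['depth']}, fixed in {f['fixed_in']})")
```

Note what the report does and does not tell you: the affected package is reachable only through web-framework, so the remediation is either a web-framework release that bumps template-lib, or an override pinning html-escape at or above 1.0.0 (with the compatibility risk that implies). Running this against the resolved lock file rather than the declared manifest is what makes transitive pulls visible at all; the manifest never mentions html-escape.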

Whether it’s advanced data protection techniques that protect data at rest, runtime, and in transit; cloud native security tools that take into account exploding complexity across an elastic infrastructure; behavioral authentication and risk-based authorization solutions that productize the principle of least privilege; or solutions that extend security right down into the code, a new security paradigm is needed to protect our new, perimeterless world.

Views are my own and do not represent the views of Playground Global. If you are working on something related, I’d love to chat.
