Vasco Gomes, Global CTO for cybersecurity products, senior expert, member of the Scientific Community at Atos, and ITEA cybersecurity international customer workshop organisation committee member, puts the customer firmly in the driving seat when it comes to choosing the best solution for cybersecurity – a unique tool for several features or a mix of several tools in a best-of-breed approach?
When developing cybersecurity tools and solutions, we need to realise that if our solution adds complexity for corporate teams that are already under intense pressure, the customer will fail, and so will we. On the other hand, we must also realise that cybersecurity is a necessary layer on top of vulnerable technologies that keep ‘piling up’. So should we be building tools from a legacy perspective – new tools for old problems – or should we be looking at the situation from a different perspective? We have to be conscious when we build new tools that the customer has limited (human) resources to handle them. We have to bear this in mind, whichever solution approach we use. There is quite simply a huge shortage of skilled cybersecurity talent. It does not matter how much you loosen your purse strings, you can’t buy what’s not there! It is clear that demand is outpacing supply, and this gap is widening.
Time is money
So how do we proceed? Security by design is essential. In other words, by preparing from the beginning and taking account of future trends and threats, security becomes not so much an add-on as an integral feature of the corporate strategy. Of course, doing things this way requires time in the initial phases – proper planning, in-depth consideration, analysis and all kinds of things that get in the way of time-to-market. Given the criticality of time, companies are not keen on losing money and a competitive edge. If that is not enough, there is another essential component: experience. Think of the introduction of a new technology like 5G. It takes time to gain experience of the issues and problems so that you can build an effective and sustainable solution. On the security front, you always have to assume that there is someone else somewhere who is smarter than you, and who has the time you don’t have to acquire maturity. That’s the reality.
Single pane of glass
When security vendors build hardware or software to mitigate security issues, they investigate new technologies and protocols, and explore how these might be attacked or abused. Without wanting to overcomplicate matters – and it’s already pretty complex – we need a solution that can present a ‘single pane of glass’: one console for both the old and the new. An example of this would be a central network communications filtering console consolidating and updating policies across physical firewalls, virtual firewalls and micro/nano segmentation, at every workload layer. But to achieve this, we need open collaboration and standardisation. This is even more necessary when we consider that the situation is shifting from a static, manual response to a more automated, dynamic and proactive set-up. The Cloud offers opportunities here for security. Security can adopt cloud-native technologies so that when the system administrator deploys new systems, they also configure the security settings, which are deployed and/or updated at the same time, achieving “Security as code”. Efficient and effective.
Technology landscape growing in complexity
Medium-sized and large enterprises are having to cope with increasingly complex information systems, with the danger that their information systems do not undergo a technology change but instead pile up technologies. Decommissioning old systems relying on legacy technologies can sometimes prove difficult because of dependencies, and information technology teams may be able to dedicate their attention to only a few technologies, as their focus may be geared to application migration (customers complain they are in a continuous migration which is impossible to manage). Security is only as strong as the weakest link, so all technologies, applications, infrastructures, etc. must be addressed and their risks assessed. This leaves the Chief Information Security Officer with a complex situation where new technologies need to be studied in detail to understand their risks, without abandoning legacy environments where new vulnerabilities are discovered daily.
A change in mindset
But cybersecurity skills are scarce (around 3 to 4 million unfilled jobs worldwide, depending on the study) and the problem is growing exponentially. Those scarce existing resources need to cope with new technologies and/or help the non-security specialists to think out of the box about the flaws and risks they create. In the (ISC)2 Cybersecurity Workforce Study of 2019, the qualities of an effective cybersecurity professional were cited as having “a broad, detailed understanding of all components of IT, and those with cybersecurity certifications have skills far beyond what is required of other certifications.” This is echoed at cybersecurityventures.com: “Every IT position is also a cybersecurity position now. Every IT worker, every technology worker, needs to be involved with protecting and defending apps, data, devices, infrastructure, and people.” But this being the case, the question is how do you get people to think out of the box about the flaws generated by their creation? How do you establish that mindset in someone from one moment to the next? This is indeed the major challenge of “Security by design”. How can you envisage all the possible misuses of your creation?
“Gone are the days of siloed IT and security teams. All IT professionals need to know security – full stop. Given the complexity of today’s interconnected world, we all have to work together to support the protection of the enterprise.”
Cybersecurity skills need to be holistic
A lack of coordination across the skills chain, along with inadequate, slow and inefficient security intelligence sharing, is symptomatic of the fragmentation that continues to hinder cybersecurity solutions. Different security tools are barely compatible (standards and protocols do exist, but not enough of them) and information exchange is a difficult matter when the main security responsibility is to protect confidentiality (with integrity and availability not forgotten, hopefully). In a recent ITEA article, Pierre Barnabé, Senior Executive Vice-President, Head of the Global Division Big Data & Cybersecurity within the Atos Group, referred to the four ages of cybersecurity. “Now we are entering the third phase, which is dynamic protection and cooperation,” he said. This new phase is considered a turning point because, in such a sensitive situation, the willingness to cooperate could be undermined by proprietary business interests. Furthermore, the growing investment by companies in cybersecurity attracts thousands of new actors, but marketing messages blur the lines, making the “reading” more difficult. Every new actor brings a new approach. How are companies expected to cope and compare? How can we avoid yet another security tool pile-up?
What can we do?
When we develop cybersecurity tools and solutions, we need to keep these issues in mind. The customer should gain more digital sovereignty rather than have it taken away from him. He should be in the driving seat. Here is a checklist of eight steps towards a successful cybersecurity approach:
A) Design security tools with the single pane of glass
- Cover different IT technologies centrally; take the complexity of other technologies inside the security tool and out of the customer’s hands.
B) Openness and compatibility
- With other cybersecurity solutions.
C) Make security settings more dynamic
- According to attributes: requester role, origin, device integrity, geopolitical divide, network trust score, data classification, etc.
- Adapt in near real time: known attack surface, risk context, threat intelligence.
D) Distinguish competitors from adversaries
- We face the same threats, we help the same customers.
E) AI everywhere
- Help customers focus their scarce cybersecurity teams on higher-value work.
- Make reviews easier and faster.
- Clearer reports focusing on what matters.
F) Every decision should be risk-based
- Recognise that every risk mitigation has a “non-financial” cost (time from people who could focus on something else, or reduced business).
- Take the larger context into consideration.
G) Intelligence sharing
- From the wider situation, for more context across environments and markets. What is happening elsewhere should shed light on what is happening here.
- Applying a control should depend on visibility and context. It must also adapt to the device, the vertical/industry and the geopolitical divide.
- But also share your findings and conclusions. Participate. But how? There is a need for more standardisation from the industry.
- This one is difficult, but vendors (not only in cyber) need to accept “not locking in” customers. Standardisation and interoperability will come with portability.
- Think of bringing more value, not taking other vendors’ possibilities away.
- This is a major challenge when we see how some of the world’s biggest vendors try to lock their systems, giving customers no choice but to buy more of their services.
- It is no coincidence that Open Source has gained so much momentum.
Despite all the issues, fragmentation, complexity, geopolitical shifts and pandemics, there may be a silver lining for (cyber)security customers. There is a route through the overgrown forest of vendors, there is a way to sort the wheat from the chaff, and strength can be gained in numbers through (open) collaboration. And (cyber)security solution providers can polish the silver lining by removing the complexity and confusion and helping to create a mindset among users in the new Cloud environment. The saying ‘Every cloud has a silver lining’ rings loud and clear here – there are ways and means to get a solution that works to protect everyone. Now it’s a matter of getting everyone onside and heading in the right direction. As Philippe Letellier, ITEA Vice Chairman, said, “The ITEA Community is a very convenient vehicle to organise such partnerships to push innovation and to protect our digital society. ITEA is dedicated to digital innovation, users and market impact oriented. Take advantage of the next ITEA Call for projects that opens in September to build the future of cybersecurity.”
Let’s embrace the 3rd age of Cybersecurity together.
Identity And Access Management
- The IAM (Identity And Access Management) systems of Cloud Service Providers are somewhat different from one another, which adds a layer of complexity to customer migrations. Through API (Application Programming Interface) calls, a central IAM solution should automate the provisioning and deprovisioning of the customer’s user accounts, as well as maintain consistency over time (governance, recertifications, internal role shifts…), matching those diverse IAM systems and relieving the customer of that complexity.
Central IAM systems should provide customers with a unified administration console to facilitate control of their users’ access and roles, the review and recertification of accounts and full traceability of users across multiple complex environments, without having to log in to each of them: Cloud infrastructures (AWS, GCP, Azure), Cloud applications (Salesforce, ServiceNow, Workday, Box, etc.), on-prem applications, systems and networks…
- Using the most recent IAM standards and norms (for the Cloud and the company) as well as the Cloud Service Providers’ IAM APIs, the creation of role groups and of user/application accounts should match the company’s business roles and responsibilities. A concrete use case is the automated disabling of a user account on all Clouds at once after the user is disabled in the company’s internal HR system, and/or on demand with a central “kill switch”. This is key, as some Cloud providers keep user sessions open for a long time to facilitate the user experience, even for sessions from personal home devices.
- Embrace the fact that customers already have other IAM systems and Cloud Identity Providers. They have already invested a lot in configuring those. Accept that customers can retain and use those previous investments by making your solution interoperable. Build your system as microservices, but do not close it to your own services only. Make it compatible with others and allow features (or functions) to be delegated to competitors’ systems. This will benefit you in return because it benefits customers. The IdP (Identity Provider) proxy approach is a great illustration of that. It has several other benefits, too, including resolving the problems posed by old legacy applications that are not compatible with newer systems, and mixing different solutions for their diverse strengths (as long as it does not breach the complexity principle).
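The central “kill switch” described above, as an added example that is not the article’s or any vendor’s code: an HR “leaver” event disables the user on every connected IAM system and revokes live sessions, continuing past a failing provider and reporting where the user may still be active. The provider classes are constructed in-memory stand-ins; a real deployment would put each Cloud Service Provider’s own IAM API behind the same interface.

```python
from dataclasses import dataclass, field
from typing import Protocol


class IamProvider(Protocol):
    """Uniform interface the central IAM expects from every connected system."""
    name: str
    def disable_user(self, user: str) -> None: ...
    def revoke_sessions(self, user: str) -> int: ...


@dataclass
class FakeCloud:
    """Constructed stand-in for one provider's IAM: enabled users and live sessions."""
    name: str
    enabled: set = field(default_factory=set)
    sessions: dict = field(default_factory=dict)  # user -> number of open sessions
    fail: bool = False                             # simulates an unreachable IAM API

    def disable_user(self, user: str) -> None:
        if self.fail:
            raise ConnectionError(f"{self.name}: IAM API unreachable")
        self.enabled.discard(user)                 # idempotent: already disabled is fine

    def revoke_sessions(self, user: str) -> int:
        if self.fail:
            raise ConnectionError(f"{self.name}: IAM API unreachable")
        return self.sessions.pop(user, 0)          # long-lived sessions must go too


def kill_switch(user: str, providers: list) -> dict:
    """Disable `user` everywhere and revoke sessions; never stop at the first failure.
    Returns a per-provider report so the administrator sees exactly where the
    account could not be disabled and may still be active."""
    report = {}
    for p in providers:
        try:
            p.disable_user(user)
            report[p.name] = ("disabled", p.revoke_sessions(user))
        except ConnectionError as exc:
            report[p.name] = ("FAILED", str(exc))
    return report


def unresolved(report: dict) -> list:
    """Providers where the kill switch did not take effect (to retry or escalate)."""
    return sorted(name for name, (status, _) in report.items() if status == "FAILED")


def on_hr_event(event: dict, providers: list):
    """Hook for the HR feed: only a 'leaver' event triggers the kill switch."""
    if event.get("status") != "leaver":
        return None
    return kill_switch(event["user"], providers)
```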
About Vasco Gomes
Global CTO for cybersecurity products, senior expert and member of the Scientific Community.
Vasco is a results-oriented Information Security Manager with over 14 years’ experience in Information Security Management (Operational Security, Risk Management, Audit Management, Regulatory Compliance and Disaster Recovery, Security Governance) and 18 years in IT Outsourcing. A solid general education in Information Technology, and strong experience in Network Engineering and Telecommunications, gave him the grounding for a broad understanding of most IT technical domains and their context. Having participated from the bid proposal through the set-up and day-to-day governance of large IT Outsourcing contracts gave him the ability to balance operational constraints against acceptable Business Risks.