EXPERT OPINION
connections which traverse many
geographies – and regulatory mandates.
And everything has gone digital,
proliferating technology and systems
that produce and manage data. In this
environment, complexity has become the
number-one issue facing the CISO.
Because of the scale and complexity
of networks today, gaining the visibility
needed to understand and secure these
infrastructures is a bigger challenge
than ever.
Organisations struggle to answer what
should be a simple question: what is it
I’m trying to protect and how well is it
being protected?
But if you can’t see it, you can’t tell if
it’s secure. This lack of visibility makes
security the department of ‘no we can’t’
because they can’t picture their security
status as it is now, let alone how it will
look throughout an innovation project.
To be the department of ‘yes we can’
security needs to start with visibility.
Fundamental visibility
Answering the first portion of the above
question is difficult: What is it I’m trying
to protect? You have to be able to
establish and maintain a record of all the
assets where data resides – whether it’s
intellectual property, personal identifying
information, financial records, email, etc.
These assets should be categorised
with appropriate business attributes and
updated as the organisation changes.

Historically, the dichotomy between
security and innovation has meant that
if you want to move fast, you could get
hurt; if you want to be secure, you’ll
hardly move at all.

Creating an accurate asset record
becomes a major challenge for assets in
the cloud, as virtual machines are spun
up and down even on an hourly basis.
Also, for critical infrastructure and
manufacturing organisations who
have operational technology (OT)
networks, the scale of OT devices can
dwarf that of IT assets even in major
enterprises or government agencies.
In order to maintain an accurate and
complete asset record, data collection
has to be automated.
Answering the second portion of
the question – how well is it being
protected? – is even harder because it
requires insight into the assets as well
as contextual understanding of their
relationship to security controls and
network paths.
For example, in order to understand
the risk to any assets holding customer
credit card information, you’d need
to know which assets pertain to this
data, their vulnerabilities, the threats
leveraging those vulnerabilities and the
security controls affecting those assets’
exposure to threats.
Exposure is the critical element of security
status that is impossible to understand
without insight into the relationship
between the assets and network
infrastructure. It becomes especially
important during times of change –
such as cloud migrations, mergers and
acquisitions – as attackers routinely use
times of chaos as opportunities to slip
behind defences unnoticed.
For another example where exposure
is an important consideration,
consider a change to a firewall rule.
These changes are made every day in
an organisation to refine access and
enable new services.
To make sure a proposed change is
secure, you have to know which firewalls
are relevant to the change; whether the
change adheres to rule, access and
configuration compliance policies; and
whether the change would open up a
network path to a vulnerable asset. If a
change to a firewall
is going to create a risky exposure, it
undermines the purpose of the firewall
as a security control. So, does your
organisation have the visibility it needs
to enable secure innovation? Below is a
good checklist to gauge where you are:
• Do I have a record of all my assets?
• If an asset is compromised, do I know
the potential impact to my business?
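
The firewall-change check described above (which firewalls are relevant, whether the change meets access policy, and whether it opens a path to a vulnerable asset) can be sketched as follows. This is an added example, not code from the article; the asset records, firewall zones, policy table and the function name assess_change are all constructed for illustration.

```python
import ipaddress

# Constructed asset record: business attribute ("data") plus ports with known vulnerable services.
ASSETS = [
    {"name": "pay-db-01", "ip": "10.20.1.10", "data": "cardholder", "vuln_ports": {1433}},
    {"name": "web-01", "ip": "10.30.1.5", "data": "public", "vuln_ports": set()},
    {"name": "hr-app-02", "ip": "10.20.2.7", "data": "pii", "vuln_ports": {8080}},
]
# Constructed firewall inventory: the zones (CIDRs) each firewall protects.
FIREWALLS = {"fw-dc-core": ["10.20.0.0/16"], "fw-dmz": ["10.30.0.0/16"]}
# Constructed access policy: source ranges allowed to reach each data class.
POLICY = {"cardholder": ["10.20.0.0/16"], "pii": ["10.0.0.0/8"]}


def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


def assess_change(src, dst, port):
    """Assess a proposed 'allow src -> dst:port' rule before it is deployed."""
    src_net, dst_net = _net(src), _net(dst)
    # 1. Which firewalls are relevant: those protecting a zone the destination overlaps.
    firewalls = sorted(fw for fw, zones in FIREWALLS.items()
                       if any(dst_net.overlaps(_net(z)) for z in zones))
    violations, exposures = [], []
    for asset in ASSETS:
        if ipaddress.ip_address(asset["ip"]) not in dst_net:
            continue  # asset is not reachable through this rule
        # 2. Access policy: the source must sit inside a range allowed for this data class.
        allowed = POLICY.get(asset["data"])
        if allowed is not None and not any(src_net.subnet_of(_net(c)) for c in allowed):
            violations.append(asset["name"])
        # 3. Exposure: the rule opens a path to a port running a vulnerable service.
        if port in asset["vuln_ports"]:
            exposures.append(asset["name"])
    return {"firewalls": firewalls, "violations": violations, "exposures": exposures,
            "approve": not violations and not exposures}


if __name__ == "__main__":
    for rule in [("0.0.0.0/0", "10.20.0.0/16", 1433),
                 ("10.5.0.0/16", "10.20.2.0/24", 8080),
                 ("10.1.0.0/16", "10.30.1.5/32", 443)]:
        print(rule, assess_change(*rule))
```

The second sample rule passes the access policy yet still fails, because it opens a path to a vulnerable service; that is the exposure case the article singles out.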
Issue 16 | www.intelligentciso.com