Time for a New Approach to Enterprise Security
By Sunil N Kurkure and David R Mueller
As businesses accelerate digital transformation and cloud migration, a new security architecture is required to enable the distributed enterprise to manage, deploy and extend security where it is needed as well as to address increasing regulations and compliance requirements.
The evolving security models fall short of meeting the challenges faced by the modern enterprise because they focus on securing a highly centralized IT system with endpoints, firewalls and data centers, and cannot keep pace with scale, unfamiliar threat surfaces, changing workflows and modern application development.
Therefore, enterprises need an architecture that secures a dynamic, distributed and evolving environment that spans remote workers, applications, devices and hybrid cloud-based services and infrastructure.
Recently, we convened industry-leading CISOs at our ninth annual Intel Capital CISO Summit to discuss and validate their approaches to modern security architecture. In particular, we heard unmet needs in four distinct areas: identity, developer workflow, APIs and software supply chain.
To quote one of the CISOs, “identity and access management (IAM) is the lynchpin of every security program.” But with historically high volumes of digital identities, IT security leaders are struggling to keep up with identity management and security, putting enterprises at risk. And while CISOs agree that taming the “identity sprawl” is essential to building a modern enterprise security architecture, they caution that we must first ace the basics by mastering identification.
Identities have expanded beyond people, with IoT, OT and IoMT devices as well as data itself now having identities. With the problem exacerbated by the multiple types of assets and their complexity, one CISO admitted, “I don't even know what an asset is anymore.” We believe smart, modern identity solutions are needed to deliver a frictionless and secure experience for every user, asset and data interaction. They should provide access rights and single sign-on from any device, enhance security with multifactor authentication, protect privileged accounts, and more.
Developers have long faced pressure to quickly build and release code, but modern developers now face a second and sometimes competing priority, which is the security of their code, a responsibility previously owned by security teams. So with developers juggling speed and security, it raises the question: what is being prioritized?
The answer is both: speed and security. However, developers prioritize speed by selecting lower visibility and lower friction security solutions in order to bring their products and services to market quickly. Developers dislike security functions because those functions limit their creativity and often force the use of tool sets and processes.
The key challenge, one security leader explained, is extending beyond modern security technologies to people, “having security champions across teams - embedding security into the way you build software.” Because while CISOs fully support this concept of “shift left,” building secure code directly into applications, it is not as popular among developers, who one CISO estimated would need to spend at least 30% of their time on security in order to do it correctly.
APIs are the new glue within and between enterprises, serving as a portal through which all data flows across distributed workforces. The problem? API security proficiency is low among IT security teams, with few closely tracking what types of datasets are being transferred across APIs, opening the door to API-related data breaches, which Gartner predicts will be the most frequent attack vector in 2022.
Where to start? One CISO said, “APIs were designed to enable digital transformation, but today, developers are creating APIs at rapid speed without proper governance.” Another CISO added, “we need proper IAM tools to authenticate and provide access controls for and between APIs.”
Software Supply Chain
Increased adoption of open-source software across enterprises, among other factors such as continuous integration (CI) and continuous deployment (CD), has weakened software supply chain defense against bad actors, who are well versed in attacking open-source code, deemed a “key national security concern” by White House National Security Advisor Jake Sullivan. But with reliance on the rise, it is clear that open-source software is here to stay, requiring enterprises to remain vigilant.
At the individual IT security team level, this means dismantling the notion that “open” means transparent or trustworthy. In the software supply chain, it means exposed and vulnerable. But what does this look like in practice? One CISO said, “security leaders are upping the rigor of vendor reviews and avoiding tools with vulnerabilities.” But the question remains, with software continuously being updated, is the frequency of these reviews enough to keep enterprises safe?
The Road Ahead
Technology is just one piece of the puzzle. CISOs must also consider processes and people to build a modern security architecture that enables the business, empowers security operations and adapts to an unpredictable threat landscape.
By obtaining early stakeholder buy-in, identifying and automating modern solutions and building a collaborative CISO community through which pertinent threat intel is shared regularly, CISOs will be better positioned to deploy holistic cybersecurity programs that arm enterprises against attacks.