Fixing IT's broken trust model will take center stage in 2017
Adam Boone
CMO | Sequoia, Greylock, Bessemer startups with successful exits | Best-in-Class Go-to-Market Strategy, Demand Generation, Branding, Product Management
In the waning days of 2016, we looked back on another year of the data breach pandemic engulfing enterprises and governments worldwide.
Breach after breach hit organizations in all industries and sectors. Mammoth thefts of personal data, hacked financial systems, and compromised communications cost us billions and allegedly shaped the outcome of the US presidential election.
Will 2017 see more of the same?
Or will it be the year that finally changes our approach to cybersecurity?
Here are some predictions of what 2017 will have in store for IT security.
The Single User Steppingstone
Last week the US Department of Homeland Security and the Federal Bureau of Investigation released a report outlining the attack vectors believed to be used by Russia-backed attackers to compromise a US political party.
While more evidence and details are to be released in coming weeks, the attack vector described in the report comes as no surprise to anyone in the security industry. A single user was compromised through a phishing attack. Then attackers moved laterally from system to system to harvest sensitive data.
This vector, with slight variations, has featured prominently in virtually every major data breach for the past five years.
This vector is so widely exploited because most security architectures rest on a badly outmoded Trust Model. The broken Trust Model grants implicit trust to networks and systems you own or control and withholds it from everything else. Once an attacker holds one valid set of credentials inside that perimeter, the same implicit trust is extended to the attacker, and every system that trusts the network becomes reachable.
We predict in 2017 security architects will launch major redesigns to implement modern approaches to access control that recognize no network or user can be implicitly trusted. This hopefully will go a long way toward blocking the single compromised user attack vector.
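As an added illustration, not code from the article or from any vendor's product, the following Python contrasts the two access-decision models described above: a perimeter check that trusts any request arriving from the corporate network, beside a per-request check that ignores network location and verifies user, MFA, device and resource authorization on every access. The network ranges, user and group names, device inventory and resource policy are all hypothetical.

```python
"""Perimeter trust vs. per-request ("Zero Trust") access decisions.

Added illustration only; all networks, users, devices and policy
tables below are hypothetical and constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Hypothetical corporate ranges the perimeter model treats as "trusted".
CORP_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Hypothetical directory data: group membership, per-resource policy,
# and which managed device is issued to which user.
USER_GROUPS = {"alice": {"staff", "hr"}, "bob": {"staff"}}
RESOURCE_GROUPS = {"wiki": {"staff"}, "hr-db": {"hr"}, "finance-share": {"finance"}}
MANAGED_DEVICES = {"laptop-0421": "alice", "laptop-0777": "bob"}


@dataclass(frozen=True)
class Request:
    user: str
    src_ip: str
    resource: str
    mfa_verified: bool = False
    device_id: Optional[str] = None
    device_compliant: bool = False


def perimeter_allows(req: Request) -> bool:
    """Broken trust model: anything inside the corporate network is trusted,
    so a phished user's workstation reaches every internal resource."""
    return any(ip_address(req.src_ip) in net for net in CORP_NETWORKS)


def zero_trust_allows(req: Request) -> Tuple[bool, str]:
    """Per-request decision. Source network carries no weight; every check
    must pass on every request. Returns (decision, reason) for logging."""
    if not req.mfa_verified:
        return False, "mfa-required"
    # The device must be a managed one issued to this same user.
    if req.device_id is None or MANAGED_DEVICES.get(req.device_id) != req.user:
        return False, "unmanaged-or-mismatched-device"
    if not req.device_compliant:
        return False, "device-not-compliant"
    # Least privilege: the user needs a group that this resource admits.
    if not USER_GROUPS.get(req.user, set()) & RESOURCE_GROUPS.get(req.resource, set()):
        return False, "not-authorized-for-resource"
    return True, "ok"


def compare(req: Request) -> Tuple[bool, Tuple[bool, str]]:
    """Evaluate one request under both models side by side."""
    return perimeter_allows(req), zero_trust_allows(req)


# Constructed scenario: bob's password was phished. The attacker first
# uses bob's own managed laptop, then moves to an unmanaged host on the
# corporate network with the stolen credentials.
LATERAL_FROM_BOBS_LAPTOP = Request(
    user="bob", src_ip="10.1.2.3", resource="hr-db",
    mfa_verified=True, device_id="laptop-0777", device_compliant=True,
)
STOLEN_CREDS_UNMANAGED_HOST = Request(
    user="bob", src_ip="10.1.2.99", resource="wiki", mfa_verified=True,
)
LEGITIMATE = Request(
    user="alice", src_ip="203.0.113.7", resource="hr-db",
    mfa_verified=True, device_id="laptop-0421", device_compliant=True,
)

if __name__ == "__main__":
    for name, req in [("lateral", LATERAL_FROM_BOBS_LAPTOP),
                      ("stolen-creds", STOLEN_CREDS_UNMANAGED_HOST),
                      ("legitimate", LEGITIMATE)]:
        perimeter, (zt, why) = compare(req)
        print(f"{name:12} perimeter={perimeter!s:5} zero_trust={zt!s:5} ({why})")
```

Note the asymmetry: the perimeter model admits both attacker requests because they originate inside 10.0.0.0/8, while it would block the legitimate HR user working from an external address. The per-request model reaches the opposite decisions, and each denial carries a reason that can be logged and alerted on, which is what turns a blocked lateral move into a detection.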
Cybersecurity in the C-Suite & Board Level
The need to rethink security designs will become even more urgent in 2017 as enterprises around the world grapple with increasingly stringent regulations around cybersecurity.
The most prominent of these is the European Union’s General Data Protection Regulation (GDPR). The GDPR mandates that companies handling the personal data of individuals in the EU take effective measures to protect it or face stiff fines. Taking effect in May 2018, the GDPR will drive companies that want to do business in the EU to modernize their security controls in 2017.
The days of subpar investment in cybersecurity controls and protections are over. Strong regulatory mandates now mean that cybersecurity topics have increased visibility in the board room.
We expect cybersecurity reboot projects and these compliance mandates to become dominant features in the risk management plans in organizations across all sectors in 2017.
The Age of ‘Zero Trust’ Dawns
It has been talked about for many years, but the concept of a “Zero Trust” security strategy will finally hit the mainstream in 2017.
Increased risk, financial impact, penalties and awareness will lead enterprise security architects to abandon the obsolete notion that any network or system can be implicitly trusted.
Forrester Research has long advocated this approach, based on its analysis of the fundamental flaws in infrastructure-based Trust Models.
Google has likewise advised enterprises to adopt Zero Trust security. In the wake of devastating breaches in federal agencies, the US Federal Government is also going Zero Trust.
The challenge with any new approach to IT is how to get started. Many of our customers have embraced the new Zero Trust strategy using our solutions that allow you to adopt Zero Trust without affecting your current infrastructure or applications.
We expect 2017 will see many more examples of how Zero Trust is taking hold. For companies and governments that are serious about reducing data breach risk, it is a question of when – not if – they will adopt Zero Trust.
Cloud Security Sales Specialist at Proofpoint
8y
Nice article Adam, and I agree it is an answer to the largest security issues. I just think to say it will happen in 2017 is a stretch. Look how long it takes for two-factor, encryption at rest, and true vulnerability management. The executive levels have to take these seriously. Now will it be the year that the vendors jump on the zero trust and start producing solutions? Hope so! But at the same time let's hope the SSO desires for simplicity don't nullify it.
Cyber Defence and Information Assurance at Cranfield University
8y
Great article and something I have been looking at is this > https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/ The new EU GDPR coming into force in May 2018 - A long way off, not so sure - but if we start implementing some of these now, you will be on your way to meeting these new guidelines / rules and also you may be slightly more protected than you are now. This is something I am going to look at, as I find it interesting that an IP Address is classed as personal data - what would be an interesting point is what happens if it is a NATed IP Address, who owns that ... ? This is something to look at and consider in the short term, but don't just read, act on what you read.