Security-first
You'll find the Castillo de San Marcos National Monument area in St. Augustine, Florida. This sign depicts its "defense in depth" strategy, designed to make it very difficult for enemies to even reach the fort's formidable stone walls.
Unfortunately, defense in depth has failed us in the cybersecurity world, mainly because networks whose security is bolted on after the fact ("day two" security) are almost impossible to defend (over 99% of cyberattacks exploit our business networks).
In the cybersecurity world, we need defense in depth, but it needs to be "security-first".
Cloud-first, API-first…security-first
The world’s leading innovators are building security-first products, and it will be table stakes by the 2030s:
Cyberattackers love your network
Most products don’t yet include built-in secure networking. Instead, IT or OT is expected to securely connect the products via day-two networking bolt-ons. The results have been disastrous - just about every cyberattack uses the network to exploit its target.
Security-first software is a cyberattacker’s worst nightmare
Security-first products include built-in secure networking. These products are secure by design and secure by default. IT or OT is no longer put in the mission impossible situation of trying to transform default insecure products into secure products.
VPN = broken
Because the secure by design product includes built-in secure networking, it is no longer dependent on the horrors of VPN, MPLS (Direct Connect, ExpressRoute, etc.), private mobile APN, open firewall ports, etc.
Soon, if a product requires bolting-on VPNs, or any type of day two bolt-ons, then the product will be considered to be incomplete, broken or unsellable.
Cut off the oxygen
Your servers and databases are the target – they have the data the cyberattacker wants. Secure by design products result in these servers being unreachable from the networks (your network is the tool the cyberattackers use against you, and the tool which the cyberattacks depend on – your network is the oxygen of 99% of cyberattacks).
This unreachable attribute of secure by design products means the attacker can’t get to your data, even if the attacker has the user account (e.g. Snowflake, JPMC), or if the server has a zero day vulnerability (e.g. Microsoft, MOVEit). Cut off the oxygen (the insecure network) and you have time to deal with these things, because your data is not exposed. Similarly, your B2B APIs and servers are no longer reachable (e.g. Marriott, LinkedIn), and your third parties don’t get inbound network access (e.g. Home Depot, Equifax).
How many cyberattackers are hanging out in your data center?
Secure by design products assume that there is always malware or zero days lurking in the shadows. Therefore, the server outbound network access is removed, so that any existing malware can’t wake up and exfiltrate data (e.g. UnitedHealth), or ‘phone home’ to its command and control (C2) server (e.g. Solarwinds).
So, rather than breach your data from anywhere on the planet, the attacker needs to walk into your data center, console into your server, and then walk back out with your data (or sprint out without face planting or dropping the hard drives).
Secure by design is simple and transparent
A beautiful feature of this new approach is it is simple to test. It is a 2-item, yes-no checklist, and both items are easy to answer:
If both answers are “no”, then the product is secure by design, and IT/OT are not being asked to miraculously transform inherently insecure products into secure ones.
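The two properties the post relies on (servers unreachable inbound, and no outbound path for malware to phone home) can be checked on a host from its socket table. The following is an added example, not code from the post or from any product it mentions; it assumes the checks are read as (1) no service listening on a non-loopback address and (2) no established connection to any peer other than the secure networking agent's permitted endpoint, and it parses constructed `ss -Htan` style output (the allowed peer address is a placeholder).

```python
"""Host posture check for the 'cut off the oxygen' model (added example)."""
from ipaddress import ip_address

# Assumption: the built-in secure networking agent dials out to exactly this
# peer; everything else outbound is a potential exfiltration or C2 path.
ALLOWED_OUTBOUND = {("203.0.113.10", 443)}  # TEST-NET placeholder, not a real endpoint

def split_addr(addr: str):
    """Split 'host:port' (also '[::]:8080', '*:22') into (host, port-string)."""
    host, _, port = addr.rpartition(":")
    host = host.strip("[]")
    if host in ("*", ""):
        host = "0.0.0.0"
    return host, port

def is_loopback(host: str) -> bool:
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return False

def audit(ss_output: str):
    """Return findings; an empty list means both checklist answers are 'no'."""
    findings = []
    for line in ss_output.strip().splitlines():
        fields = line.split()  # State Recv-Q Send-Q Local Peer
        if len(fields) < 5:
            continue
        state, local, peer = fields[0], fields[3], fields[4]
        lhost, lport = split_addr(local)
        if state == "LISTEN" and not is_loopback(lhost):
            findings.append(f"inbound: listener on {lhost}:{lport} is network reachable")
        elif state == "ESTAB":
            phost, pport = split_addr(peer)
            if (phost, int(pport)) not in ALLOWED_OUTBOUND and not is_loopback(phost):
                findings.append(f"outbound: connection to {phost}:{pport} not on allow-list")
    return findings

def is_secure_by_design(ss_output: str) -> bool:
    return not audit(ss_output)

# Constructed sample: SSH and an HTTP app exposed, Postgres on loopback only,
# one connection to the agent endpoint and one to an unknown peer.
SAMPLE = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 4096 [::]:8080 [::]:*
ESTAB 0 0 10.0.0.5:51234 203.0.113.10:443
ESTAB 0 0 10.0.0.5:51300 198.51.100.7:443
"""

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f)
```

On a real host, feed it the output of `ss -Htan`; the loopback-only Postgres listener and the connection to the agent's endpoint are the only lines that pass.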
Security-first will arrive in the blink of an eye
The secure by design pioneers will quickly push the model to mainstream - a product will soon be considered incomplete or broken if it isn’t secure by design - if the product does not include built-in secure networking. I will mention a few of these pioneers below.
In the blink of an eye, the old model will seem like the pre-Internet, pre-mobile or pre-cloud world, and the security-first model will enable our businesses to advance.
Yousef Khalidi Dominik Münsterer Yogesh Kaushik Michael Fey Rodrigo Bernardinelli Michael Rosenbloom Achim Knebel Jedidiah Bartlett Steve Lindsey Evan Gilman Brad W. Luca Simoncini Wendy Nather Dwayne Bradley Ram Gupta Chad Cravens Sameer Malhotra Tony Scott Frederik Schmidt Dan Amiga Rajani Kolli Peter Sch?nemann Ganesh Srinivasan Greg Shields JOHN WILSON Chenxi Wang, Ph.D. Rajesh Dronamraju Alissa Valentina Knight Wolfgang Schwering Rolando Carrasco Erik Young David Lawrence Bill Fitzpatrick Damir Jaksic Nir Gaist
Digital Transformation Leader | CIO | Driving Change, Strategy & Cyber Security | Board-Level Decision Maker
8 months
Nicely explained, no wonder you guys have a great product!
Amen Galeal Zino! The technologies exist to provide a much more secure infrastructure. Just need more executives and engineers to be aware, to prioritize, and execute!
Great, concise write up Galeal!