A Security and Privacy Point of View - Updated

The point of view we espouse is ‘less is more’. Here are some of the tenets of the approach, which may or may not be reflected in the latest industry control frameworks. Remember, compliance is not security; that distinction answers the question, “Why did we get breached when we were compliant?”

Warning: Many of these points may spur debate or be considered disruptive to the way ‘Security’ has been designed, implemented and managed for the last 30 years. If the old way of doing things were working, why would we still be gainfully employed, and why is data continually breached from organizations of all sizes and financial capabilities?

Reduce the attack surface and create a frictionless user experience, which means:

  • Don't data-hoard. Evaluate and classify data, then eliminate data that is no longer in use or providing business value, or encrypt and archive it.
  • Understand and protect the value of data and information to your organization. Evaluate, classify, and protect data using rights management (for example Azure Information Protection, AIP) and/or encryption at rest (for example SQL Server Transparent Data Encryption, TDE), scaled to its risk impact on your organization.
  • Eliminate the means of perimeter breach, i.e., the corporate VPN. The perimeter is all but dead, and every network needs to be treated like a public network at this point (assume breach). No network is impenetrable. Protect the data, not necessarily the networks or devices (more on that below).
  • Protect devices only insofar as to make them less susceptible to ransomware and DDoS attacks; that improves resiliency, not data security or privacy, because, guess what, you can't make an endpoint fully secure. To this end, reduce the risk of operational disruption and user frustration at the endpoint, but don't waste time trying to patch everything constantly. For heaven's sake, don't use patch levels as the metric of how well your Security Program is doing. That will only come back to haunt you, because as hard as you try, you will never be fully up to date. Even if by some miracle everything in the enterprise is running the very latest feature and security patch revision, there will be dozens of vulnerabilities in each application, appliance, and operating system that have not been made public yet. Patch management is an exercise in futility. Devices should be treated like throwaway capital assets that rapidly depreciate throughout their lifecycle. If the data is encrypted, it can safely reside anywhere; yes, even on the most malware-infected endpoint or on an unencrypted storage device like a thumb drive. The one caveat: encryption protects data only while it stays encrypted and the key is held elsewhere; data decrypted for use on a compromised endpoint, or stored beside its key, is exposed.
  • Reduce the application portfolio, which in our experience is usually 2,500 to 3,500 applications per organization, distributed across many business units and ‘owners’ with various security and compliance gaps. Can it be effectively argued that an organization needs 2,500 to 3,500 applications to run its business? What did organizations use to process transactions and keep records before client/server computing and local area networks, i.e., before the mid-1980s?
  • Once the application portfolio is consolidated, move applications and compute workloads to the Cloud, where authorized users can gain access from any device, at any time, from any location, using state-of-the-art authentication unencumbered by the enterprise network: for example, Cloud-only authentication, directory services, and Identity and Access Management.
  • Modernize authentication using only Authenticator-app multifactor authentication; no SMS text or call-back. Implement 100% MFA, no exceptions. Seek out behavioral authentication signals and threat intelligence to reduce the risk of the impossible traveler (consecutive sign-ins from two locations too far apart for the elapsed time), role violations, impersonation, etc.
  • Make access to applications and data consistent across platforms and devices, reducing user friction and frustration. Be sure to leverage the scale of Cloud response, availability and resiliency across everything you do.
  • Resist the urge to implement single-point-of-failure architecture to provide authentication services on-premises or to hairpin network traffic through the data center for inspection. There are too many viable Cloud-based alternatives to this approach; see Azure Active Directory Sync and ZScaler as respective examples.
  • The most disruptive statement I'll make here: eliminate on-premises Active Directory if at all possible and move to Azure Active Directory and Intune for application and device management, respectively. If you need to hold onto on-premises Active Directory for legacy applications or legacy authentication, look at ways of modernizing those dependent applications, or ways they can interoperate with Azure Active Directory using modern authentication via a third-party solution. Better yet, replace the application(s) with SaaS or other solutions. Why eliminate on-premises Active Directory? Because it is a threat actor's primary target. Once in, he or she wants to maintain access and impersonate users of all types. How better to do this than with pass-the-hash? Holding the NTLM hash of an Enterprise or Domain Administrator, an attacker can authenticate as that account without ever knowing the password, take over Active Directory, and from a domain controller extract every account's username and password hash.
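The impossible-traveler signal mentioned under the authentication point above is easy to state and easy to get wrong in the details (unordered events, geo-IP jitter, two sign-ins with the same timestamp). The following is an added example, not code from the original article or from any vendor product; the event layout, the speed and distance thresholds, and the sample sign-ins are constructed for this illustration.

```python
"""Impossible-traveler detection over sign-in events.

Added example, not code from the original article or any vendor product.
The event layout, the thresholds and the sample events are constructed
for this illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
# Faster than any commercial flight; a sign-in pair implying more than this
# cannot be one person travelling. Assumed threshold, tune per environment.
MAX_PLAUSIBLE_SPEED_KMH = 1000.0
# Pairs closer than this are ignored: geo-IP jitter and commuting within one
# metro area would otherwise produce noise. Assumed threshold.
MIN_DISTANCE_KM = 50.0


@dataclass(frozen=True)
class SignIn:
    user: str
    ts: datetime      # timezone-aware
    lat: float
    lon: float
    ip: str


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def find_impossible_travel(events, max_speed_kmh=MAX_PLAUSIBLE_SPEED_KMH,
                           min_distance_km=MIN_DISTANCE_KM):
    """Return one alert per consecutive sign-in pair that a person could not
    have travelled between in the elapsed time. Events may arrive unordered."""
    by_user = {}
    for e in sorted(events, key=lambda e: (e.user, e.ts)):
        by_user.setdefault(e.user, []).append(e)

    alerts = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if km < min_distance_km:
                continue
            hours = (cur.ts - prev.ts).total_seconds() / 3600.0
            # Same timestamp from two distant places (e.g. a replayed session)
            # is the extreme case: infinite implied speed, always flagged.
            kmh = float("inf") if hours <= 0 else km / hours
            if kmh > max_speed_kmh:
                alerts.append({
                    "user": user,
                    "from_ip": prev.ip, "to_ip": cur.ip,
                    "km": round(km), "hours": round(hours, 2), "kmh": kmh,
                })
    return alerts


def _utc(h: int, m: int = 0) -> datetime:
    return datetime(2024, 1, 15, h, m, tzinfo=timezone.utc)


# Constructed sample sign-ins (RFC 5737 documentation addresses).
SAMPLE_EVENTS = [
    # alice: New York at 09:00, London at 10:30 -> ~5,570 km in 1.5 h, flagged
    SignIn("alice", _utc(9, 0), 40.71, -74.01, "203.0.113.10"),
    SignIn("alice", _utc(10, 30), 51.51, -0.13, "198.51.100.7"),
    # bob: Chicago at 08:00, New York at 14:00 -> ~1,140 km in 6 h, plausible
    SignIn("bob", _utc(8, 0), 41.88, -87.63, "203.0.113.22"),
    SignIn("bob", _utc(14, 0), 40.71, -74.01, "203.0.113.23"),
    # carol: New York then Newark five minutes later -> under the distance floor
    SignIn("carol", _utc(9, 0), 40.71, -74.01, "203.0.113.30"),
    SignIn("carol", _utc(9, 5), 40.74, -74.17, "203.0.113.31"),
    # dave: same timestamp from New York and London -> zero elapsed time, flagged
    SignIn("dave", _utc(12, 0), 40.71, -74.01, "203.0.113.40"),
    SignIn("dave", _utc(12, 0), 51.51, -0.13, "198.51.100.9"),
]


if __name__ == "__main__":
    for alert in find_impossible_travel(SAMPLE_EVENTS):
        print(alert)
```

Run stand-alone, it flags alice and dave and stays quiet on bob and carol. The distance floor and the speed ceiling are the two knobs that decide the false-positive rate; a production version would also suppress known VPN and Cloud egress ranges, since a user switching from a home connection to a corporate proxy in another region is the most common benign cause of this pattern.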
Brett Newton

Vice President, South Region

6 years

I really like some of the thoughts here, Joe, esp. Data Hoarding and applications that are long overdue to sunset. The operational costs, data risks, and complexity of keeping so many applications should keep any CIO up at night. I think in the cloud-enabled agile age, more is less, and legacy applications should either be modernized and combined or retired; it will drive efficiency, user satisfaction and security of mind!

Kent Hallamore

Cyber Security and Server Operations Manager

6 years

Another great article collating original thought and ideas with current enterprise models and practices. Keep up the good work.
