Introduction
It is interesting to me that cybersecurity conversations with large enterprises almost always start with a discussion of known gaps, or of finding gaps, rather than with an overarching strategy for a more secure enterprise. We hear slogans like “design cybersecurity into our products or services”, but rarely a discussion of the key strategic principles that need to undergird a more secure enterprise. In a few discussions with executives of large global companies, and in board presentations, demystifying cyber was important for baselining, organizing and gaining support for the work. What follows is, I hope, a way to think through some of the key pillars that grow into a robust strategy.
Identity
- Who am I? / Who are you? Identity is the new perimeter, and only the well-known should be allowed to operate. Identity resolution should be both deep and wide, and should capture the broader context of the individual: in the office, in a competitor's office, or even at a foreign company. This contextualized identity becomes a key input to the authorization calculus under Policies, Controls and Rules below.
Information & Assets
- What do I have? / What do you want? Information is the primary target for insiders and outsiders in both the commercial and the government space. If you don't understand what you have and its relative value, securing it against these threats becomes nearly impossible. “You lock your car to prevent the theft of what is inside more than the car itself.” This becomes even harder as information is obscured by its containers (documents, databases, filesystems) and becomes hybridized across SaaS, PaaS and other providers.
Policies, Controls and Rules
- What are you authorized to do? / What am I allowed to let you do? Now that we know who you are and what information you are asking for, we need to authorize you to read it or to change it (create, update, append, delete). Note that modern enterprises are moving from CRUD toward CRAQ: never update or delete in place, append only. Authorization is usually tied to roles to keep it manageable, but roles are often too coarse-grained to be truly effective and are rarely reviewed. Further, joining data across multiple systems can create information more sensitive than either source on its own, so being authorized for each source individually does not mean you should be authorized for the combination.
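The Identity and Policies pillars above describe three decisions a policy engine has to make together: is the verb one we allow at all (append yes, in-place update or delete never), does the subject's clearance and location context permit this asset, and does a derived dataset built by joining two sources inherit a higher sensitivity than either source. The following is an added example, not code from the original post, showing one way those three checks compose. The attribute model (role, clearance, location), the classification scale, the role-to-verb table and the aggregation rule for salaries joined with names are all assumptions made for illustration.

```python
"""Context-aware authorization with an aggregation (join) check.

Added example; not from the original post. Every rule and name below is
a hypothetical illustration of the Identity and Policies pillars.
"""
from dataclasses import dataclass
from typing import Tuple

# Assumed classification scale, least to most sensitive.
LEVEL_NAMES = ["public", "internal", "confidential", "restricted"]
LEVELS = {name: i for i, name in enumerate(LEVEL_NAMES)}

# CRAQ-style verbs: append is allowed, in-place update/delete never is.
ALLOWED_VERBS = {"create", "read", "append", "query"}
FORBIDDEN_VERBS = {"update", "delete"}

# Assumed role -> verbs mapping (deliberately coarse, as roles tend to be).
ROLE_VERBS = {
    "analyst": {"read", "query"},
    "engineer": {"create", "read", "append", "query"},
}

# Assumed aggregation rule: joining these two sources yields something
# more sensitive than either source individually.
AGGREGATION_RULES = {
    frozenset({"salaries", "employee_names"}): "restricted",
}


@dataclass(frozen=True)
class Subject:
    """The contextualized identity: who, with what role/clearance, from where."""
    user: str
    role: str
    clearance: str
    location: str  # e.g. "office", "competitor", "foreign", "remote"


@dataclass(frozen=True)
class Asset:
    name: str
    classification: str
    sources: tuple = ()  # non-empty for a dataset derived by joining others


def effective_classification(asset: Asset) -> str:
    """A derived asset is at least as sensitive as its most sensitive source,
    and a matching aggregation rule can raise it further."""
    if not asset.sources:
        return asset.classification
    level = max(LEVELS[s.classification] for s in asset.sources)
    level = max(level, LEVELS[asset.classification])
    rule = AGGREGATION_RULES.get(frozenset(s.name for s in asset.sources))
    if rule:
        level = max(level, LEVELS[rule])
    return LEVEL_NAMES[level]


def authorize(subject: Subject, verb: str, asset: Asset) -> Tuple[bool, str]:
    """Return (decision, reason). Denies carry a reason so they can be logged."""
    if verb in FORBIDDEN_VERBS:
        return False, f"{verb} is never permitted; append a correction instead"
    if verb not in ALLOWED_VERBS:
        return False, f"unknown verb {verb}"
    if verb not in ROLE_VERBS.get(subject.role, set()):
        return False, f"role {subject.role} may not {verb}"
    needed = effective_classification(asset)
    if LEVELS[subject.clearance] < LEVELS[needed]:
        return False, f"clearance {subject.clearance} is below {needed} for {asset.name}"
    # Location context (assumed rule): nothing above internal outside the office.
    if subject.location != "office" and LEVELS[needed] > LEVELS["internal"]:
        return False, f"{needed} data may not be accessed from {subject.location}"
    return True, "ok"


# Constructed sample subjects and assets.
ANALYST = Subject("alice", "analyst", "confidential", "office")
REMOTE_ANALYST = Subject("alice", "analyst", "confidential", "competitor")
ENGINEER = Subject("bob", "engineer", "internal", "office")
SALARIES = Asset("salaries", "confidential")
NAMES = Asset("employee_names", "internal")
SALARY_BY_NAME = Asset("salary_by_name", "internal", sources=(SALARIES, NAMES))


if __name__ == "__main__":
    for subj, verb, asset in [
        (ANALYST, "read", SALARIES),          # allowed: cleared, in office
        (ANALYST, "read", NAMES),             # allowed
        (ANALYST, "read", SALARY_BY_NAME),    # denied: join is restricted
        (REMOTE_ANALYST, "read", SALARIES),   # denied: wrong location context
        (ENGINEER, "delete", NAMES),          # denied: delete never permitted
        (ENGINEER, "append", NAMES),          # allowed
    ]:
        ok, why = authorize(subj, verb, asset)
        print(f"{subj.user}@{subj.location} {verb} {asset.name}: {'ALLOW' if ok else 'DENY'} ({why})")
```

The point the join case makes is that the analyst is individually entitled to both `salaries` and `employee_names`, yet the derived dataset is denied because `effective_classification` evaluates the combination rather than trusting either source system's decision.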
Monitoring & Learning
- Are you doing what you are supposed to? What is changing? Monitoring, or surveillance, is critical to understanding appropriate and authorized use. This means understanding both the assets and how they are changing, and the patterns of their use. Developing a baseline in an ever-changing landscape, recognizing outliers, and estimating the likelihood that an event is abnormal is the domain of a common logging strategy (security, application and infrastructure operations), together with continually improving the models to match changes in the environment.
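To make the baseline-and-outlier idea concrete, here is an added example (not from the original post) that runs two simple detectors over constructed access-log lines: per-user daily event volume scored against a mean and standard deviation learned from the first days of the log, and a "first time this user touched this asset" check that captures change in usage patterns. The log format, the sample lines, the five-day baseline window, the z-score threshold and the minimum-spread floor are all assumptions for the example.

```python
"""Baseline-and-outlier detection over constructed access-log lines.

Added example; not from the original post. Log format, sample data and
thresholds are assumed for illustration.
"""
import re
import statistics
from collections import defaultdict

# Assumed line format: "<ISO timestamp> user=<u> action=<a> asset=<s>"
LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+\s+user=(?P<user>\S+)"
    r"\s+action=(?P<action>\S+)\s+asset=(?P<asset>\S+)$"
)

BASELINE_DAYS = 5   # assumed: first five days define "normal" per user
Z_THRESHOLD = 3.0   # assumed: standard deviations above mean that count as an outlier
MIN_STDEV = 1.0     # assumed floor so a perfectly flat baseline does not flag +1 event


def parse(lines):
    """Return parsed events; malformed lines are skipped (a real pipeline should count them)."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def daily_counts(events):
    counts = defaultdict(lambda: defaultdict(int))
    for e in events:
        counts[e["user"]][e["day"]] += 1
    return counts


def detect(lines):
    """Return findings as (day, user, kind, detail) tuples."""
    events = parse(lines)
    days = sorted({e["day"] for e in events})
    baseline_days = days[:BASELINE_DAYS]
    counts = daily_counts(events)

    # Which assets each user touched during the baseline window.
    known_assets = defaultdict(set)
    for e in events:
        if e["day"] in baseline_days:
            known_assets[e["user"]].add(e["asset"])

    findings = []
    # Detector 1: daily volume far above the user's own baseline.
    for user in sorted(counts):
        per_day = counts[user]
        base = [per_day.get(d, 0) for d in baseline_days]
        mean = statistics.mean(base)
        spread = max(statistics.pstdev(base), MIN_STDEV)
        for day in sorted(per_day):
            if day in baseline_days:
                continue
            z = (per_day[day] - mean) / spread
            if z > Z_THRESHOLD:
                findings.append((day, user, "volume",
                                 f"{per_day[day]} events vs baseline {mean:.1f} +/- {spread:.1f} (z={z:.1f})"))
    # Detector 2: an asset the user never touched during the baseline.
    seen = set()
    for e in events:
        key = (e["day"], e["user"], e["asset"])
        if e["day"] in baseline_days or e["asset"] in known_assets[e["user"]] or key in seen:
            continue
        seen.add(key)
        findings.append((e["day"], e["user"], "new_asset", e["asset"]))
    return findings


def _constructed_log():
    """Constructed sample: five quiet days, then a noisy sixth day."""
    lines = []
    for i, n in enumerate([3, 2, 4, 3, 3], start=1):     # alice: 2-4 reads/day
        for k in range(n):
            asset = ["reports", "tickets"][k % 2]
            lines.append(f"2024-03-{i:02d}T09:{k:02d}:00Z user=alice action=read asset={asset}")
        lines.append(f"2024-03-{i:02d}T10:00:00Z user=bob action=read asset=tickets")  # bob: 1/day
    for k in range(12):                                     # day 6: alice pulls 12 records
        asset = "salaries" if k < 2 else "reports"          # including an asset she never used
        lines.append(f"2024-03-06T23:{k:02d}:00Z user=alice action=read asset={asset}")
    lines.append("2024-03-06T11:00:00Z user=bob action=read asset=tickets")
    lines.append("2024-03-06T11:05:00Z user=bob action=query asset=salaries")  # bob: new asset only
    lines.append("this line is deliberately malformed and is skipped")
    return lines


SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

Bob's sixth day doubles his usual volume, but one extra event against a flat baseline is not an outlier once the spread floor is applied; he is surfaced only by the new-asset detector. Alice trips both. In practice the baseline would be recomputed on a rolling window rather than fixed to the first days of the file, which is the "continuing to improve the models" part of the pillar.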
Reaction
- Can you react quickly, correctly and consistently to threats? Depending on how you have architected your assets, can you isolate, repair, redeploy and recover your critical information systems? For the highest-priority systems there are usually well thought-through reaction playbooks, but they are rarely updated and practiced. If your organization has implemented Continuous Delivery (with rollback), aka “automated build” or “automated recovery”, then when times get tough you will be glad to simply replay your standard operating procedures. With legacy systems, understanding how your resilience / BURA design is meant to work, and practicing it, is key. Even so, discussing scenarios with a risk committee, organizing a reaction team, understanding reporting requirements, and rehearsing work in degraded states all help.
The steps outlined here are just the start of getting toward a more resilient business, but I hope they simplify how I explain, in non-security terms, how firms can use what they already do in development, in marketing, or in finance as natural parallels for some best practices in IT and cybersecurity.