The COVID-19 pandemic has brought all sorts of societal changes, including emerging needs to think about security differently, as HackerOne CEO Marten Mickos recently said in an interview. But even before the coronavirus outbreak, there was a need to reconsider traditional approaches to security. Over the past few years we’ve started hearing more about “Zero Trust,” a concept that saw early activity within Google in response to a nation-state breach of its cloud a decade ago, which caused the company to realize that moats and walls were no longer effective protection.
Manav Mital, CEO and founder of Cyral, a cybersecurity startup that focuses on data-layer security, walked me through the new normal of highly distributed corporate security. In such a world, the importance of data-centric security becomes paramount.
Among the changes that COVID-19 is forcing on us is an unprecedented migration away from offices. Employees around the world are packing up laptops and working from home (“WFH”). This shift has serious implications for cybersecurity of which we all should be aware. However, while the current environment has made the need for distributed security obvious, that need has long been with us. It has always been the case that employees have been taking work home with them; the only difference now is the obvious, concerted scale of it all.
One of the challenges inherent in securing the distributed workforce is that some of us simply weren’t designed to work from home. Robbed of the structure of going into an office every day, our cadence and productivity falter. According to Mital, many companies’ computer systems are the same; they simply were not designed to manage a large remote workforce.
Nor is it a problem with any particular corporate network. As Mital pointed out, “Never before in its short history has the internet handled so much traffic with hundreds of millions of workers now logging into their companies from home.” Indeed, few virtual private networks (VPNs)–the software that allows remote workers to tunnel into their company’s internal systems–were built to handle the kind of load now being placed upon them.
The result is an explosion of new vulnerabilities that companies may not be prepared to withstand.
What happens when the enemy is us?
Cybersecurity began as an effort to wall off companies from the outside world, protecting trade secrets, customer data, and other sensitive information from unauthorized people. Since then, the world has grown far more complicated. Data has become increasingly important even as it has been moved to the “cloud,” and accessed through the internet.
No longer do just employees need access to that data–customers do, too. And no longer do just people need access to that data–other computer systems do, too. Corporate computer systems are no longer isolated forts; they are interconnected hives with information passing back and forth in myriad ways.
The result has been a steady increase in ways for criminals to get that data, and a steady drumbeat of increasingly spectacular breaches, with criminals stealing everything from credit card and social security numbers to the blueprints for nuclear power plants. With virtual private networks that were built to handle modest numbers of workers now facing hordes, the threat vectors are proliferating.
So what can be done?
Fixing what’s broken
The first step, said Mital, is to immediately patch the multiple vulnerabilities in VPN software that have been identified in the past year. VPN infrastructure should also be scaled to meet the demands of the surging remote workforce. If it is not sufficiently scaled, he continued, employees will be less likely to use VPNs and will turn to insecure workarounds instead. Companies need to enforce strong authentication procedures, including multi-factor authentication. Firewall and full disk encryption policies should be in place and reviewed to ensure they are working properly.
As mentioned, such approaches have been important for years, though they haven’t necessarily gotten the priority they deserved.
But even more important, said Mital, companies and governments need to adopt zero-trust computing: Assume that everyone is a threat and rather than worrying about the castle gates, focus on protecting the crown jewels–the data–instead. Cybersecurity is complicated; there are many layers starting with people and devices up to the data itself. Despite the central importance of the data, Mital pointed out, few corporations employ data-layer security. That’s in part because legacy protections were built further away–at the castle gates, so to speak–at a time when the world wasn’t as data-focused as it is today. It’s in part because previous data-layer protections just slowed things down.
But there are innovative data privacy and data encryption tools coming out of research institutes, including homomorphic encryption, which is strong enough to resist even the looming code-breaking power of quantum computers. The pattern-recognizing power of artificial intelligence can be harnessed to spot suspicious behavior when it starts. New automated data-layer security watches all activity touching data and can shut down behavior that does not fit normal patterns–even if bad actors have infiltrated through vulnerable VPNs.
“Corporations just need to upgrade to data-layer protection,” Mital insisted.
COVID-19 is making the issue more critical, but corporations are notoriously slow to act. Until consumers demand that companies adopt these solutions, they will continue to be vulnerable to criminals stealing social security numbers, credit card numbers, passwords, and more.
Disclosure: I work for AWS, but nothing herein relates to my work there.