Long live the 'secure breach' era
Breach prevention is dead.
By Tsion Gonen, chief strategy officer, SafeNet | Network World US | Published: 17:13, 30 October 2012
Every defense paradigm has a finite life span and the IT industry's breach prevention paradigm, which is based on perimeter technology designed to keep the bad guys out, is completely out of step with today's threat landscape. It's time to move on to a new era: the "secure breach" era.
Think of this in terms of military defenses. Body armour, once the firewall of combat capable of defending against rocks and arrows, quickly became obsolete with the introduction of simple firearms. In World War II, aircraft carriers made battleships obsolete and today, stealth technology is making conventional radar obsolete. Offensive weapons are developed and perfected with the sole purpose of defeating the status quo defense.
Breach prevention has been the status quo for years, and it is as helpless against today's new threats as armor was against firearms. People, however, are resistant to change. It is frightening to abandon the ways we've always done things, even when moving on is obviously the right thing to do.
Related Articles on Techworld
To revisit the military metaphors, World War I clearly showed that machine guns, artillery and barbed wire made cavalry charges obsolete. And yet, every major military in the world maintained cavalry units through the beginning of World War II. Unfortunately, this stubborn adherence to the status quo always leads to carnage. Today's IT security carnage is playing out in newspaper headlines in the form of data breach reports.
So, how do we change the status quo and usher in the secure breach era, an approach to security that keeps valuable assets secure even when hostile intruders have penetrated the perimeter? Here's a four step program:
* Introspection: First, examine why we are not winning the war against hackers, cybercriminals, etc. Why are we not winning? Because we stubbornly adhere to Einstein's definition of insanity: doing the same thing over and over again and expecting a different outcome. In this case, that same thing is responding to breaches by investing disproportionate sums of money in perimeter defenses in a futile attempt to prevent breaches.
The industry needs to stop living in the past. It needs to try something new. It needs a heavy dose of introspection so it can adopt a new mindset: the "secure breach." Let's dig deeper into the remaining steps to changing the status quo:
* Acceptance. Stop pretending you can prevent a perimeter breach. Accept that it will happen and build your security strategy accordingly. We need to admit that we, as an industry, have a problem. Start by asking yourself if your security philosophy has changed much in the last 10 years. It almost certainly has not. You're likely to be spending 90% of your security budget the same way you did back in 2002, which undoubtedly focuses on perimeter and network defenses.
It is difficult to name an IT industry that has stayed the same as long as ours has. It's as if we've had blinders on, telling ourselves to stick to breach prevention. But that mindset isn't advancing organizations. Take a look at other sectors within the IT industry and you'll see huge change in the last five to 10 years because we didn't have a choice. The way people demand, use and share data is nothing like 2002 and today the problem and the solution just don't match up. It's no longer just about the network or our PCs. It's about the actual data.
Now, that isn't to suggest that organizations should stop investing in key breach prevention tools or do away with layered security. What we need to do is place our bets on strategies that protect our most valuable assets. Just like the military, IT should always presume to be functioning in a compromised state.
* Understanding: The third step is knowing who your enemies are and what they're after. Today's threat is not from kids looking to prove they are smart enough to deface a website. Modern adversaries are sophisticated, international organisations whose business is to defeat your defenses. They might be organised crime syndicates, nation-states or hactivists.
No matter who they are, they have the skill, financial backing and motivation to defeat your defenses. You don't protect yourself against these kinds of sophisticated organizations by building a bigger wall around your house -- they will simply build a bigger ladder. You protect yourself by making it so difficult to access what they crave -- which is always your data -- that they give up and move on to someone else. In business terms, you create a very poor return on their investment in trying to steal your data.
How do you do this? First, you put yourself in the mindset of your adversary and understand what they want to steal from you. From there, you'll quickly realise that protection must be moved closer to what really matters - the data itself. Obviously, this means data encryption.
Encryption is an ROI killer for any would-be attacker. By attaching the protection to the data, you're killing the value of the data once a breach has taken place, and you've made the breach largely benign since no data has truly been compromised.
Zappos, the online shoe and clothing retailer, is a perfect example of how this secure-breach approach can be a game changer in the fight against data compromise. Zappos announced an attacker was able to penetrate its perimeter defenses and gain access to data such as customer names, email addresses and shipping information, but due to encryption that scrambled passwords and credit card numbers, the attackers got virtually nothing of value from the theft.
Ironically, publicity around this secure breach could very well make Zappos more secure moving forward, since potential attackers will know the company represents a poor investment of their time and effort.
* Action: Encryption is the key enabling technology for implementing a secure breach strategy. Encrypting data is tantamount to killing the data the moment it falls into the wrong hands. But encryption on a massive scale is not simple -- particularly in the area of key management. And it can go very, very wrong if not done correctly.
In fact, bad encryption can be more dangerous than the theft of unencrypted data, because it can prevent enterprises from being able to access their data when they need it. The key is to encrypt, but verify that you have control of the keys, and can maintain control as key management requirements scale. Many enterprises today are doing this by adopting best-in-class key management technologies and processes, and in doing so they are able to efficiently use encryption on a massive scale.
Encryption also facilitates the adoption of new technologies, such as virtualisation and cloud. By encrypting data, enterprises can maintain control over the data no matter where it resides, even if it is stored on someone else's cloud platform. Encryption allows true ownership of the data to be retained by its proper holder, which both ensures security and facilitates compliance.
It may be difficult to accept you have been breached and that you will be breached. It's difficult because in the traditional breach-prevention mindset, this is like admitting defeat. If you move to a secure breach mindset, however, it is not defeat at all. Defeat is only when an attacker successfully makes off with usable data.
Once you adopt this mindset you understand that not all breaches are alike -- some are secure, and some are not. CEOs, CFOs and CSOs should no longer turn a blind eye to the simple fact that breaches are happening and they are not going away. They should lead the transition away from the status quo and to a new era where security of the data is security itself. This is the era of the secure breach.
SafeNet Inc. is one of the largest information security companies in the world, and is trusted to protect the most sensitive data for market-leading organisations around the globe. SafeNet's data-centric approach focuses on the protection of high value information throughout its life cycle, from the data center to the cloud.