Over the past couple years, we’ve all heard of varying degrees of cyber-attacks being carried out on political campaigns, cities and towns, hospitals, and – perhaps not surprisingly – financial institutions. What I find the most interesting about these incidents is two-fold: that organizations are still leveraging traditional or outdated cybersecurity approaches in an era where cyberattacks have become so incredibly complex, and also how people, organizations, and governments respond and learn from them. I believe the former can be addressed much more quickly than we all think, but the latter unfortunately seems to be lagging behind.
Don’t blame the cloud
Several organizations in the financial world have made – or are starting to make – the transition to the cloud in some way shape or form. And when you hear about high-profile breaches in the industry there are very legitimate and valid reasons to be concerned about taking this step if you’re a key decision-maker. But this hasn’t stopped financial institutions from embracing public clouddue to increased reliability, scalability, and yes, even enhanced cybersecurity.
And just to be clear about public cloud offerings, they’ve matured and evolved at a rapid pace over recent years, which is why larger enterprises are getting on board. Many companies now find it easierto meet cybersecurity needs and adhere to compliance than in their own data centers, i.e. a private cloud environment, so while a lot of the attention is on “using the public cloud” as the culprit, it’s much more complexthan that.
We need a completely different approach (hello, Zero Trust)
The realissue here, in my opinion, is that no organization, company, business, or government is ever truly safe or able to prevent a breach – the problem lies with our (dated) approach and mentality. We need to adopt an assume breach mentality, which essentially takes our traditional understanding of cybersecurity and flips it on its head: you must assume that you will be breached, because it’s a when, not an if. When you start from a worst-case scenario and work your way back, you’re better suited to address it when it does eventually happen.
The bottom line is that you can’t rely on status quo cybersecurity measures within your network. Firewalls are no longer a viable answer to defense, especially in the cloud, as perimeter-based networks operate on the assumptionthat all systems and users in a network can be trusted. This is what the industry refers to as Zero Trust– it’s a concept that’s centered on the belief that nothing inside or outsideof your network perimeters should – or can – be trusted.
While you may not always be able to stop an attacker from getting in, you mustmake it incredibly hard for them to move around once they do. By doing so, they won’t even have a chance at compromising high-value assets (e.g. SSNs, DOBs, IP etc.).
Decoupling security segmentation from the network
Software-defined networking (SDN) has been all the rage these days and while it does solve a lot of network problems, security isn’t one of them. SDN has limitations in that it is tethered to the infrastructure and is designed for reliable packet delivery – not for enforcing the security of what shouldand should notbe allowed between two points on the network.
Data and applications need to be secured where they live and in order to do that, security needs to be decoupled from the network and access must move from implicit allow to default deny. By decoupling enforcement from the actual network infrastructure, fine-grained policy is achieved within the compute without requiring access to anything except the workload itself – something that is available across all cloud providers.
Because the decoupling approach is completely agnostic to where an organization runs its applications – bare metal servers, virtual machines, or containers in an on-premise data center or in any public cloud – this presents one micro-segmentation solution that works for all active applications regardless of where they are running.
We must learn from the past and move quickly
If organizations continue to focus on outdated cybersecurity methods, approaches, and policies, these types of attacks will undoubtedly happen again. And with cyberattacks on the financial industry happening 300 times more frequentlythan other industries, I truly believe that Zero Trust is the only way forward. Along with decoupling security segmentation from the network, I’d wager that financial institutions – as well as enterprises of all kinds – would see a dramatic decrease not necessarily in the amountof attacks taking place, but a significant reduction in the damage and clean up that needs to be made.
About The Author
Andrew Rubin is CEO and founder of Illumio, where he is responsible for the overall strategy, vision, and funding of the company. With expertise in the areas of network security and compliance management, Andrew is a frequent participant in panels, articles, and podcasts for leading industry events and publications. Goldman Sachs has named Andrew as one of the “100 Most Intriguing Entrepreneurs” in 2015, 2016, and 2017 as part of the Builders & Innovators program.
Prior to Illumio, Andrew was president of Cymtec and led Business Development for VoiceNet, where he was responsible for sales strategy, business development activities, and customer relationship management. Andrew graduated from Washington University in St. Louis with a BSBA in Finance.
Connect with him on LinkedIn.