How to Build an Effective Security Perimeter

By Eran Alsheh

Most organizations today have a hybrid IT environment – where, on the one hand, there are legacy systems that are on-premises – and, on the other hand, some systems and services are in the cloud.

While medium-sized organizations tend to adopt cloud systems and services faster than enterprises, where complexity is greater and policies are less flexible, we have reached the point where even enterprise organizations tend to be hybrid to some degree. This is the trend – it’s the landscape of the future. 

According to a 2017 Gartner report providing predictions about IT infrastructure services, there is a massive shift toward hybrid infrastructure services. By 2020, Gartner states, 90 percent of organizations will adopt management capabilities for hybrid infrastructure. 

This being the case, we think it’s time to “face the music.” Yes, a hybrid environment brings many new capabilities and benefits. But it also creates additional security challenges.

These need to be addressed – particularly, in terms of real-time monitoring and incident response. As pointed out in this recent Gartner paper, even the best preventative controls will not prevent all incidents and, therefore, IT risk and security leaders need to shift their efforts away from prevention – and instead focus on the need to detect and respond to malicious behaviors. 

“Cloud” is a Loaded Term 

The term “the cloud” can refer to several different kinds of technology. IaaS (Infrastructure as a Service) means storage, networking, firewalls, security, and data centers. PaaS (Platform as a Service) – such as Microsoft Azure, AWS (Amazon Web Services), and GCP (Google Cloud Platform) – includes development tools, database management, and more. And SaaS (Software as a Service) refers to hosted applications.

All of this activity in the cloud means the task of securing the perimeter of an organization has become more difficult. It is no longer a question of securing “just” the systems that are on premises. There are additional microservices and platforms to secure, which – as explained in ITProPortal – are not fully under your control, and the additional complexity and risk need to be managed.

Shadow IT Undermines Your Security 

Security becomes further complicated with shadow IT – information-technology systems and solutions used inside organizations without explicit organizational approval. Shadow IT generally does not meet organizational requirements for control, documentation, security, and reliability.

Many employees don’t realize they are breaking rules by downloading apps or running software services. But – as described by Kayla Matthews at Digital Trends – downloaded software that is not approved by IT potentially puts an entire organization at risk because of security flaws.

Shadow IT raises many questions for a CISO: How do I uncover the shadow IT taking place within my organization? How do I determine policies, and what can I do to enforce them? These questions must be addressed so that an organization is aware of everything happening in the system and can respond when necessary, following the full life cycle of incident management and response.  

Hybrid Means Less Control 

As a case in point, consider an installation of Microsoft’s Office 365.  

Traditionally, in a legacy system, the IT department has an Exchange server set up, and ensures that the server is backed up regularly and is protected by an antivirus program.

When an organization shifts to the NextGen solution of Office 365 SaaS – or to G Suite – there’s a lack of control: How do you develop visibility, monitoring, control, and response for applications in the cloud? As outlined by ResearchGate, this requires defining new policies, compliance, and governance.

So Many Screens, So Little Time 

Another issue that comes up in hybrid security operations relates to the number of management consoles. Take a look at Gary Thome’s blog in InfoWorld, which correctly points out that, in an enterprise’s highly distributed environment, there is no centralized management view. Each system has its own management console.

These require additional people to manage them.

And the problem goes on and on, since monitoring is required today for an ever-increasing number of IoT devices in the office, at home, and on the move – including computers, phones, and even connected cars.

Who Can View My PII? 

There’s also the challenge of regulations, which are becoming increasingly stringent as privacy and data ownership become more important to individuals. The regulations limit who can access PII (Personally Identifiable Information) and what an organization is allowed to do with PII. However, once the data is moved to the cloud, it is harder to prove what information is – and is not – being shared. 

Regulations include GDPR (General Data Protection Regulation) in Europe, HIPAA (Health Insurance Portability and Accountability Act), PCI DSS (Payment Card Industry Data Security Standard), SOX (Sarbanes-Oxley Act), federal government regulations in the U.S., and more. (You can read more about regulation and compliance in this TechTarget article.)  

Lack of Cybersecurity Experts 

Finally, there is a shortage of cyber expertise. Because managing hybrid security operations is more complex, it requires a team covering a very broad range of disciplines – people who can handle monitoring and response, understand policy, and act as compliance experts.

The problem is that – as researched by Crowd Research Partners – there’s a shortage of qualified security personnel. According to a recent report by CyberSeek, the problem is intensifying because the demand for cybersecurity professionals is increasing continuously across the United States. (In other regions, the situation is often worse.) For example, in the U.S. there were 301,873 cybersecurity job openings in the private and public sectors between April 2017 and March 2018, including 13,610 public sector openings. 


How MSSPs Handle the Unique Complexity of a Hybrid Environment 

The best way to sidestep the security issues involved in managing a hybrid environment is by working with an MSSP (Managed Security Services Provider).  

Outsourcing security processes in a hybrid environment allows an organization to access the cybersecurity expertise it needs, while increasing ROI on its investment in legacy systems and reducing TCO (Total Cost of Ownership).  

As Gartner points out in this 2018 report on managed security services, not all MSSPs are created equal. The MSSP you hire should follow a policy of full transparency between the security operations team and the client, who needs to know what is happening in real time and can collaborate on operations. Furthermore, you will want an MSSP who is available 24/7, has a global presence, and has multilingual capabilities – and who can conduct threat intelligence, check out forums on the darknet, and investigate criminal activity in all parts of the world. 

Leveraging the services of the right MSSP can allow an organization to improve its security posture, while saving the cost of purchasing platforms and performing integrations. An MSSP provides knowledge sharing and high-level expertise in the cyber world, and it connects to all systems within the organization – from on-premises technologies to shadow IT and the cloud. An MSSP also future-proofs an organization, giving it flexibility and the ability to scale.

With an MSSP, all information sources are consolidated in one place – a single pane of glass – bringing comprehensive visibility and continuous improvement to IaaS, PaaS, SaaS, shadow IT, and on-premises systems. 


Want to discuss this further? Please contact us and we’ll set up a call with one of our cybersecurity experts. 

Written by Eran Alsheh
Eran is the chief technology officer and cyber visionary at CyberProof. He has over 18 years of experience in designing and developing cyber security services, intelligence information systems, national CERTs, Cyber Operations Centers (SOCs), and operating Cyber Incident Response, Orchestration & Automation solutions. Prior to CyberProof, Eran was a co-founder at BISEC, a SOC management, orchestration and incident response company that CyberProof acquired in January 2018. Eran has held several senior leadership positions at AGT International, Elbit Systems, and Elron Telesoft.