
Saturday, May 23, 2020

Re-imagining the Enterprise Security Risk Paradigm in the Cloud and Mitigating Those Risks Effectively

Traditional enterprise security had the following main characteristics:
1. It was built around two major asset groups: the network and the endpoint (servers and desktops/laptops).
2. It aspired to defense in depth, with Protection, Detection and Response layers for both asset groups. However, the primary focus was on Protection.
3. Application security was addressed by VA/PT (vulnerability assessment and penetration testing), and data security by encryption and obfuscation of structured data. There were no practical technology options for unstructured data; strong policies were formulated instead, and users were left to comply with them.
4. In addition, SIEM and DLP tools were added as tertiary measures with a detection mindset, but they produced a very high percentage of false positives and required a huge team to monitor meaningfully. SIEM solutions gathered security event information, focused on the network layer, and correlated it to look for security incidents. DLP solutions sat in-line at the enterprise perimeter and were also embedded as agents on endpoints, looking for string matches in unstructured data files in transit.
5. IAM was an important aspect but typically not within the ambit of enterprise security, and it was deemed too complex to be left to enterprise architects to figure out. Monolithic IAM solutions were deployed that covered only a minuscule fraction of enterprise apps, because of cost as well as the extensive implementation and operational effort.
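The false-positive problem of string-matching DLP described in point 4 is easy to reproduce. The following is an added example (not code from the original post): a naive "any 16 digits" rule is run over four constructed sample documents beside a tighter rule that adds word boundaries and a Luhn checksum on the normalised digits. The sample documents, file names and the choice of Luhn validation as the second layer are assumptions for illustration; the two card numbers are publicly known test numbers, not real cards.

```python
import re
from typing import List, Tuple

# Constructed sample documents (not real data). Two contain genuine (publicly
# known test) card numbers; two contain 16-digit runs that are not cards.
SAMPLE_DOCS: List[Tuple[str, str]] = [
    ("invoice.txt", "Invoice 1234567890123456 issued 2020-05-23"),
    ("crm-note.txt", "Card on file: 4111 1111 1111 1111 (test)"),
    ("shipping.txt", "USPS tracking 9400111899223456789012 delivered"),
    ("refund.txt", "Refund to 4242424242424242 processed 2020-05-22"),
]

# Naive rule of the kind a string-matching DLP engine applies: any 16 digits,
# separators allowed, no word boundaries, no validation.
NAIVE = re.compile(r"(?:\d[ -]?){15}\d")

# Tighter candidate rule: word boundaries so that a 16-digit window inside a
# longer digit run (order IDs, tracking numbers) is not taken. Candidates are
# then validated with the Luhn checksum.
CANDIDATE = re.compile(r"\b(?:\d[ -]?){15}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) checksum, which payment card numbers must satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def naive_scan(docs: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """String-match only: returns (document, matched text) for every hit."""
    return [(name, m) for name, text in docs for m in NAIVE.findall(text)]


def validated_scan(docs: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Boundary-aware match plus Luhn check: returns (document, normalised PAN)."""
    hits = []
    for name, text in docs:
        for raw in CANDIDATE.findall(text):
            pan = re.sub(r"[ -]", "", raw)   # strip the separators before checking
            if luhn_valid(pan):
                hits.append((name, pan))
    return hits


if __name__ == "__main__":
    print("naive:    ", naive_scan(SAMPLE_DOCS))       # 4 hits, 2 of them false positives
    print("validated:", validated_scan(SAMPLE_DOCS))   # only the two test card numbers
```

The naive rule fires on all four documents, so half of its alerts are noise that an analyst has to clear by hand; the validated rule fires only on the two card numbers. The checksum reduces rather than eliminates false positives, since other identifier schemes also use Luhn, which is why a practical DLP capability layers context (surrounding keywords, file type, classification labels) on top of pattern matching rather than relying on strings alone.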

Cloud has turned enterprise security on its head:
1. In the cloud, identity security is the most important aspect to get right. It must be multi-layered, with protection, detection and response capabilities, and with the focus on protection and detection. It should be simple and easy, so that the cloud is practical for the enterprise. It must also be cognizant of the dynamic threat landscape, so that an identity compromise in one part of a cloud is not relayed to another part, or from one cloud to another. It must have built-in behavior analytics to discern already-compromised identities, so as to assure a zero-trust operational environment. It must work for all clouds, and the same identity security capability must also scale to the non-cloud world of the enterprise.
2. Cloud-based DLP cannot be an after-the-fact detection solution; it must be a wholesome enterprise capability, distributed across multiple cloud security solutions, engineered into each of them, and integrated across them to build a holistic enterprise capability. This enterprise DLP capability must also seamlessly cover the non-cloud world of the enterprise, including all information repositories anywhere.
3. Cloud-based SIEM must address security monitoring and SecOps for all elements in a specific cloud, from IaaS to SaaS, and must also cover all clouds. It must integrate seamlessly with the on-prem security and operational infrastructure as well.
4. Cloud-based endpoint security must be multi-layered to address known and unknown threats, and must work for on-prem as well. Such endpoint security must always be identity-aware and user-behavior-driven.
5. Cloud-based network security must scale to cover extended networks across multiple clouds, and further extend to or integrate with on-prem network security. It must also be behavior-driven.
6. Integrated threat management across all or most of the above security aspects, empowered with cutting-edge threat intelligence, should be built into all of the cloud security solutions above.
7. AI and ML must be leveraged wherever possible to handle the high volume and velocity of security event information and threat intelligence in the cloud.
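Point 1 asks for two things in combination: behavior analytics that spot an already-compromised identity, and containment that stops the compromise being relayed from one cloud to another. The following is an added example (not code from the original post) of one such check, impossible travel, run over constructed sign-in events merged from three clouds: consecutive sign-ins by the same identity are compared, and any pair that would require travelling faster than an assumed 900 km/h threshold is flagged; containment then revokes the identity's sessions in every cloud it can reach, not just the cloud where the anomaly was seen. The event records, the identity-to-tenant directory and the threshold are assumptions for illustration; the only input the example relies on is that each cloud's sign-in log gives a timestamp, an identity and a geolocation for the source address.

```python
import math
from datetime import datetime
from typing import Dict, List

EARTH_RADIUS_KM = 6371.0

# Constructed sample sign-in events (not real log data), as each cloud's own
# sign-in log would report them: timestamp, identity, cloud, and the location
# the cloud attributes to the source IP.
SAMPLE_EVENTS: List[dict] = [
    {"ts": "2020-05-23T09:00:00+00:00", "identity": "alice", "cloud": "aws",
     "city": "Bangalore", "lat": 12.97, "lon": 77.59},
    {"ts": "2020-05-23T09:30:00+00:00", "identity": "alice", "cloud": "azure",
     "city": "Frankfurt", "lat": 50.11, "lon": 8.68},
    {"ts": "2020-05-23T09:00:00+00:00", "identity": "bob", "cloud": "aws",
     "city": "Bangalore", "lat": 12.97, "lon": 77.59},
    {"ts": "2020-05-23T12:00:00+00:00", "identity": "bob", "cloud": "gcp",
     "city": "Chennai", "lat": 13.08, "lon": 80.27},
]

# Constructed directory: which cloud tenants each identity has access to.
IDENTITY_TENANTS: Dict[str, List[str]] = {
    "alice": ["aws", "azure", "gcp"],
    "bob": ["aws", "gcp"],
}


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def detect_impossible_travel(events: List[dict], max_speed_kmh: float = 900.0) -> List[dict]:
    """Flag consecutive sign-ins by one identity that would require travelling
    faster than max_speed_kmh (assumed threshold, roughly airliner speed).
    Events from all clouds are merged per identity before comparing."""
    by_identity: Dict[str, List[dict]] = {}
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        by_identity.setdefault(ev["identity"], []).append(ev)

    findings = []
    for identity, seq in by_identity.items():
        for prev, cur in zip(seq, seq[1:]):
            hours = (datetime.fromisoformat(cur["ts"])
                     - datetime.fromisoformat(prev["ts"])).total_seconds() / 3600.0
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if hours > 0:
                speed = km / hours
            else:                       # same timestamp: impossible unless same place
                speed = math.inf if km > 0 else 0.0
            if speed > max_speed_kmh:
                findings.append({
                    "identity": identity,
                    "from": f"{prev['city']}/{prev['cloud']}",
                    "to": f"{cur['city']}/{cur['cloud']}",
                    "km": round(km),
                    "hours": round(hours, 2),
                    "speed_kmh": round(speed),
                })
    return findings


def containment_actions(findings: List[dict], tenants: Dict[str, List[str]]) -> List[dict]:
    """For each flagged identity, emit a revocation action for every cloud it
    can reach, so a compromise seen in one cloud is not relayed to another."""
    actions = []
    for f in findings:
        for cloud in tenants.get(f["identity"], []):
            actions.append({"identity": f["identity"], "cloud": cloud,
                            "action": "revoke_sessions_and_require_reauth"})
    return actions


if __name__ == "__main__":
    found = detect_impossible_travel(SAMPLE_EVENTS)
    for f in found:
        print(f"ALERT {f['identity']}: {f['from']} -> {f['to']} "
              f"{f['km']} km in {f['hours']} h ({f['speed_kmh']} km/h)")
    for a in containment_actions(found, IDENTITY_TENANTS):
        print(f"ACTION {a['cloud']}: {a['action']} for {a['identity']}")
```

Alice's AWS sign-in from Bangalore followed thirty minutes later by an Azure sign-in from Frankfurt is about 7,400 km apart and is flagged; Bob's Bangalore-to-Chennai pair over three hours is not. The containment step is the part that matters for the cross-cloud point: the anomaly was only visible because events from both clouds were merged under one identity, and the response covers GCP too, where no suspicious sign-in has happened yet. In production the same pattern sits on top of the identity provider's sign-in logs and session-revocation API rather than on in-memory lists, and geolocation errors (VPN egress, mobile carriers) are the main source of false positives to tune for.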

What does this imply?
To address security in the cloud effectively, the erstwhile approach of putting together a patchwork of heterogeneous solutions cannot work or scale. Enterprise security solutions in the cloud era:
(a) Should be native to the cloud operational platforms and cloud applications as much as possible.
(b) Must be consolidated on one cloud security platform that can cover all clouds and on-prem.
(c) Must be dynamically threat-aware, with quality threat intelligence, to provide an intelligent, integrated and effective enterprise security suite.