In the past six months our world has changed drastically, and the business world is no exception. Most businesses have had to fast-forward digitization plans that were originally laid out for five years and execute them in a few months; many employees are working from home for the first time; and all of this has multiplied cyber-attacks many times over. Attackers are taking advantage of this rush to digitize by escalating both the volume and the sophistication of their attacks. As cybersecurity professionals, there is a lesson in this for us …
The way we used to look at cybersecurity, in silos, solving one problem at a time, is not going to work anymore.
We need to understand that the job of cybersecurity professionals is not so much to solve problems as to enable the business to do what it set out to do. This means cybersecurity needs a new principle to guide it, one inspired by a holistic view of security rather than the current siloed approach.
This is the time to look at cybersecurity from a holistic point of view. Cybersecurity should be an enabler for the business, so understanding the core business activities and requirements matters most. We need to know which crown jewels we are protecting and the ecosystem around them. How do these jewels help the business grow? Is this initiative meant to expand the client base by going online, or to give clients customization options before an online purchase? The answers tell us what kind of data will be generated and captured, and what protection it needs. We then craft security according to the business criticality of the assets that generate, capture and process that data, and according to the compliance requirements that apply to each data type. For example, if the business application captures personally identifiable information (PII) about individuals in the European Union, the GDPR requirements apply (the GDPR is tied to where the data subject is, not to citizenship); if it captures payment card details, PCI DSS applies irrespective of where the application is hosted. Crafting security to match the actual protection requirements helps the business both ways: it avoids complicating the client experience by over-protecting, and it avoids fines for non-compliance caused by not adding enough controls.
Let us look at what this holistic view of security looks like:
Since security is not only tools and technologies, the holistic view rests on six pillars: Business Requirements, Data Touchpoints, Operational Requirements, Users and Security Awareness, Third-Party Risk Assessment, and last but not least Security Governance. Let's look at each of them one by one.
Business Requirements
Business requirements are mainly about the data: what kind of data will the application collect, generate, process and store? In which geolocations will the data be generated, captured, processed and stored? Which regulatory requirements are attached to the data collected? Examples of data types are PII, payment card data, health records and pharmaceutical drug-related data, and the compliance requirements vary with the type: if the data is health records plus PII, HIPAA applies to health service providers; if in addition you capture payment card data, HIPAA plus PCI DSS apply. Every country or region also has its own data privacy laws, so we need to consider the geolocation when capturing PII. As discussed, PII of individuals in the European Union brings in the GDPR, while PII of California residents brings in the CCPA.
Like countries, each organization has its own security policies, crafted to suit the applicable regulatory requirements and the organizational culture. We need to understand these policies before defining technical and process controls, because some policies need technical controls, some can be managed by processes, and some need both. Knowing this helps us select the technical controls that actually implement the policies.
Understanding whether this is a greenfield requirement or a new application being added to an existing environment helps scope the threat modeling. If threat modeling has been done, which threats were identified? Which threats from threat intelligence feeds apply to this application and its data? If you are designing security for workloads migrating to the cloud, capture the currently identified risks and the residual risks, the additional risks introduced by the new environment, and the vulnerabilities that exist in the current environment.
What are the availability requirements: is it 24x7x365? What is the business continuity plan, and how will disaster recovery happen? The security design has to be aligned with these. We also need to align security with the application's service-level and operational-level requirements, because security operations will be measured against them.
Data Touchpoints
The main objective of cybersecurity is protecting the crown jewels, and for any digital organization that is data. Security should therefore be designed with data at the center, securing every touchpoint across the entire data lifecycle: generation or capture, processing, storage, archival and finally purging.
The first data touchpoint is the endpoint: the laptops, desktops, tablets and smartphones used to key in data, i.e. to generate or capture it, or the IoT devices that capture it automatically. Defining security requirements for these endpoints is important. We also need to consider the security requirements of the servers or VMs hosting the business applications that process the data. I am not going into the details of endpoint security requirements here; that is a topic for another time.
Likewise, we need to define security requirements for the network that transports the data between endpoints, application servers and storage. Examples are encryption in transit (TLS, VPN tunnels), firewalls, content filtering and NIDS/NIPS. If SDN is used, identify which of these network security functions are delivered as part of the SDN.
Next comes security for the business applications that process and present the data; secure code review reports and vulnerability testing reports are good inputs for deciding which controls are required. Then the databases that process and serve views of the data: does the database provide native encryption, or is additional encryption needed? Then the storage devices, such as NAS or SAN, or cloud storage such as S3 buckets on Amazon Web Services. And last but not least, backup and archival: is the data encrypted before backup? What is the backup schedule, at what interval is data backed up, when are full backups taken, and has a restore actually been tested?
Apart from securing these data touchpoints, you will also need centralized security tools such as a SIEM and vulnerability assessment and penetration testing (VA/PT) tools.
Operational Requirements
Now that the security architecture is defined and designed, managing its operation is the next important task. Understanding and defining the operational requirements helps provide and maintain the security posture of the data throughout its lifecycle. Does the organization have standard operating procedures? If yes, are they sufficient for the new security operations? Define the frequency at which external and internal VA/PT will be conducted, and the frequency of internal and external audits as required by the applicable regulations and organizational policies. We also need to define the risk assessment frequency and the security control assessment requirements: verify that security policies are configured and maintained as required, that the defined processes are followed, and that the implemented technical controls operate effectively and efficiently (for example, has firewall performance degraded because the rule base has grown too large, with rules that are shadowed or never hit?).
We also have to define policy and process document reviews and updates: will policies be reviewed only after a major change, or at a defined frequency? What counts as a major change? What are the reporting requirements? We need to define incident priorities according to the business requirements. How will incidents be reported? How will SLAs and OLAs be measured and monitored?
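As an added example that is not part of the original article: the firewall question above (has the rule base grown to the point where it hurts performance?) can be partly automated as a control-effectiveness test instead of being answered by feel. The script below is my own illustration in Python. The rule set is constructed, and the rule model (a name, an allow or deny action, source and destination CIDRs, a protocol, an inclusive destination port range, evaluated first-match from top to bottom) is an assumption, not the format of any particular firewall product. It flags rules that can never fire: shadowed rules, where an earlier rule with a different action already matches all of their traffic so the later rule's intent is silently lost, and redundant rules, where an earlier rule with the same action already covers them so they only bloat the rule base. The sample deliberately includes the classic mistake of appending an allow rule below a broad deny.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Tuple


# Constructed rule model: first-match, evaluated top to bottom (an assumption,
# not any vendor's format). Ports are an inclusive destination-port range.
@dataclass(frozen=True)
class Rule:
    name: str
    action: str             # "allow" or "deny"
    src: str                # source CIDR
    dst: str                # destination CIDR
    proto: str              # "tcp", "udp" or "any"
    ports: Tuple[int, int]  # inclusive destination port range


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matched by `inner` is also matched by `outer`."""
    if outer.proto != "any" and outer.proto != inner.proto:
        return False
    if not ip_network(inner.src).subnet_of(ip_network(outer.src)):
        return False
    if not ip_network(inner.dst).subnet_of(ip_network(outer.dst)):
        return False
    return outer.ports[0] <= inner.ports[0] and inner.ports[1] <= outer.ports[1]


def find_unreachable(rules: List[Rule]) -> List[Tuple[str, str, str]]:
    """Return (rule, kind, earlier_rule) for every rule that can never fire.

    kind is "shadowed" when the earlier rule has a different action (the later
    rule's intent is silently lost) or "redundant" when the action is the same
    (the later rule only bloats the rule base).
    """
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                kind = "redundant" if earlier.action == later.action else "shadowed"
                findings.append((later.name, kind, earlier.name))
                break  # the first covering rule is the one that actually wins
    return findings


def prune_redundant(rules: List[Rule]) -> List[Rule]:
    """Drop redundant rules; behaviour is unchanged, so this is safe cleanup.

    Shadowed rules are kept on purpose: they mean either the deny or the allow
    is wrong, and a human, not a script, has to decide which.
    """
    redundant = {name for name, kind, _ in find_unreachable(rules) if kind == "redundant"}
    return [r for r in rules if r.name not in redundant]


# Constructed sample rule base for the review.
SAMPLE_RULES = [
    Rule("allow-web",         "allow", "0.0.0.0/0",   "10.0.1.0/24",  "tcp", (443, 443)),
    Rule("deny-all-to-db",    "deny",  "0.0.0.0/0",   "10.0.2.0/24",  "any", (0, 65535)),
    # appended after the broad deny: the application can never reach the DB
    Rule("allow-app-to-db",   "allow", "10.0.1.0/24", "10.0.2.0/24",  "tcp", (5432, 5432)),
    # a single host already covered by allow-web: pure rule-base bloat
    Rule("allow-web-host",    "allow", "0.0.0.0/0",   "10.0.1.10/32", "tcp", (443, 443)),
    Rule("allow-bastion-ssh", "allow", "10.0.0.5/32", "10.0.1.0/24",  "tcp", (22, 22)),
]


if __name__ == "__main__":
    for name, kind, by in find_unreachable(SAMPLE_RULES):
        print(f"{name}: {kind} by earlier rule {by}")
    print("rules after pruning:", [r.name for r in prune_redundant(SAMPLE_RULES)])
```

Only unreachability is computed here; rules that are reachable but never hit need the firewall's own hit counters collected over the review period, which is a separate data source. A shadowed finding should go back to the rule owner rather than being auto-fixed, because it shows a policy conflict, not just waste.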
Users
Who are the application users, and which user roles do they need? Who will manage the infrastructure, the applications and the security, and which roles do they need? Who will create and manage these users? Which users need multi-factor authentication? Is there any requirement for user-level access escalation, and will it be managed by the application or by a separate solution? How will the activities of privileged users be monitored and managed? We need the answers to these questions to understand user management and the requirements for identity and access management tools.
Security Awareness Training Program
We need to generate security awareness by training users on the organization's security policies, the compliance requirements behind those policies, and the consequences of not complying with them. Users also need to be trained to recognize the symptoms of an attack: they should be able to tell a normal e-mail from a phishing e-mail, keep the devices they use for business applications up to date with OS and application patches, and never share passwords or other credentials. I do not think I have to elaborate on this further; we all know the importance of security awareness programs.
Security Governance
The ISO/IEC 27001 standard defines cybersecurity governance as “the system by which an organization directs and controls security governance, specifies the accountability framework and provides oversight to ensure that risks are adequately mitigated, while management ensures that controls are implemented to mitigate risks.”
Appointing a CISO and giving the CISO a seat at the table alongside the CIO, COO, CFO and CEO provides the support needed to change the perception that cybersecurity is a technology operations issue. It also helps get security aligned with legal, privacy and enterprise risk requirements and with cyber resilience requirements.
Cybersecurity governance helps in the following three areas to improve cybersecurity overall:
- Assess the organization's current security maturity state and propose the roadmap for improvement
- Keep security policies in line with regulatory requirements and aligned with the organization's culture
- Take ownership of the security awareness program and improve its effectiveness
Third-Party Risk Assessment
Businesses no longer work alone; they have partners, third-party vendors and service providers assisting with non-core activities. This lets the organization concentrate on its core activities, but it also adds risk: vulnerabilities in a third party can be a pathway for attackers into the organization's network. It is therefore important to perform a third-party risk assessment before signing the contract and onboarding the vendor. Assess the vendor and their products and services to evaluate whether they fit your organization's risk appetite, meaning the amount of risk your organization is prepared to take on. Third-party risk assessment is not a one-time activity; it must be revisited regularly. Your critical and high-risk vendors should be reassessed at least annually as part of operational due diligence.
That covers all six pillars of the holistic security view.
As Sun Tzu put it:
Conformation of the ground is of the greatest assistance in battle. Therefore, to estimate the enemy situation and to calculate distances and the degree of difficulty of the terrain so as to control victory are virtues of the superior general. He who fights with knowledge of these factors is certain to win; he who does not will surely be defeated.
Understanding the core business activities, future business plans, applicable regulatory requirements and organization-specific policies, the data touchpoints across the entire data lifecycle, the operational requirements, and the users gives security architects the inputs they need to design the optimal security for the organization. This helps achieve the business objectives, protect the data and comply with regulatory requirements without compromising the client experience.