Security Newsletter: Edition 2

  • By Michael Coates
  • in
  • on July 18, 2019

A periodic newsletter from me, Michael Coates, on building security programs, security career growth, and emerging trends. If you were forwarded this newsletter, you can sign up here to receive updates.

The “Untrusted” Internal Network – Now What?

For years it has been an “us” vs “them” mindset in security. The bad folks are somewhere in the world – name a current adversarial country or organization – and our company is filled with good people. Therefore, if we build a big barrier around our company we can keep out the bad and everything is good, right?

The “crunchy perimeter & squishy center” security model has come and gone – at least it should be gone. It’s a relic of an old time and has no place in today’s modern enterprise defense. For those of you that may be fortunate to have avoided it, what is this model? Here’s the quick info. The idea was to build a strict and highly regulated perimeter around the company. Firewalls blocked almost all traffic in and out. Any exceptions were strictly reviewed and scrutinized. Laptops either didn’t leave the office at all or maybe had a forced VPN to tunnel all traffic back through the office network. While the perimeter was strong, once inside there was a more relaxed environment of trust. Because, hey, we can trust all of our employees, right? (in general, sure, as a global policy, definitely not)

What happened to this model? My argument isn’t that we should dissolve the perimeter or cast those efforts as worthless. Instead, we must accept that the paradigm has shifted. There is no longer a formal boundary between outside and inside or “us” and “them”. The rise of cloud computing, SaaS applications, continued connectivity to business partners, contract workforces, BYOD and more all mean that the “internal” network is a very busy place with many different people, systems, and notably – many threats.


Two Big Reasons to Ditch the “Strong Perimeter & Squishy Center” Mentality

First, insider attacks are a real concern and not just a theoretical exercise. Insider attacks may be the result of malice or just carelessness, but there is no denying that they are happening. The 2019 Verizon Data Breach Report shows that in some sectors “Privilege Misuse and Error by insider account for 30 percent of breaches”. Multiple articles also show how prominent tech companies have felt the impact of overzealous employees abusing their access to private data.

Second, even if we assume there are no malicious insiders, the “squishy center” mentality means that once inside the network, an adversary has free rein. Taking this one step farther, we’re essentially saying that if an attacker ever finds a vulnerability in the perimeter then the breach is not just a perimeter breach, but likely a massive breach of internal systems and data too!


We agree, the internal network is untrusted. Now what?

Although the internal network may not be trusted, this doesn’t mean we throw out the firewalls and just let it be a free-for-all. Instead, let’s double down on the concept of least privilege, which the perimeter is the first step to broadly eliminate access to the world unless they authenticate via VPN. The next logical step is applying least privilege inside the network. In other words, shift the mentality in all places to enforce strong authentication, access control, and minimal access policies. One way to think about this is that the company network is essentially a coffee house wireless network. No trust is implicitly granted just because a person is in a particular physical location and has internet access. Instead, trust is proved whenever access to systems and data is required.

Here are a few concrete steps to help move a company in this direction

  1. Company Education – Wide company awareness and support is required. Teams building internal systems for sales, data science, developer efficiency etc all must understand that authentication and access control is required – even though the systems are internal only. As a security team you’ll be viewed much more favorably if you also provide pre-vetted libraries to achieve auth’n and auth’z.
  2. Security Architecture & Strategy – It’s time to understand and plan for a migration to a Zero Trust security model. Don’t be overwhelmed by hype here, you don’t need to do a full scale overhaul. But there are many small steps you can take to incorporate Zero Trust concepts into your security posture.
  3. Data First Security Policy – We’ve established that access to an internal network does not imply trust, therefore we must evaluate how trust is established for access to internal data systems. As a security exercise, look at two internal data stores, one within your on prem data center and one within a cloud deployment. Evaluate how you authenticate and authorize services or users that can access the data. For the services, follow the call chain. How do you ensure that the individual initializing the services call is authenticated and authorized for the action. This gets tricky, but it also gets to the core of a data first security policy. Without confidence in these controls you are instead relying on only trusted actors on your internal network – which we know is no longer realistic.

The migration from a long held security approach and belief system may be challenging. You’ll undoubtedly have naysayers and others that believe this work is paranoid and unwarranted. In all areas of security it’s critical to return to fundamental risk modeling practices. If your company is moving forward to adopt new technology architectures and business relationships, then your threat model is evolving too. Through your risk management you either accept the new risk, hold back the business by denying technologies or update mitigating controls to safely enable the business. The only thing I hope you don’t do is cling to old truths that no longer hold – unless verified by your fresh risk evaluation specific to your company’s profile, risk model and controls.

Michael
Want to chat? Find me @_mwc

Leave a Reply

PUBLISHED BY Michael Coates

View all posts by Michael Coates

Related Posts

#MillenniumLive , Podcast

Listen to #MillenniumLive on Amazon Music!

2021 has been a year of milestones for our #MillenniumLive podcast – we released on Spotify, recorded our 100th episode, and we were joined by some of the most influential guests to date. Now we’re thrilled to announce that #MillenniumLive is available for listening on Amazon Music! Haven’t listened to our podcast before? Here’s the […]

#MillenniumLive , CIO , Data , Podcast

#MillenniumLive Episode: Getting Started on your Data Journey with Joe DosSantos from Qlik

This week #MillenniumLive welcomes back Joe DosSantos, the Chief Data & Analytics Officer at Qlik. Joe gives some insight on offensive vs defensive data strategies, the importance of data accessibility, and provides tips on starting your analytics journey. He emphasizes the importance of understanding what your data is, tagging it, organizing it, and making it […]

Healthcare

Experiential Retail: A Post Pandemic Guide

Contributed by our partners at AnyRoad Brick-and-mortar retailers saw significant reductions in foot traffic last year while e-commerce sales peaked in Q4 2020, but a natural balance is slowly returning as the pandemic subsides and competition among retailers is tougher than ever. As things open up, some brands (such as Home Depot, Williams Sonoma, etc.) […]

CISO

Transformational CISO Leader, Rinki Sethi, Keynotes Our November Assembly!

On November 8th, The Millennium Alliance Transformational CISO Assembly kicks off with a keynote address from Rinki Sethi, current Chief Information Security Officer (CISO) at Twitter. Rinki is an award-winning leader and executive with experience leading and developing innovative online security infrastructure for Fortune 500 companies like IBM, PG&E, Walmart.com, and eBay. She is recognized […]

Lovin’ Digital Diary?

Premium content to our readers interested in all things business.

Check Us Out!

Millennium Membership offers Fortune 1000 C-Level executives, leading public sector/government officials, and thought leaders across a variety of disciplines unique and exclusive opportunities to meet their peers, understand industry developments, and receive introductions to new technology and service advancements to help grow their career and overall company value.

About Millenium Alliance Next

About Digital Diary

Created to provide premium content to our readers interested in all things business.

Launched in 2017, Digital Diary was created to provide premium content to our readers interested in all things business. With our blogs catered to deliver the top news stories, trends, and interviews from across all industries.

Read all story Next

Millennium Alliance Membership

Learn More Next

What does it mean to be a Millennium Member? In the midst of the constant disruption across all industries, our members are given the tools they need to digitally transform their organizations and become the best leaders they can be. Millennium Members are provided the exclusive opportunity to attend our 40+ intimate in person and virtual Assemblies, take part in industry-leading Executive Education sessions conducted by the nation’s leading academic institutions, business leaders, and technology providers and receive industry leading content through our Digital Diary Platform as well as the rapidly growing #MillenniumLive Podcast Series.