Cyber Security: Dancing with Wolves
Independent consultant Gerd Simon offers advice for companies on improving IT security and undertaking an effective risk assessment for cyber security.
We all want to use full and secure digital infrastructures, because this is the foundation for the sustainability and the growth of our digital economy. We all want security for business and our private lives. But we don’t really do the work required, right? We hear news, but we don’t seem to be listening:
- 59% of people tend to use the same password everywhere (source: Lastpass, 2019)
- 77% of all organizations are still operating with only limited cyber security (source: Test Army, 2019)
- 81% of hacking-related breaches leveraged either stolen or weak passwords (source: Verizon Data Breach Report, 2017 and 2019)
What are the consequences? It seems that cyber security is not really enforced. What are we waiting for here? There is no-one who can enforce this globally; no entity, no government. The Internet comprises thousands of networks. Some of them are new and growing fast, while industry-specific ones are growing even faster. Whether we believe it or not, we are again right at the beginning of a new era – in which, again, growth is being fueled by massive data exchange, and we are moving further and further away from static usage behavior, towards a very mobile and dynamic relationship with our data.
Our complex relationship to our data
Let me start by saying that we still look at data as having a “home” – and we want to know where our data is. But tomorrow, the data will want to know where we are, as we move through smart, digitalized landscapes and along connected, intelligent highways, using 5G and other technologies to come. So there is a quiet, but important paradigm shift happening. It's no longer about the usage of a generalized telecom infrastructure per se. Our Internet use and our digital behavior will require purpose and an accepted level of security, end-to-end.
The very strong development occurring in the automotive industry with connected cars is one clear driver of this change. But it is also being propelled by numerous other developments: in sectors such as fintech, energy, and healthcare, and by the rollout of 5G, the use of 3D printing, the growth in artificial intelligence, augmented reality and the content wars, blockchain, crypto mining – the list goes on. These are areas where a lot of special technologies will emerge as industry-specific infrastructures.
What needs to be done in order to create a safe way forward?
First of all, audit and pen-test your ICT operations. You may start by testing policy compliance, including but not limited to GDPR, server access, file access, and VPNs, then move on to middleware hand-offs, analyzing the traffic flow from and to cloud environments, and then to configurations (e.g. devices, services, and servers) as well as metadata. The aim is to build a zero-trust environment, so that you can trust it when it works, because you have verified that it does.
Things to consider are:
- Implementing the standards of “Computer Security 101”
- Enforcing the rules for basic Internet safety (including, but not limited to, spam, SSL, mail spoofing, etc.)
- Strengthening the resistance to social engineering (e.g. an admin never asks for the user’s credentials)
- Risk assessment on middleware software that determines the security levels by default
- Using DevOps to enforce security measures
- Technical special forces that are allowed to put the existing digital infrastructures under pressure
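The list above stays at the level of principles. As an added illustration (not the author's code, and not any particular product's schema), the following Python script turns three of the "Computer Security 101" items into checks that a DevOps pipeline can run on every configuration change: the SSL/TLS minimum version, server and VPN access rules, and the SPF/DMARC records that limit mail spoofing. The inventory it reads is constructed for the example, and the field names (`tls_min_version`, `ssh_password_auth`, `vpn_mfa`, `spf`, `dmarc_policy`) are assumptions about what a normalised configuration export might contain.

```python
"""Policy-as-code compliance audit over a constructed asset inventory.

Added example, not code from the article. Field names and the inventory
values are assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Finding:
    rule: str      # stable rule identifier, so findings can be tracked over time
    asset: str     # host or mail domain the finding applies to
    severity: str  # "high" blocks the pipeline, "medium" is reported only
    detail: str    # human-readable explanation for the audit report


# Constructed inventory: hosts with their access/TLS settings and the mail
# domains the organisation sends from. All values are invented.
INVENTORY = {
    "hosts": [
        {"name": "web-01", "tls_min_version": "1.2", "ssh_password_auth": False, "vpn_mfa": True},
        {"name": "legacy-01", "tls_min_version": "1.0", "ssh_password_auth": True, "vpn_mfa": False},
        {"name": "api-02", "tls_min_version": "1.3", "ssh_password_auth": False, "vpn_mfa": True},
    ],
    "mail_domains": [
        {"name": "example.com", "spf": "v=spf1 include:_spf.example.net -all", "dmarc_policy": "reject"},
        {"name": "example.org", "spf": "v=spf1 include:_spf.example.net +all", "dmarc_policy": "none"},
        {"name": "example.net", "spf": None, "dmarc_policy": None},
    ],
}


def _version_tuple(version: str):
    """Compare TLS versions numerically ("1.10" would sort after "1.2")."""
    return tuple(int(part) for part in version.split("."))


def check_host(host: Dict) -> List[Finding]:
    """Server access and transport rules for one host."""
    findings = []
    name = host["name"]
    if _version_tuple(host["tls_min_version"]) < (1, 2):
        findings.append(Finding("TLS-MIN-VERSION", name, "high",
                                f"minimum TLS version is {host['tls_min_version']}; require 1.2 or newer"))
    if host["ssh_password_auth"]:
        findings.append(Finding("SSH-PASSWORD-AUTH", name, "high",
                                "SSH accepts passwords; allow key-based authentication only"))
    if not host["vpn_mfa"]:
        findings.append(Finding("VPN-NO-MFA", name, "medium",
                                "VPN access is not protected by a second factor"))
    return findings


def spf_all_qualifier(spf: str) -> Optional[str]:
    """Return the qualifier ('-', '~', '?' or '+') of the SPF 'all' mechanism, or None if absent."""
    for token in spf.split():
        if token.lstrip("+-~?") == "all":
            return token[0] if token[0] in "+-~?" else "+"  # no prefix means '+' (pass)
    return None


def check_mail_domain(domain: Dict) -> List[Finding]:
    """Anti-spoofing posture of one sending domain."""
    findings = []
    name = domain["name"]
    spf = domain.get("spf")
    if not spf:
        findings.append(Finding("SPF-MISSING", name, "high",
                                "no SPF record; any host may send mail as this domain"))
    else:
        qualifier = spf_all_qualifier(spf)
        if qualifier in (None, "+", "?"):
            findings.append(Finding("SPF-PERMISSIVE", name, "high",
                                    f"SPF 'all' qualifier is {qualifier!r}; unlisted senders are not rejected"))
        elif qualifier == "~":
            findings.append(Finding("SPF-SOFTFAIL", name, "medium",
                                    "SPF uses ~all; receivers may still deliver spoofed mail"))
    policy = domain.get("dmarc_policy")
    if policy is None:
        findings.append(Finding("DMARC-MISSING", name, "high",
                                "no DMARC record; spoofed mail is neither reported nor blocked"))
    elif policy == "none":
        findings.append(Finding("DMARC-MONITOR-ONLY", name, "medium",
                                "DMARC p=none only reports; it does not block spoofing"))
    return findings


def audit(inventory: Dict) -> List[Finding]:
    """Run every rule over every asset and collect the findings."""
    findings: List[Finding] = []
    for host in inventory.get("hosts", []):
        findings.extend(check_host(host))
    for domain in inventory.get("mail_domains", []):
        findings.extend(check_mail_domain(domain))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity for the report header."""
    counts: Dict[str, int] = {}
    for finding in findings:
        counts[finding.severity] = counts.get(finding.severity, 0) + 1
    return counts


def exit_code(findings: List[Finding]) -> int:
    """Pipeline gate: a non-zero exit fails the build on any high-severity finding."""
    return 1 if any(f.severity == "high" for f in findings) else 0


if __name__ == "__main__":
    results = audit(INVENTORY)
    for finding in results:
        print(f"[{finding.severity:6}] {finding.rule:20} {finding.asset:12} {finding.detail}")
    print("summary:", summarize(results))
    raise SystemExit(exit_code(results))
```

Run as a pipeline step, the script fails the build for `legacy-01` (TLS 1.0, password SSH) and for the two mail domains with missing or permissive SPF/DMARC, while the monitor-only findings are reported without blocking. The point of encoding the rules this way is the one the article makes about liability: each run leaves a dated record of which policy was checked against which asset, which is the evidence you need later.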
The paradigm shift in handling data – where does my data come from?
An example to showcase the impact of current software developments: let’s talk about Spotify. Once you start the application, a virtual container is created especially for you. With such a container, you get all the music streams, the pictures, and the lyrics. In order to deliver all of that, many microservices feed your virtual container, using different content sources, libraries, and frameworks. The result is your user experience, wherever you are. But these sources sit in various data centers – goodness knows where – using different interconnection systems to reach your mobile phone. You don't know where this data will come from, because these data centers are most probably not the ones where your mobile phone provider is located. So you have an abundance of different data centers to be interconnected, and that needs to be handled across a wide geographical area. But once you close Spotify, the virtual container is thrown away. As simple as that.
Why is this example important in the context of cyber security? First of all, because it highlights the new style of infrastructure usage: it is purpose-built and at the same time dynamic, and makes use of microservices. Second, we work with a wide range of cloud computing applications, enterprise applications, collaboration tools, mobile computing, customer applications, social media, and analytics that use the same methodologies, libraries, and frameworks. Software development no longer delivers a monolithic coding environment. It is rather a dynamic, yet structured, environment of microservices, frameworks, and libraries. And in some regards, these platforms work together. But again, they're not sitting in the same data center, and there's no single data center on this planet that combines all of them. So, the big challenge is how to create a secure flow of data while using different data centers and different providers, when you don’t know how your traffic is flowing. This is the thinking behind my statement that, tomorrow, the data will want to know where you are, rather than the other way around. Am I the only one thinking about this paradigm shift?
IT workloads are moving off-premise
Jabez Tan from Structure Research recently published a report titled “Global Data Centre Colocation: Hyperscale, Interconnection Drivers,” in which he made very interesting observations. He asked CIOs and business owners about the market changes that will impact the way we will work tomorrow, because money talks. Today, almost 8 out of 10 IT workloads are located on premises, with a smaller portion in hyperscalers, colocation, and hybrid/private ISP cloud environments. However, a few years from now, by 2024, the picture will have changed completely: 60 percent of IT workloads will be computed in hyperscaler environments (due to private equity and venture capital structures globally forcing the delivery of positive cashflow and cash reserves). The shift he is predicting is a big one, although it will vary continent by continent. What you can already see today is that about 25 percent of all enterprise IT budgets are going into the cloud, and the trend is growing.
Cyber security, laws, and liability
The challenge with a security policy implementation is that it is a lonely child, not well-loved. However, not having enough knowledge does not protect you from being liable; never, anywhere. We all think that if we stick to the laws and norms, that will suffice. But it’s not simply about following the rules – we know that this neither helps us to reduce our risk exposure nor helps us to recover. Whatever we do – even if we do everything right – we still need to be able to prove that we did it. Otherwise, no insurance claim you make for damage from cyber crime is likely to be approved.
If we take German legislation as an example, the new IT Security Act came into effect in 2017. Based on this piece of legislation, the majority of all incidents can relatively easily be classified in a way that insurance policies would normally cover, if and when a company complies with the IT Security Act. However, it is necessary to prove that you have implemented the Act and that you did things right. If not, not only is it likely that insurance cover will not kick in to pay for the damage, but business owners themselves can also end up being held personally liable.
So, if you want to take cyber security risk assessment seriously, it’s high time to act. Here, questions arise such as: Have you implemented all aspects of the applicable laws? And if so, how do you document this? The way forward requires active risk management. But to undertake an effective risk assessment, the main questions are really:
- Do you have security by design?
- Do you have a crisis management strategy?
- Do you have an active risk management process?
- Do you have a disaster recovery management strategy?
- How do you ensure quality of service?
- How do you do your sourcing?
- How do you monitor and control networks?
Everything can be a risk, but at the same time, it can also be an opportunity to differentiate yourself from the competition. Business owners should embrace the new headwind and cope with these unavoidable associated challenges; neglecting the risks will prove disastrous.
Gerd Simon is a trusted adviser for digital infrastructure investment, an auditor, a senior analyst, and a business leader. For more than 25 years, he has been creating and enabling digital infrastructures, mainly in Europe but also further afield. His focus was and is to create GTM models and to take care of business strategy implementations, developing business conceptions from scratch through strategic and operational business development. He has been working in TMT markets since the mid-nineties and has a broad network in the Internet, cloud, and data center area.
Please note: The opinions expressed in Industry Insights published by dotmagazine are the author’s own and do not reflect the view of the publisher, eco – Association of the Internet Industry.