Last Updated on July 27, 2020
If you don’t get the title reference I would encourage you to got to HBO Max and watch the complete back catalog of “Game of Thrones” (except perhaps Season 8). I would refer you to George R. Martin’s even better books, except that we are still awaiting books 6 and 7, and don’t yet know whether Drogon will raze Kings Landing in the print version.
As the CISO of Pivot Point Security and a number of other companies, and as someone who chats strategically with 10+ different companies each week, a too-frequent conversation I am having right now is on how CV-19 is changing the practice of information security and associated controls.
I think the change can be (perhaps over-) simplified as follows:
- As clients are increasingly moving to cloud services (whether it’s app servers at AWS, email/collaboration at Microsoft, file sharing at Box, or finance systems at Sage), more of our important data is being stored/processed/transmitted by third parties.
- We have moved from a mobile to a hypermobile and/or perpetually mobile workforce. The term “network security” feels increasingly like an anachronism. Consistent security enforcement across all computing devices and security treatment of access/transit to/of sensitive information is a major challenge.
It is important to note that even when you have a perfectly constructed Information Security Management System (and you do, right?!?), change equals risk. And while simplifying the change like I just did is easy, summarizing the impact of the change—the associated risks, and the right changes in information security controls to manage those risks effectively—is not easy. But I’ll take a cursory stab at it anyway:
- Your Third Party Risk Management/Vendor Risk Management practices need to be revisited/enhanced. Understanding the risks associated with large caches of data and/or key services being unavailable (and outside of your control to recover) is critical. Adjusting your due diligence questionnaires/audits/processes to gain the assurance you need is even more critical. Also:
- Think about having a mechanism to retain your own copy of critical data so that if a service provider were hit by ransomware or another incident you have some ability to control your own destiny.
- Your Incident Response practices need to be updated to ensure that you are able to respond to a breach at a third party.
- Your contracts need to be updated to reflect your new security/privacy expectations/requirements.
- Your IT & IS personnel need to be trained on secure deployment of cloud services. Remember, information security is a shared responsibility in cloud—not the cloud vendor’s responsibility alone. Every day some company’s data is compromised at Microsoft, Google, Salesforce, etc. because of mistakes made by the client, not the Cloud Service Provider.
- Your Logging/Monitoring practices need to be updated to ensure that you have the visibility you need.
- Your Identity & Access management processes need to be updated to reflect hyper mobility. Zero Trust, context sensitive authentication, and MFA move from “nice to have” to “need to have.”
- Your cryptography practices need to be updated to ensure the risk to critical data disclosure is minimized (think key location/strength/recovery/rotation and/or certificate based authentication).
- Your Security Awareness Education needs to be updated to reflect work from home and a cloud-centric or a cloud-first business model.
- Your “network security” practices/concepts need to be completely reconsidered. Traditional network security concepts worked like King’s Landing—build strong walls to keep the bad guys out and trust everyone inside the perimeter. Mobility puts doors (holes) in the walls. Hyper mobility tore down the walls. Perpetual mobility razed King’s Landing (like Drogon did). Key issues include:
- How do you now limit user access to dangerous web sites, minimize unwanted attacks reaching their laptops, ensure that business critical data is not being ex-filtrated/shared, ensure that only employees can access critical cloud resources, ensure that only corporate assets can access critical information, ensure that assets are properly configured/patched, etc. The “choke point” (main gate to Kings Landing) where all ingress/egress occurred and policies/security were enforced is no longer there.
- Analogous models require a new lexicon. Cloud Firewalls, Cloud Access Security Brokers, Mobile Device Patch Management, Secure Access Service Edge (SASE) and Zero Trust principles replace previous mechanisms.
Because the solution architecture must change so significantly, a high percentage of your information security controls need to change as well (e.g., Asset Management, HR Security, Access Control, Cryptography, Physical Security, Operations Security, Communication Security, Incident Management and Business Continuity). It’s easy to miss a key risk; for example, how are you going to conduct system level forensics on a computer (corporate or BYOD) that is permanently mobile? How can you ensure sensitive information in Office 365 is only accessed on corporate devices?
The above litany of changes represents a pretty significant lift. For example, using ISO 27001 Annex A controls to illustrate the magnitude, you should likely revisit approximately 65% of the 114 controls. A majority of those will need at least some minor tuning, and a third will likely need significant updates.
Time for find a “Bran the Builder” to get your security kingdom back in order.