Have we put too much emphasis on protecting the network?
Recently, much of the cybersecurity commentary and blogs have talked about new approaches for protecting the network, especially beyond the perimeter. For the past few years, the industry has focused on conditional access (i.e., identity as the new perimeter) and even zero trust.
We talk about the perimeter becoming porous and traditional “network” defenses — like firewalls — as no longer being effective. The trend is for our discussions to take on a verbal shorthand and presume that everyone understands what we mean when we talk about protecting the network, beyond the perimeter.
Let’s take a step back and look afresh at what we are trying to convey. Our focus is not solely on protecting the network. The “network” is really the plumbing that all of our interconnected devices, applications, data, and resources rely on, and through which we pass instructions and information.
In many ways the network is a utility of pathways, mapped so that we can pass those instructions and information effectively. Like a utility, we expect it to be available as needed, and while it should be maintained and yes, even protected, our shorthand of protecting the network has obfuscated the real targets of what we should be protecting and the controls for providing that protection.
We should throttle back the shorthand phrase of protecting the network and actually talk about protecting the application, data, and resources that we rely on in today’s environment of information technology. This means understanding what those targets really are, the value of those targets, and being able to manage and control access to those targets. This is not novel or brilliant — in fact it is the basis of the Center for Internet Security’s Top 20 Critical Security Controls.
For years, we have focused on the basic concepts — the assets we want to protect should be known, have an identity, be a part of managed inventory, be monitored, and be controlled by strong authentication and authorization rules. Additionally, trust cannot and should not be assumed by any asset of any other asset, person, or resource. This is really the definition of zero trust. We have to focus our controls as close to the asset as possible and enforce access controls at the level of the asset or resource, not at the level of the network.
Critics will take a reductio ad absurdum approach and argue that not protecting the network is ruinous. I agree, we still have to protect the enterprise network starting at the endpoint, mobile device, or IoT sensor. We need to protect our entire IT system, but perhaps we need to change how we describe implementing this protection.
Rather than talk about protecting the network, we should talk about identifying, managing, monitoring, and controlling access to our IT assets and data as the priority, and protecting and managing the network as protecting the infrastructure — critical as it may be. Part of this uniform protection is to understand the inventory of all of the devices, resources, applications, and policy enforcement points along the pathway.
Additionally, the inventory should include hashed values of the software, and a way to validate that the software and firmware components are not changed without authorization, be that by a user, or by another process (a non-person entity NPE). All changes and updates should be logged and audited for the identity of the authenticated user or process, and purpose of those changes, along with the date and time.
Policy controls should be targeted and specific about creating zones of trust as narrowly defined as possible, and only authenticated and authorized activities should be allowed to cross the boundary of those zones of trust. Once we have achieved this basic level of maturity, then we can begin to automate the monitoring, detection, and even remediation of threats targeted at valuable resources across the enterprise network.
Focusing on and describing the components of our IT solutions, with specific priorities on our valuable resources, data, applications, and zones of trust, rather than on protecting the network, is more than simply semantics. When we change the focus of the discussion to the priority and valuable resources of our IT solutions, we realize a more effective return on our cybersecurity investments.