As the clock strikes midnight on the eve of December 31st, 2020 and the new year wishes start pouring in from family and friends, we bring to a close what can easily be called the most unprecedented year for mankind, at least over the last few decades. The pandemic has had a transformative impact on the way we work, communicate and, ultimately, lead our lives. On the work front, it has been a year that has seen a manifold increase in the number of employees working from home and an unprecedented shift to cloud computing and storage. Pre-COVID times, there were 7 million people working from home in the United States (U.S.). As per SHRM’s COVID-19 Business Index, 64% of US employees are working from home now. IDC research (Global IT Outlook 2021 and beyond) also points out a continued acceleration to cloud. By the end of 2021, enterprises will put a mechanism in place to shift to cloud-centric infrastructure and applications twice as fast as before the pandemic.
The change was not limited to our day-to-day lives. The year has also warranted a sea change in the way we approach cybersecurity within an enterprise environment. With changing work styles, the security postures and preparedness of companies also needed to change. Most security teams already had some controls and tools to manage remote workers. But the sheer magnitude of users means that many of these controls had to be revisited.
It was also a year of BIG data breaches. The most high-profile one was the recent ‘SolarWinds Orion’ hack that has impacted government organizations and close to 18,000 SolarWinds customers. A publicly released statement from SolarWinds points out that hackers forged SAML authentication tokens to gain access to the Orion software build system (or CI/CD development environment). In the end, what this points out is that despite all the investments into securing IT systems, cyberthreats are increasing and it is time to look at cybersecurity beyond just perimeter and infrastructure security.
And as we take a plunge into 2021 with a renewed sense of positivity and hope, here are two key cybersecurity lessons that I would like to highlight to create a ‘Data Secure 2021’.
Lesson 1: Prioritize Data Security over Perimeter Security
An important lesson from the events of last year is that security needs to move away from the old-school perimeter security approach to a data-security-centric approach. In addition to tools like network monitoring, firewalls, etc., it is time to focus on protecting the data itself by using encryption and strong access controls to prevent unauthorized access. At the end of the day, data security is all about controlling who (person) or what (app) should access the data and about how to make sure those who attempt access are authorized. We should assume that all networks are compromised at this point. Most organizations already have identity (IAM/SSO) and access control rules in place but don’t encrypt all their sensitive data. Most security breaches arise because there are too many ways around perimeter tools and into networks. Software systems are complex: one vulnerability in one piece of software, or one misconfiguration, and the entire perimeter defense falls apart.
Fortanix, at its core, is the world’s simplest security idea. We take your access controls and ensure no one can violate them by encrypting data across the entire lifecycle until an authorized person proves that they should be able to access it. This holds true even when an attacker has physical control of the system and can put any malware on it, even when the OS is compromised.
Lesson 2: Secure your software development life cycle
As per a recent article in Money Control, one of the SolarWinds employees had mistakenly uploaded his credentials to GitHub, including a username and a password that was as simple as “Solar123”. This is not a one-off instance. In fact, it is widely observed that developers often inadvertently leave behind sensitive pieces of code embedded in applications, files, and code repositories. One real-world example is the way in which some developers use GitHub. Most developers seem to use GitHub casually, leading to increased risk of insider threats and hacking incidents. In another incident in 2016, hackers penetrated Uber’s source code repository via GitHub, accessing intellectual property, AWS credentials and the personal data of more than 7 million Uber drivers and 50 million customers. That takes us to the next important lesson. It is critical for enterprises to secure their software build process.
Fortanix provides a great set of tools to protect the software build process:
A secure secrets management solution that can manage secrets natively in the cloud and on-premises and that integrates with any DevOps environment through REST APIs and with upcoming technologies like Kubernetes.
A quorum approval policy which mandates that all security-sensitive operations and software build processes need a quorum approval.
Hardware enclaves powered by Intel SGX that enable development teams to run the build process inside the organization’s trust boundaries.
Auditing integration with SIEM tools (Syslog, Splunk, and CSP logging) for enhanced protection and deep visibility through the audit logs.
In short, an unprecedented year has set a new precedent. Security teams are being forced to adapt to the changing dynamics of work from home and cloud-first, which requires deviating from the traditional brick-and-mortar, infrastructure-oriented security to a data-centric approach. We at Fortanix believe that businesses and individuals should be able to secure data without relying on the security of the underlying infrastructure. Fortanix makes it possible to decouple security from the infrastructure. Let us work together in 2021 to turn the challenges of 2020 into an opportunity to strengthen our security and take advantage of our newfound flexibility to work from home and move all of our workloads to the cloud.