The government's information security community is having a midlife crisis. Long-relied upon strategies, skills and tools are no longer effective, as hackers always seem to find a new way to get in and valuable data is leaking out in record-setting breaches. Money is certainly being thrown at the problem, but that in and of itself doesn't automatically solve it.
A Gartner forecast anticipates InfoSec spending to reach $76.9 billion in 2015. Today's "threat surface" has profoundly expanded due to greater data volume, which translates into greater potential access for hackers, worsened by new vulnerabilities presented by mobile and cloud. The security blueprint of just a few years ago – including a firewall, "demilitarized zone" and a handful of tools – is obsolete. There's simply more data for hackers to take and the security capabilities of yesterday's tools have been eclipsed.
It's no longer a matter of if a breach is going to occur but when. Government InfoSec leaders need to adopt a mindset that looks beyond breach prevention. The first step to resolving the issue is acceptance, and then laying the groundwork for a "secure breach" future in which cyber intruders who penetrate a network perimeter won't be able to access or use valuable data. After all, there's no foolproof way to prevent a breach – you build higher walls, they build taller ladders.
There is, however, a new approach to InfoSec that can enable organizations to effectively prepare for, and avoid falling victim to, a breach. The old blueprint can serve as a Plan B, but the following three steps prevent data from being accessible to or usable by hackers and should be at the forefront of every InfoSec leader's agenda.
Control User Access: Agencies must protect user identities. Strong authentication blocks unauthorized access to sensitive data and holds individuals accountable. Passwords can be easily hacked, stolen, copied or shared, making them the most vulnerable form of authentication. Require users to log in with something they know (e.g., a username) along with something they have (e.g., a one-time passcode generated by a physical token). Also, apply different authentication methods for different user groups to prevent misuse by insiders.
Encrypt the Data: Move security controls as close as possible to the data. Use encryption to ensure that even after a perimeter has been breached, stolen information remains secure. Data in physical, virtualized and cloud environments can all be encrypted. Don't overlook network traffic between headquarters and other sites; cyber criminals can easily "tap" your fiber-optic cables. There is also the risk of data being transmitted to the wrong location. These risks can be eliminated by automatically encrypting data in motion.
Secure the Encryption Keys: Losing cryptographic keys can take down an entire data and security infrastructure. Authenticated users still need quick access to data to do their jobs. Isolated, disconnected key management makes it nearly impossible to manage what could be thousands of keys. Since these keys are stored in various places, often on the very systems containing sensitive data, they're vulnerable. Unprotected backup keys in transit create additional exposure. A crypto management platform enables centralized control, as well as the ability to rotate, store, back up, delete and create new keys. Vaulting keys in a physical hardware security module provides added protection.
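The two steps above, encrypting the data and keeping the keys under central control, are usually implemented together as envelope encryption: each record is sealed with its own data-encryption key (DEK), and only that small key is wrapped under a versioned key-encryption key (KEK) that never leaves the key-management platform or HSM. The Go example below is added here to show that pattern; it is not the author's or Gemalto's code, and KeyVault, Record and the other names are this example's own, with the in-memory KeyVault standing in for a real HSM-backed service. It demonstrates key creation, rotation and deletion, and the article's central claim: a stolen Record is unusable without the vault, and a tampered ciphertext is caught by the AES-GCM authentication tag.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyVault is a simplified stand-in for a central key-management platform or
// HSM: versioned key-encryption keys (KEKs) that never leave it. The zero value is ready to use.
type KeyVault struct {
	keks    map[uint32][]byte
	current uint32
}

// Record is what lands on disk or in a database: the data ciphertext plus the
// wrapped per-record data-encryption key (DEK). Stolen on its own, it is unusable.
type Record struct {
	KEKVersion uint32
	WrappedDEK []byte
	Ciphertext []byte
}

// randomBytes draws from the OS CSPRNG; if that fails there is no safe way to continue.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// aesGCM builds AES-256-GCM; every key here is 32 bytes, so an error is a programming bug.
func aesGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return aead
}

// seal encrypts with a fresh random nonce and prefixes that nonce to the ciphertext.
func seal(key, plaintext []byte) []byte {
	aead := aesGCM(key)
	nonce := randomBytes(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, nil)
}

// open splits off the nonce and decrypts; any tampering fails the GCM tag check.
func open(key, sealed []byte) ([]byte, error) {
	aead := aesGCM(key)
	n := aead.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, sealed[:n], sealed[n:], nil)
}

// Rotate creates a new KEK version and makes it current; older versions stay until revoked.
func (v *KeyVault) Rotate() uint32 {
	if v.keks == nil {
		v.keks = map[uint32][]byte{}
	}
	v.current++
	v.keks[v.current] = randomBytes(32)
	return v.current
}

// Revoke destroys a KEK version; every record still wrapped under it becomes unrecoverable.
func (v *KeyVault) Revoke(version uint32) { delete(v.keks, version) }

// Encrypt: fresh DEK per record, data sealed with the DEK, DEK wrapped with the current KEK.
func (v *KeyVault) Encrypt(plaintext []byte) (*Record, error) {
	kek, ok := v.keks[v.current]
	if !ok {
		return nil, errors.New("no current KEK; call Rotate first")
	}
	dek := randomBytes(32)
	return &Record{KEKVersion: v.current, WrappedDEK: seal(kek, dek), Ciphertext: seal(dek, plaintext)}, nil
}

// Decrypt unwraps the DEK with the recorded KEK version, then opens the data.
func (v *KeyVault) Decrypt(r *Record) ([]byte, error) {
	kek, ok := v.keks[r.KEKVersion]
	if !ok {
		return nil, fmt.Errorf("KEK version %d is not available", r.KEKVersion)
	}
	dek, err := open(kek, r.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, r.Ciphertext)
}
```

Rotating issues a new KEK version for new records while older versions keep unwrapping existing ones, so thousands of records can be re-keyed gradually by rewrapping only their DEKs. Revoking a version is how a key is deleted, and it deliberately makes everything still wrapped under that version unreadable, which is why backup copies of key material need the same protection as the keys in the vault.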
This is the new InfoSec foundation. That said, there are still areas requiring additional work and new technology.
There needs to be added focus on detection, and hurdles exist. Technology needs to be in place that provides insight into when something is wrong and accurately assesses the damage. The challenge, however, is that organizations rely on "big data tactics," which creates a big problem when InfoSec teams receive 500 alerts with nearly as many false positives. Worse, hackers understand how detection works: they generate random traffic to disguise what they're doing and can create thousands of alerts, only one of which is real.
Today's tools are inadequate, and next-generation detection solutions are needed. These, I expect, will mature enough in the next year or two. Deterministic technology that can handle big data and generate valuable "small data" in return will be critical for InfoSec leaders – narrowing down alerts to cut the response gap, along with providing capabilities for automatic protection.
There will probably never be perfect detection. However, the approach that can work well today is the immune system strategy – one in which it doesn't matter if a hacker gets in because what they'll find is unusable, one that ensures data in motion is encrypted until it reaches the vault on the server. Accepting that a breach will occur is the first step, and creating the new InfoSec foundation that accomplishes this will bring back control and help avert a costly crisis.
Jason Hart is Gemalto's VP and CTO for data protection.