


Beyond the Perimeter: How to Address Layered Security

I was eating dinner in Washington, D.C. with onetime national cybersecurity czar Richard Clarke, now chairman and CEO of Good Harbor Security Risk Direction, when he explained that expert perimeter security isn't enough to protect your network. "The bad guys," Clarke explained, "are already inside your network."

Clarke's point was that cyberattackers, especially state-sponsored actors, have the ability to penetrate most perimeter security protection, at least to some degree. This is not to suggest that perimeter security is unnecessary. That's an important aspect to shore up, as I pointed out in last week's column. Although it's critical, it's not sufficient. You need layers of security so that, when the bad guys break through the perimeter, they still can't do anything to hurt you.

Layered security is something that you've probably heard about before, but for many in IT, it's still a mystery. How do you create layers of security? How do you decide how many layers you need? What should the layers protect? Can there be too many layers?

The answer will depend on your network, the nature of your business, and your level of risk. But it's important to remember that your level of risk may be affected by your business partners. So, if you're a supplier or contractor, for example, then your level of risk will be the same as theirs because those bad guys will try to use you as a pathway to your business partners.

Layers are based on the data you need to protect. This means that you need to make sure your data is preserved, and you also need to make sure it can't be taken from you. And, of course, you need to make sure your network is protected from damage so that your business isn't affected.

Preserving Your Information

Data preservation is the first critical layer. This requires that you make sure a copy of your important data is in secure storage where it's inaccessible to hackers or others, including disgruntled employees. For most companies, such backups should exist in the data center where you can get to them easily when needed, and also in the cloud where tampering is much more difficult. There are a number of public cloud services that will handle backups, including Amazon Web Services (AWS), Google Cloud, and IBM Cloud, as well as dedicated backup services such as Carbonite, which recently acquired its competitor Mozy.

Those backups can then be backed up to geographically diverse locations, which helps ensure they won't be compromised in a single disaster. Usually the entire backup process can be automated so, once it's all set up, the only thing you need to do is confirm the integrity of your backups as needed.

Then there's data protection, which means it has to be inaccessible and unusable if someone finds it. To make your data inaccessible, you need to segment your network so that gaining access to one part of the network doesn't mean you can reach everything. For example, had Target segmented its network when it was breached through its HVAC system in 2022, then the hackers couldn't have accessed other data.

Network segmentation requires routers that deny access by default and only allow network connections from specific network nodes, which the routers filter by using their Media Access Control (MAC) or IP addresses. Internal firewalls can also perform this function and may be more flexible in complex applications.

Overlooking Encryption Is a Big Mistake

In addition to segmentation, your data must also be encrypted, both while it's being transferred across the network and while it's being stored. Encryption is easy to achieve because it's performed by default in wireless and cloud access software, and all modern operating systems (OSes) provide encryption as a standard service. Yet, failure to encrypt critical data is perhaps the single greatest cause of data loss in recent breaches.

The reasons such data is not encrypted, despite legal requirements in many cases to do so, can be summarized in four words: laziness, incompetence, ignorance, and stupidity. There simply is no excuse for failing to encrypt your data.

Finally, there's network protection. Along with protecting your data, you also need to ensure your network isn't used as a platform to launch attacks, and you need to ensure your network devices aren't used against you. This is especially an issue with networks that include machine controllers in your warehouse or factory, and it's an issue with your Internet of Things (IoT) devices.

Basic Security Protocols

This is a major issue because so many network devices have little or no security of their own. Therefore, it's fairly easy to use them as a platform to launch a denial-of-service attack (DoS attack) or to siphon off their data as a way to perform surveillance on your company's operations. They can also be used as a base of operations against your network. Since you can't eliminate these devices, the best you can do is put them on their own network, protect them as much as possible, and then don't let them connect directly to your internal network.

Here we've discussed several layers and, in some cases, your network may require more. But it's important to remember that each layer requires management, and that the protection needed for each layer has to exist on a network with other security layers. This means it's critical that you have the staff to manage each layer, and that the security in each layer doesn't adversely affect the security in another.

It's also important to avoid the solution of the day, meaning one-off security to fight a specific threat. It's easy to get sucked into a sort of security whack-a-mole and end up with an unmanageable mess. Instead, pick a broad-based approach in which the threat of the day won't require yet another layer.
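The deny-by-default segmentation described earlier and the rule that IoT devices never reach the internal network directly can both be checked against a rule set before it goes onto a router or internal firewall. This is an added example, not from the original column; the zone names, address ranges, ports and the deliberately wrong third rule are all constructed.

```python
import ipaddress

# Constructed zones; the address ranges are assumptions for illustration.
ZONES = {
    "internal": ipaddress.ip_network("10.10.0.0/16"),
    "gateway": ipaddress.ip_network("10.30.0.0/28"),   # the only meeting point
    "iot": ipaddress.ip_network("10.50.0.0/24"),
}

# Allow-list of (source, destination, destination port). Nothing else passes.
ALLOW = [
    ("iot", "10.30.0.5/32", 8883),             # devices publish to one gateway host
    ("10.10.4.20/32", "10.30.0.5/32", 443),    # one internal collector reads from it
    ("10.50.0.77/32", "10.10.8.0/24", 22),     # constructed mistake: IoT host into internal
]


def net(spec):
    """Resolve a zone name or a CIDR string to a network object."""
    return ZONES[spec] if spec in ZONES else ipaddress.ip_network(spec)


def is_allowed(src, dst, port, rules=ALLOW):
    """Permit a connection only if an explicit rule matches; otherwise deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule_src, rule_dst, rule_port in rules:
        if s in net(rule_src) and d in net(rule_dst) and port == rule_port:
            return True
    return False  # default deny


def audit(rules=ALLOW):
    """Return rules that let any part of the IoT zone reach the internal zone directly."""
    return [r for r in rules
            if net(r[0]).overlaps(ZONES["iot"]) and net(r[1]).overlaps(ZONES["internal"])]


def hardened(rules=ALLOW):
    """The same rule set with the audited violations removed."""
    bad = audit(rules)
    return [r for r in rules if r not in bad]
```

The audit step matters because a default-deny evaluator faithfully enforces whatever is on the allow-list, including an exception that quietly bridges the two networks.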

Source: https://sea.pcmag.com/ping-identity-pingone/29241/beyond-the-perimeter-how-to-address-layered-security

Posted by: harperprient.blogspot.com
