Cybersecurity in 2018: Three Trends to Act On
By Andy Hammond, strategist and evangelist, Vice President Business Development, SSH Communications Security, and Red Curry, cybersecurity strategist, Director of Digital Marketing, SSH Communications Security
You know the phrase “Hindsight is 20/20,” but wouldn’t it be handy—particularly in the arena of cybersecurity—to be able to see into the future with greater clarity? Organizations the world over are gearing up for a robust new regulation to take effect, dealing with ineffective authentication methods and revisiting how they manage privileged access in the new year. Let’s take a look at each of these trends in terms of how they will affect your cybersecurity posture in 2018 and beyond.
The Impact of the GDPR
A new regulation about to take effect has global implications: the General Data Protection Regulation (GDPR), which will take effect in May 2018. This regulation will have a major impact on the European Union and on international companies with access to European citizens’ sensitive data. The GDPR is considered comparable to the U.S. Security Breach Legislation enacted in 48 states, but on steroids. Organizations must account for all sensitive data and the access granted to it. At the same time, it expands the definition of sensitive data to include online identifiers, such as an IP address or cookies.
What’s unique and difficult about the GDPR is its level of jurisdiction. The regulation applies to any organization with more than 250 employees that has the personal data of EU citizens, regardless of whether that organization has a location in the EU or targets EU citizens. This marks the first time U.S. companies have had to abide by an EU Regulation (as opposed to a Directive), and the fines for non-compliance are steep: up to €20 million or four percent of annual global turnover, whichever is greater.
GDPR compliance language will begin to appear on business websites as companies seek to assure customers that their data will be safe. But the bigger shift for businesses will be the need to dig deep into their processes to comply with this regulation. They will need to have full visibility into who has access to sensitive data–and as we will see below, that is rare.
Moving Away from Static Security
Malicious actors seem to possess limitless innovation and drive, meaning that organizations worldwide will continue to face cyber threats and struggle to maintain a solid and continuous compliance and security posture.
Because the network perimeter is a thing of the past, companies must invest down to the infrastructure core of the business to secure their data. While technology is changing at lightning pace, many processes remain stuck in the past. Static security measures like passwords and vaults don’t move with the speed of today’s business and simply aren’t enough anymore.
Hackers like to focus on attacking static security for a reason: such attacks are highly successful.
Ideally, then, significant investment would be made to secure a company’s technology core as the company is being built. However, it’s not too late for existing companies to go beneath the OS and build security at the foundational level with elements like certificates, SSH keys and PAM.
No matter where a company is located, its cybersecurity executives and staff find maintaining privileged access to protected data a challenge. It’s a board/business topic. SSH user key-based access, referred to as the dark side of compliance, continues to bubble up on the high-risk radar as uncontrolled and unmanaged elevated access into production. Organizations must consider SSH access when assessing security because SSH keys provide the highest level of access yet are rarely, if ever, monitored.
This lack of monitoring constitutes a significant cybersecurity failure, and a recent study by the Cyber Security Research Institute provides proof that the failure is widespread. It revealed that 61 percent of respondents do not limit or monitor the number of administrators who manage SSH. Further, 90 percent of respondents do not have a complete, accurate inventory of all SSH keys. This means that there is no way to tell whether keys have been stolen or misused or should be trusted.
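The inventory gap described above is concrete enough to script. The following is an added example written for this article, not code from SSH Communications Security or from the study cited: it parses authorized_keys entries for several accounts the way sshd reads them, fingerprints each key in the `SHA256:` form that `ssh-keygen -lf` prints, and flags entries that deserve review: RSA keys below an assumed 2048-bit policy threshold, entries with no `from=` source restriction, and one key trusted by more than one account. The sample files and key material are constructed inside the code and are not real keys.

```python
# Added example: inventory authorized_keys entries across accounts and flag
# the ones an auditor would look at. Entries are parsed the way sshd does
# and fingerprinted in the SHA256 format that `ssh-keygen -lf` prints.
# Sample key material is constructed below and is not a real key pair.
import base64
import hashlib
import re
import struct
from collections import defaultdict

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")
MIN_RSA_BITS = 2048  # assumed policy threshold for this example
OPTION_RE = re.compile(r'(?:[^,"]|"[^"]*")+')  # one option; commas inside quotes kept

def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b

def _ssh_mpint(n: int) -> bytes:
    # Positive mpint: big-endian, leading zero byte when the high bit is set.
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

def _read_string(blob: bytes, off: int):
    (n,) = struct.unpack_from(">I", blob, off)
    return blob[off + 4:off + 4 + n], off + 4 + n

def fingerprint(blob: bytes) -> str:
    # SHA256 over the wire blob, unpadded base64, as ssh-keygen -l prints it.
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def rsa_bits(blob: bytes) -> int:
    # ssh-rsa wire format: string "ssh-rsa", mpint e, mpint n; return bit length of n.
    _, off = _read_string(blob, 0)
    _, off = _read_string(blob, off)
    n, _ = _read_string(blob, off)
    return int.from_bytes(n, "big").bit_length()

def parse_line(line: str):
    """Return (options, key_type, blob, comment), or None for blank and comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options = []
    if not line.startswith(KEY_TYPE_PREFIXES):
        # Leading option list: runs to the first whitespace outside double quotes.
        m = re.match(r'((?:[^\s"]|"[^"]*")+)\s+(.*)', line, re.S)
        if m is None:
            raise ValueError("malformed authorized_keys entry")
        options, line = OPTION_RE.findall(m.group(1)), m.group(2)
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("malformed authorized_keys entry")
    key_type, blob = parts[0], base64.b64decode(parts[1])
    if _read_string(blob, 0)[0].decode() != key_type:
        raise ValueError("key type field does not match the key blob")
    return options, key_type, blob, (parts[2] if len(parts) == 3 else "")

def inventory(files: dict):
    """files maps account name -> authorized_keys text. Returns (entries, findings)."""
    entries, findings, owners = [], [], defaultdict(set)
    for account, text in files.items():
        for lineno, raw in enumerate(text.splitlines(), 1):
            parsed = parse_line(raw)
            if parsed is None:
                continue
            options, key_type, blob, comment = parsed
            fp, where = fingerprint(blob), f"{account}:{lineno}"
            entries.append({"account": account, "line": lineno, "type": key_type,
                            "fingerprint": fp, "comment": comment, "options": options})
            owners[fp].add(account)
            if key_type == "ssh-rsa" and rsa_bits(blob) < MIN_RSA_BITS:
                findings.append((where, "short-rsa-key"))
            if not any(o.startswith("from=") for o in options):
                findings.append((where, "no-source-restriction"))
    for fp, accounts in owners.items():
        if len(accounts) > 1:  # one private key trusted by several accounts
            findings.append((fp, "shared-across:" + ",".join(sorted(accounts))))
    return entries, findings

# Constructed sample data: placeholder key material, not real keys.
def ed25519_entry(seed: int, options: str = "", comment: str = "") -> str:
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(hashlib.sha256(bytes([seed])).digest())
    return f"{options + ' ' if options else ''}ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"

def rsa_entry(bits: int, comment: str = "") -> str:
    n = (1 << (bits - 1)) | 0x10001  # placeholder modulus of the requested size
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"

SAMPLE_FILES = {
    "root": "\n".join([
        "# constructed sample, not real deployed keys",
        ed25519_entry(1, 'from="10.0.0.0/8",command="/usr/local/bin/backup"', "backup@bastion"),
        rsa_entry(1024, "legacy-app@old-host"),
    ]),
    "deploy": "\n".join([
        ed25519_entry(1, "", "backup@bastion"),  # same key as root's first entry
        rsa_entry(4096, "ci@build"),
    ]),
}
```

Collecting the real files (each account's `~/.ssh/authorized_keys`, plus any path set by `AuthorizedKeysFile` in `sshd_config`) is the part that has to run on every host; the parsing and findings logic stays the same. The fingerprints are what let you reconcile entries against the private keys people claim to hold and against the keys that appear in authentication logs.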
With the mass migration to the cloud, organizations need to take special care not to carry this level of insecurity over to the new infrastructure. Cloud applications are elastic, scalable and dynamic. Traditional PAM was designed for static physical servers in much smaller environments. But as with passwords and other static security measures, static PAM can’t get the job done anymore either. Traditional PAM just doesn’t provide the agility one needs in the cloud and doesn’t handle elastic services well at all. In fact, it doesn't handle traditional legacy infrastructure very well. Projects become complex and expensive.
But they don’t have to. Next-generation PAM (NXPAM) provides a solution to these issues. This NXPAM works without any permanent access credentials on servers, using only short-term temporary credentials that are created on demand. There are no passwords to rotate, no vaults needing to store them and no software that needs to be installed and patched on individual servers. This makes for a very fast and straightforward deployment project with unlimited scalability.
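What “short-term temporary credentials” look like in practice is illustrated by OpenSSH certificates, which carry their own validity window and list of permitted principals. The following added example (neither SSH Communications Security’s NXPAM code nor OpenSSH’s) builds a user certificate in the OpenSSH wire layout with placeholder key material and a placeholder signature, then applies the checks a server makes before trusting it: certificate type, requested principal, and validity window. Signature verification against the CA keys listed in `TrustedUserCAKeys` is left to sshd and is not part of the example; the key id and timestamps are constructed values.

```python
# Added example: decode an OpenSSH user certificate and apply the checks a server
# makes before trusting it: certificate type, principal, and validity window.
# The certificate below is constructed in code with placeholder key material and
# a placeholder signature; sshd verifies the real signature against the keys in
# TrustedUserCAKeys, which this example does not do.
import struct

CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"
USER_CERT, HOST_CERT = 1, 2

def _s(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b

def _rd(blob: bytes, off: int):
    (n,) = struct.unpack_from(">I", blob, off)
    return blob[off + 4:off + 4 + n], off + 4 + n

def build_user_cert(pubkey: bytes, key_id: str, principals, valid_after: int,
                    valid_before: int, serial: int = 1) -> bytes:
    """Encode the certificate fields in the layout OpenSSH's PROTOCOL.certkeys describes."""
    body = (_s(CERT_TYPE) + _s(b"\x00" * 32) + _s(pubkey)            # type, nonce, public key
            + struct.pack(">QI", serial, USER_CERT) + _s(key_id.encode())
            + _s(b"".join(_s(p.encode()) for p in principals))       # valid principals
            + struct.pack(">QQ", valid_after, valid_before)           # validity window
            + _s(b"")                                                # critical options
            + _s(_s(b"permit-pty") + _s(b""))                        # extensions
            + _s(b"")                                                # reserved
            + _s(_s(b"ssh-ed25519") + _s(b"\x11" * 32)))             # CA public key (placeholder)
    return body + _s(b"placeholder-signature")                      # not a real signature

def parse_cert(blob: bytes) -> dict:
    t, off = _rd(blob, 0)
    if t != CERT_TYPE:
        raise ValueError("unsupported certificate type")
    _, off = _rd(blob, off)                  # nonce
    pubkey, off = _rd(blob, off)
    serial, ctype = struct.unpack_from(">QI", blob, off)
    off += 12
    key_id, off = _rd(blob, off)
    plist, off = _rd(blob, off)
    principals, p = [], 0
    while p < len(plist):
        name, p = _rd(plist, p)
        principals.append(name.decode())
    valid_after, valid_before = struct.unpack_from(">QQ", blob, off)
    return {"serial": serial, "type": ctype, "key_id": key_id.decode(),
            "principals": principals, "valid_after": valid_after,
            "valid_before": valid_before, "pubkey": pubkey}

def check_cert(blob: bytes, login: str, now: int) -> str:
    """Return 'ok' or the reason a user certificate must be rejected for `login` at `now`."""
    c = parse_cert(blob)
    if c["type"] != USER_CERT:
        return "not a user certificate"
    if login not in c["principals"]:
        return "principal not listed"
    if now < c["valid_after"]:
        return "not yet valid"
    if now >= c["valid_before"]:
        return "expired"
    return "ok"

def lifetime_seconds(blob: bytes) -> int:
    c = parse_cert(blob)
    return c["valid_before"] - c["valid_after"]

# Constructed sample: a one-hour certificate issued at ISSUED_AT for the deploy account.
ISSUED_AT = 1_700_000_000
SAMPLE_CERT = build_user_cert(b"\x22" * 32, "ticket-4711:alice", ["deploy"],
                              ISSUED_AT, ISSUED_AT + 3600)
```

In an on-demand setup the issuing step is `ssh-keygen -s ca_key -I key_id -n principal -V +1h user_key.pub`, which produces a certificate with exactly the fields decoded above, and `ssh-keygen -L -f` prints them for review. Because nothing persists on the server except the CA public key, there is nothing to rotate or revoke when the hour is up, and the key id ties every login back to the request that issued it.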
What Safety and Compliance Require
As if dealing with the never-ending slew of new cyber threats wasn’t enough, companies must also address the stringent requirements of the GDPR. This requires a hard and close look at what security and compliance measures are in place. Are policies consistently being carried out? Are they effective?
Going into 2018, it is easy to identify a common theme: governance of trusted access to protected data. It is critical to start addressing these risks early. Organizations must have complete accountability for their protected data: Who has access to my data? Where is my data? What laws and regulations impact my compliance program?
Most organizations are operating on legacy systems, which means that addressing compliance and security at the core infrastructure level is paramount. If a bad actor gains access to this level, the damage could be irreparable – especially in a world without network perimeters. Keep the above three trends in mind as you consider your security and compliance strategy for the New Year.