Vigilance and foresight are two key qualities in the cybersecurity field. 2017 brought many serious challenges, but what lies ahead in 2018 that needs our attention and strategic thinking? Let’s look ahead at three factors on the horizon that will impact the network, possibly for years to come.
Ready or Not, Here Comes GDPR
First and foremost is a known quantity: the General Data Protection Regulation (GDPR), which takes effect in May 2018. It will have a major impact both on organizations in the European Union and on any company elsewhere that processes the personal data of people in the EU. It is often compared to the breach-notification laws enacted in 48 U.S. states, but it goes much further: organizations must account for all personal data they hold and for every party granted access to it, and the definition of personal data is broad enough to cover online identifiers such as IP addresses and cookies.
This regulation isn’t just for huge, multinational enterprises. The GDPR applies to any organization, regardless of size, that processes the personal data of people in the EU, and it reaches organizations with no EU presence at all if they offer goods or services to people in the EU or monitor their behaviour (the 250-employee figure that is often quoted only narrows the record-keeping duty, not the regulation’s scope). Because it is a Regulation rather than a Directive, it applies directly in every member state without national transposition, so U.S. companies in scope must comply with its text as written, and the fines for non-compliance are steep: up to €20 million or four percent of annual global turnover, whichever is greater.
These fines are intentionally severe because data privacy matters so much to the EU, and they give regulators the teeth to police compliance. GDPR compliance language will begin to appear on business websites as companies seek to assure customers that their data is safe. But the bigger shift for businesses will be the need to dig deep into their processes to comply. They will need full visibility into who has access to personal data, and, as we will see below, that is rare.
The Need to Secure the Core
Organizations worldwide will continue to face cyber threats and struggle to maintain a solid and continuous compliance and security posture as nation-state-sponsored cyber-attacks, cybercriminals and hacktivists proliferate and innovate.
That may seem obvious, but what is less obvious is that in a world without network perimeters, companies must invest all the way down to the infrastructure core of the business to secure their data. While technology changes at rapid speed, many processes remain stuck in the past. Static security measures like passwords and vaults don’t move at the speed of today’s business and simply aren’t enough anymore.
Malicious actors love to target static credentials because they are such easy prey: a password or key that never changes can be stolen once and reused for as long as it stays valid. Ideally, significant investment would be made to secure a company’s technology core as the company is being built. However, it’s not too late for existing companies to go below the application layer and build security at the foundational level with elements like certificates, SSH keys and PAM.
A New Way to Manage Access
CIOs, CISOs, IT security teams and IT architects across the globe struggle to control privileged access to protected data, and it has become a board-level topic. SSH user key-based access, sometimes referred to as the dark side of compliance, keeps surfacing on the high-risk radar as uncontrolled and unmanaged elevated access into production. Organizations must consider SSH access when assessing security because these keys grant the highest level of access yet are rarely, if ever, monitored.
Evidence of this shortcoming can be found in a recent report from the Cyber Security Research Institute, in which 61 percent of respondents said they do not limit or monitor the number of administrators who manage SSH, and 90 percent said they do not have a complete, accurate inventory of all SSH keys. Without an inventory there is no way to tell whether a key has been stolen or misused, or whether it should be trusted at all.
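What a "complete, accurate inventory" actually has to answer (which keys exist, on which hosts, under what restrictions, and whether anyone still vouches for them) is easier to see in code. The following is an added example, not tooling from the report or any vendor. It parses authorized_keys content for two constructed hosts, computes each key's SHA256 fingerprint the way `ssh-keygen -l` does, and flags keys that are absent from an approved list, reused across hosts, or installed without a `from=` or `command=` restriction. The key blobs, host names, approved list and the `audit`/`parse_line` helper names are all constructed for the example.

```python
"""SSH key inventory: added example with constructed data, not tooling from
the report or any vendor.  Reconciles authorized_keys entries across hosts
against an approved list and reports the risky ones."""
import base64
import hashlib
import re
import struct
from collections import defaultdict

# Key-type token, base64 blob, optional comment; anything before the type
# token is the comma-separated options field (from=, command=, no-pty, ...).
KEY_RE = re.compile(
    r'(?P<opts>.*?)\s*\b(?P<type>ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp\d+|ssh-dss)\s+'
    r'(?P<blob>[A-Za-z0-9+/]+={0,2})(?:\s+(?P<comment>.*))?$'
)

def fingerprint(b64_blob):
    """SHA256 fingerprint in the form `ssh-keygen -l` prints (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def split_options(opts):
    """Split the options field on commas that are outside double quotes."""
    parts, cur, quoted = [], "", False
    for ch in opts:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    if cur:
        parts.append(cur)
    return parts

def parse_line(line):
    """Parse one authorized_keys entry; None for blank lines and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = KEY_RE.match(line)
    if not m:
        raise ValueError(f"unparseable authorized_keys entry: {line!r}")
    opts = split_options(m.group("opts"))

    def opt_value(name):
        for o in opts:
            if o.startswith(name + "="):
                return o[len(name) + 1:].strip('"')
        return None

    return {
        "type": m.group("type"),
        "fingerprint": fingerprint(m.group("blob")),
        "comment": m.group("comment") or "",
        "from": opt_value("from"),        # source restriction, if any
        "command": opt_value("command"),  # forced command, if any
    }

def audit(hosts, approved):
    """hosts: {hostname: authorized_keys text}; approved: {fingerprint: owner}.
    Returns (inventory keyed by fingerprint, sorted list of findings)."""
    inventory = defaultdict(list)
    for host, content in hosts.items():
        for line in content.splitlines():
            entry = parse_line(line)
            if entry:
                inventory[entry["fingerprint"]].append((host, entry))
    findings = []
    for fp, uses in inventory.items():
        on_hosts = sorted({h for h, _ in uses})
        if fp not in approved:
            findings.append(("unknown-key", fp, on_hosts))  # nobody vouches for it
        if len(on_hosts) > 1:
            findings.append(("shared-across-hosts", fp, on_hosts))
        for host, e in uses:
            if not (e["from"] or e["command"]):
                findings.append(("unrestricted", fp, [host]))
    return dict(inventory), sorted(findings)

def fake_ed25519_blob(seed):
    """Constructed key material: a syntactically valid ssh-ed25519 public-key
    blob whose 32-byte payload is derived from `seed`.  Not a real key."""
    pub = hashlib.sha256(seed.encode()).digest()
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + pub
    return base64.b64encode(blob).decode()

KEY_ALICE = fake_ed25519_blob("alice")
KEY_DEPLOY = fake_ed25519_blob("deploy-pipeline")
KEY_OLD = fake_ed25519_blob("contractor-2015")

# Constructed authorized_keys files for two hosts.
HOSTS = {
    "web-01": f'''# constructed for the example
from="10.0.0.0/8" ssh-ed25519 {KEY_ALICE} alice@laptop
ssh-ed25519 {KEY_DEPLOY} deploy
ssh-ed25519 {KEY_OLD} contractor
''',
    "db-01": f'''ssh-ed25519 {KEY_DEPLOY} deploy
command="/usr/local/bin/backup",no-pty ssh-ed25519 {KEY_OLD} backup
''',
}
# The approved list is what the inventory is reconciled against; the
# contractor key from 2015 is deliberately absent from it.
APPROVED = {fingerprint(KEY_ALICE): "alice", fingerprint(KEY_DEPLOY): "deploy pipeline"}

if __name__ == "__main__":
    inventory, findings = audit(HOSTS, APPROVED)
    print(f"{len(inventory)} distinct keys across {len(HOSTS)} hosts")
    for kind, fp, where in findings:
        print(f"{kind:20} {fp} on {', '.join(where)}")
```

Run against real hosts, the `HOSTS` dict would be filled from each server's `~/.ssh/authorized_keys` files (root's and service accounts' included), and the approved list would come from whoever owns key issuance. The three finding kinds map directly onto the report's gap: an "unknown-key" is one nobody can vouch for, a "shared-across-hosts" key is one whose theft compromises every host it is on, and an "unrestricted" key is one that can be used from anywhere for anything.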
With the migration to the cloud, poor key management is simply untenable. Cloud applications are elastic, scalable and dynamic, while traditional PAM was designed for static physical servers in much smaller environments. Like passwords and other static measures, static PAM no longer gets the job done: it lacks the agility the cloud demands, handles elastic services poorly and, in practice, does not cope well with legacy infrastructure either. Projects become complex and expensive.
All is not lost, though: a newer approach, sometimes marketed as next-generation PAM (NXPAM), offers just-in-time access. Instead of permanent credentials on servers, it issues short-lived credentials on demand for each session, so there are no passwords to rotate, no vault to store them in and no agent to install and patch on every server. Two caveats a practitioner should keep in mind: the servers still have to be configured to trust whatever authority issues those credentials, and that issuing service, together with its policy, becomes the single most valuable target in the environment and needs to be hardened and audited accordingly. With that done, deployment is fast and straightforward and scales with the environment rather than with the number of secrets.
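The mechanics behind "short-lived credentials created on demand" are worth seeing concretely. The following added example is not code from NXPAM or any vendor; it uses OpenSSH user certificates, which are one standard way to implement the idea. A small broker checks the request against a constructed policy table, signs the requester's public key with an SSH certificate authority for a five-minute validity window using `ssh-keygen`, and reads the certificate back to show exactly what was granted. The `POLICY` table, the user and group names, and the `decide`/`issue_certificate`/`demo` helpers are assumptions for the example. On the server side the only configuration needed is a `TrustedUserCAKeys` line in `sshd_config` pointing at the CA's public key, plus an account matching the granted principal; no per-user key is ever written there.

```python
"""Just-in-time SSH access with short-lived OpenSSH user certificates.
Added example; policy table, names and helpers are assumptions, not code
from NXPAM or any vendor.  Needs ssh-keygen on PATH to mint certificates;
the policy check and listing parser are pure Python."""
import os
import shutil
import subprocess
import tempfile

# Constructed policy: (user, target group) -> (principal granted, TTL in minutes).
# With default sshd settings the principal must equal the account the user
# logs in as, so "deploy" here means "may log in as the deploy account".
POLICY = {
    ("alice", "web"): ("deploy", 5),
    ("alice", "db"): ("readonly", 5),
}

def decide(user, target_group):
    """Return (principal, ttl_minutes) for an allowed request, else None."""
    return POLICY.get((user, target_group))

def parse_cert_listing(text):
    """Pull key ID, validity window and principals out of `ssh-keygen -L` output."""
    info = {"principals": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Key ID:"):
            info["key_id"] = line.split(":", 1)[1].strip().strip('"')
        elif line.startswith("Valid:"):
            info["valid"] = line.split(":", 1)[1].strip()
        elif line.startswith("Principals:"):
            section = "principals"   # names follow on indented lines
        elif ":" in line:
            section = None           # any other "Field:" header ends the list
        elif section == "principals" and line:
            info["principals"].append(line)
    return info

def issue_certificate(workdir, user, target_group):
    """Mint a certificate for `user` valid for the policy TTL; return its fields."""
    grant = decide(user, target_group)
    if grant is None:
        raise PermissionError(f"{user} has no standing access to {target_group}")
    principal, ttl = grant
    ca = os.path.join(workdir, "user_ca")        # CA key: lives with the broker only
    key = os.path.join(workdir, f"{user}_key")   # user key pair, generated here for the demo
    for path, comment in ((ca, "example-user-ca"), (key, user)):
        subprocess.run(["ssh-keygen", "-q", "-t", "ed25519", "-N", "", "-C", comment, "-f", path],
                       check=True)
    subprocess.run([
        "ssh-keygen", "-q", "-s", ca,
        "-I", f"{user}:{target_group}",  # key ID, logged by sshd on every login
        "-n", principal,                 # principal the server matches against
        "-V", f"+{ttl}m",                # valid from now until now + TTL
        key + ".pub",
    ], check=True)                       # writes <key>-cert.pub next to the public key
    listing = subprocess.run(["ssh-keygen", "-L", "-f", key + "-cert.pub"],
                             check=True, capture_output=True, text=True).stdout
    return parse_cert_listing(listing)

def demo(user="alice", target_group="web"):
    """Run the broker end to end in a temp dir; None if ssh-keygen is unavailable."""
    if shutil.which("ssh-keygen") is None:
        return None
    with tempfile.TemporaryDirectory() as workdir:
        return issue_certificate(workdir, user, target_group)

if __name__ == "__main__":
    cert = demo()
    print(cert if cert else "ssh-keygen not found; policy check only")
```

The certificate carries the principal, the key ID and the validity window inside the signed blob, so the server enforces the five-minute limit itself and there is nothing to revoke or rotate when the session is over. What does still need protecting is the CA private key and the `POLICY` table: whoever controls those controls every server that trusts the CA.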
Address Risks Now
With the impending implementation of the GDPR and cyber threats that can gain access to core network areas, organizations need to take a hard and close look at what security and compliance measures are in place. Are policies consistently being carried out? Are they effective?
The network and everything it contains have never been under greater threat.
A common theme, however, runs through all three factors: governance of trusted access to protected data. Going into 2018, it is crucial to start addressing these risks early. Organizations must have complete accountability for their protected data: who has access to it? Where does it live? What laws and regulations shape the compliance program?
Particularly if you are operating on legacy systems, an effective defense strategy requires embedding security at the infrastructure level. It’s here that the greatest amount of harm can be done if breached, so controlling access is essential. Keep the above three factors in mind as you move into the new year and put security measures in place to create a firm foundation for your organization and its customers.