Often in meetings, whenever the topic of security arises, I’ve frequently encountered clients expressing confidence with statements like, “We have a firewall, so we’re covered.” However, it’s essential to recognize that security transcends the simplistic notion of a protective barrier at the network’s edge. The landscape of security in technology is dynamic, with threats constantly evolving. Relying solely on perimeter security is insufficient.
Would a car manufacturer simply build a factory, leave all the essential hardware tools packed in boxes, hire staff without providing them with training, and then expect flawless assembly of their products? Certainly not. The manufacturer not only constructs the facility but also ensures that employees receive training on operating the equipment to produce the desired product. Drawing from this analogy, relying solely on a firewall or edge security device and hoping for the best is akin to merely building the factory, hiring employees, and expecting optimal results.
This is precisely why the security of infrastructure and applications should be treated as a comprehensive program. Similar to how a manufacturer builds a factory, installs necessary tools, and trains employees, securing an environment requires a systematic approach with a well-defined roadmap and program. Such a program should furnish tools, resources, and training to empower end-users in preventing security incidents within the organization.
To aid in this discussion, let’s define some of the terms that you may hear as they relate to security:
Perimeter Security: The process of defending an organization’s network boundaries from hackers, intruders, and exploits. Defending the perimeter typically involves the following technologies:
- Intrusion Detection System (IDS)
- Intrusion Prevention System (IPS)
- Firewalls
- Border Routers
- Threat Management System
Network Security: How an organization protects the usability and integrity of its network and data. This typically involves hardware, software, and network infrastructure.
Information Security: Protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or distribution in order to provide confidentiality, integrity and availability.
Cyber Security: The process an organization must follow to be aware of the latest and emerging cyber threats and trends to protect an organization from the changing or emerging security threat landscape.
Defense in depth: An approach of protection that involves layering a series of defense mechanisms to protect valuable data and information. This approach typically involves the following:
- Educating end users
- Network Security controls and devices
- Behavioral Analysis
- Analyzing Data Integrity
- Endpoint Security Software
- Honeypots
- IDS/IPS
- Firewalls
Zero Trust: A security framework that requires all users to be authenticated, authorized, and continuously validated for security configuration and posture before being granted access to applications and data. To simplify, it’s a process that enforces the stance of “never trust, always verify,” confirming that the end user has valid access to things on any network. For more on zero trust, please refer to my previous LinkedIn post found here: Zero Trust is not a product
Embarking on a security program with an initial focus on Perimeter Security may create a solid foundation for an organization. However, it’s crucial for each organization to redefine what constitutes a perimeter. I propose investing time in pinpointing potential creative entry points. At times, adopting a hacker’s mindset can be beneficial. Consider examining the vulnerabilities within your environment and contemplating how they could be exploited. Here are a few examples to guide you in this process.
- One potential entry point might be a USB drive discovered in your parking lot. Merely inserting the USB drive into a computer could trigger automatic execution, resulting in an unexpected compromise.
- An additional potential entry point could involve a highly convincing social engineering event, such as impersonating a boss or CEO, or through a phishing exercise.
A friend who works in Cybersecurity once shared with me this statement, “You are only as strong as your weakest link.” This underscores the significance of the concept “Defense in depth” in constructing a robust security program that aligns with a security roadmap.
In Part 2, we will talk more about Defense in Depth.
Meet the Author:
Chris Price is an experienced executive deeply committed to nurturing and empowering team members to realize their fullest potential. My passion lies in technology thought leadership, and my career has been dedicated to providing guidance and leadership in aligning technology with business objectives. In recent years, we’ve observed a significant evolution in technology, particularly in digital solutions, which have the potential to differentiate businesses and confer a competitive advantage in their respective industries. In this new era of digital business, organizations must embrace transformation. Within my team, we possess the expertise to guide organizations through the disruptions brought by digital innovations, offering innovative ideas and state-of-the-art technology to navigate these changes effectively.