How to Combat the No. 1 Cause of Security Breaches: Complexity – DARKReading

Complex systems are hard to secure. As computing environments’ complexity grows, they become less secure and more vulnerable over time. In this article, I will demonstrate how security is tied to complexity, why increasing complexity of cloud computing environments is inevitable, and the pitfalls of common coping strategies.
First, let’s explore why complexity growth is inevitable. Here’s a hint for the impatient: It’s all about scale.
Scaling the World’s Computing
To better understand the challenges of scaling the world’s compute systems, we must remember that computing is a collaboration of machines (hardware), applications (software), and humans (peopleware), all of which increase complexity.
Let’s start with hardware. Modern computing environments are big — and constantly getting bigger. Organizations with even a small number of employees often command thousands-of-server fleets that come in a variety of form factors — the cloud, on-premises data centers, managed hosting, smart devices, self-driving vehicles, and so on. What drives complexity even further is that cloud environments are elastic; as managing hardware becomes more complicated, so does security.
How about scaling software? As the tech stack grows, so does the list of technologies that must be configured in a typical cloud computing environment before a cloud-native application is deployed. And here’s the scary fact: Every software layer comes with its own implementation of encrypted connectivity, client authentication, authorization, and audit, putting pressure on DevOps teams to properly set up these pillars of secure remote access.
And, finally, « peopleware » comes with its own scaling pains. As companies embrace remote work, the idea of controlling employees’ computers or relying on a network perimeter becomes less feasible. Moreover, as the tech talent shortage intensifies, companies are forced to operate without having sufficient security expertise on their teams.
But there’s no turning back. Hardware, software, and peopleware complexity will continue to grow, ultimately making computing environments more vulnerable.
Common Coping Strategies
How do organizations currently address the resulting security challenges? Unfortunately, most are unable to secure every single technology layer. Some of the most common coping strategies include:
None of these strategies provides sufficient levels of detail for audit purposes. For example, it becomes impossible to tell who dropped a SQL table if the access was performed via a VPN by a user named « dba. » Based on the increasing frequency of reported cyber incidents, it’s clear these approaches are struggling to minimize the operational overhead of infrastructure.
Zero Trust
The cybersecurity community is aware of the problem. And the industry prescription for these problems has become zero trust. Zero trust is not a true solution, but an architectural pattern. It postulates that every computing resource must distrust all clients equally, whether on the internal or external network. Essentially, zero trust declares perimeter-based, network-centric approaches to security as obsolete, and requires every server be configured as if exposed to the Internet.
Organizations built on cloud-native environments are moving toward identity-based access. In this setting, every employee must authenticate into a computing resource as themselves. When combined with a zero-trust principle, the « blast radius » of a compromised account is minimized to a single user and resource.
The scaling of hardware, software, and people has created an ever-growing complexity problem, making computing environments less secure. To combat this, the industry must prioritize the consolidation of all remote access protocols under a single-solution umbrella, so that identity-based authentication can negate the need for perimeter-based, network-centric access solutions. If we execute on these initiatives swiftly enough, government involvement may not be necessary.
Copyright © 2022 Informa PLC Informa UK Limited is a company registered in England and Wales with company number 1072954 whose registered office is 5 Howick Place, London, SW1P 1WG.

source