With constantly changing technologies and threats, every day as an IT security professional offers a new challenge and an opportunity to solve big, intractable problems. After 26 years in the security industry, I am excited to go to work each morning.
SAP has launched its new thought leadership journal Horizons by SAP, which brings together global tech leaders from various companies to share their perspective on the future of IT. In the coming weeks, one article from the journal will appear on the SAP News Center per week. Here, Tim McKnight, chief security officer at SAP SE, discusses the question of how businesses can benefit from modular IT without compromising data security or losing control over costs.
A quarter-century in the industry also lends me a broader view of trends, threats, and security approaches. One issue that keeps my team busy is that IT infrastructures are becoming increasingly componentized, with a growing collection of small hardware and software components that must be managed and secured. The effort required to provide a secure environment continues to grow, with the enemy becoming more sophisticated every year.
How can businesses benefit from modular IT without compromising data security or losing control over costs?
Two Steps to Stronger Security
Most companies began with monolithic mainframe systems with centralized processes and data. Over time, they moved to client and server systems with centralized processes and distributed data. Now, the majority of enterprises have distributed processes and data. As we’ve embraced the cloud, microservices, and a variety of applications, IT complexity has skyrocketed.
Surprisingly, the changes needed to secure modular IT systems are not radical. Companies should begin by putting their own security house in order. They must consistently employ zero-trust security models that maintain strict access controls for all users. It’s also important to get back to basics by deploying sophisticated authentication techniques, classic firewall and antivirus technology, and compliance solutions. In too many cases, enterprises have not yet fully executed on these foundational security components.
With these pieces in place, firms can enhance security to meet the unique requirements of modularization. By deploying intelligent technologies that help decision-makers learn from experience – such as artificial intelligence, machine learning, and advanced analytics – enterprises can track patterns and identify threats. These technologies can be especially helpful for intrusion and anomaly detection.
Security Orchestration Across IT Landscapes
One way to improve security in a fragmented infrastructure is to ensure it is applied on a platform basis.
Think of the average IT environment and the large number of applications that are deployed. Loosely coupled applications and microservices are integrated throughout the infrastructure. However, there is no common authentication or verification that helps these programs or their users comply with an organization’s security requirements.
The platform must have protections in place to secure these components in a controlled manner. Companies need to ensure software fits in with the larger security framework, enabling teams to optimize data flows, authorization, authentication, and verification.
New controls that detect behavioral anomalies are essential in more complex environments. By deploying features that identify when a user or intruder modifies data, changes code, or otherwise abuses the system, companies can pinpoint unapproved behaviors before they harm the business.
These controls can be extended beyond the four walls of the enterprise to protect the data of customers and partners. For example, we have engineered our products to detect data access by anyone. This feature protects customers using distributed computing environments.
Emerging Technologies for New Threats
Intelligent technologies can add even more speed and precision to enterprise security in a complex modular infrastructure. Many companies are interested in using system-log files to identify unusual user or program behavior. But parsing these files is incredibly difficult, time-consuming, manual work. Using intelligent technologies, such as machine learning, can automate security assessments and help administrators quickly identify anomalies or disruptive behavior.
Intelligent technologies can also support “taint analysis,” a technique that checks that no malicious data input harms HTTP requests, database requests, or command executions. By building taint-detection features into the security platform, we can help companies – and often their partners who use the system – prevent runtime attacks.
Other advanced features include deceptive applications, in which a programmer adds a decoy to the system that identifies an attacker who tries to access it. The decoy is a software artifact, such as a database table, which is a valuable asset for an attacker but is not accessible by standard applications. Intelligent technologies are also a good match for honey patches, where past vulnerabilities are simulated to trap attackers. Each of these features becomes increasingly important to protect corporate systems as they become more complex, heterogeneous, and modularized.
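The decoy-table idea described above can be sketched as follows. This is an added example, not code from the article or from SAP: it uses the authorizer hook of Python's sqlite3 module to deny and record any statement that touches a decoy table, and the table names, the DecoyMonitor class, and the session labels are hypothetical.

```python
import sqlite3

DECOY = "payment_cards_backup"  # hypothetical decoy table name (assumption)


def build_db():
    """Constructed sample schema: one table the application uses, one decoy."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(f"""
        CREATE TABLE orders (id INTEGER PRIMARY KEY, item TEXT);
        INSERT INTO orders (item) VALUES ('widget'), ('gasket');
        CREATE TABLE {DECOY} (holder TEXT, pan TEXT);
        INSERT INTO {DECOY} VALUES ('Test Holder', '0000-0000-0000-0000');
    """)
    return conn


class DecoyMonitor:
    """Runs statements for a session and alerts when one touches the decoy."""

    def __init__(self, conn):
        self.conn = conn
        self.alerts = []      # one entry per statement that hit the decoy
        self._hit = False
        conn.set_authorizer(self._authorize)

    def _authorize(self, action, arg1, arg2, dbname, source):
        # SQLite calls this while compiling a statement; for table reads
        # and writes, arg1 is the name of the table being touched.
        if arg1 == DECOY:
            self._hit = True
            return sqlite3.SQLITE_DENY
        return sqlite3.SQLITE_OK

    def execute(self, session, sql, params=()):
        self._hit = False
        try:
            return self.conn.execute(sql, params).fetchall()
        except sqlite3.Error:
            if not self._hit:
                raise  # unrelated SQL error, not a decoy access
            # No legitimate code path references the decoy, so any hit is
            # a high-confidence signal worth forwarding to monitoring.
            self.alerts.append({"session": session, "sql": sql})
            return []
```

Because the check runs when the statement is compiled, the alert is raised before any decoy row is returned, and ordinary application queries are unaffected.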
Shared Responsibility for Security
It’s essential to have a dedicated security organization. But in a modular IT environment, security must become the responsibility of the entire organization, not just the security team. The chief security officer must work with the chief financial officer and line-of-business (LoB) executives, ensuring all groups align to secure the company’s processes and information chain.
Even LoB leaders need to become security experts. Because attacks are becoming more sophisticated and targeted, security awareness must become the responsibility of everyone in the organization. Companies should ensure that employees are security aware. Using traditional courses or gamification, employees can be trained to make good choices, such as not opening a macro or clicking on potentially dangerous links.
In a recent ransomware attack, one of the world’s largest shipping companies lost US$350 million. As a result of this high-profile incident, many companies that recently thought security was not a top priority are stepping up their efforts to protect their IT infrastructure. Now, they realize this new generation of threats against a system with subpar protection could put them out of business.
The appetite for and acceptance of breaches is falling rapidly, as attacks become more costly and dangerous. In many cases, these security risks are becoming increasingly physical. For example, breaches of autonomous vehicle applications or healthcare data can threaten human life.
As attacks become more disruptive and sophisticated, security-minded companies expect more from their vendors. In simpler times, customers would ask us whether our security was up to date. Now, they ask us which features are available to respond to more complex breaches. Business leaders know that one security method alone is insufficient, and they want more innovative and competitive security strategies.
For many years, the standard for IT security has been “zero trust, validate all.” Yet, companies can only achieve that if they have appropriate measurements in place that identify and validate the traffic, the originator, and the impact on data, processes, and people. The only viable option is to apply controls and testing validation consistently and continuously.
Now Available: Horizons by SAP
Horizons by SAP is a future-focused IT journal. Thought leaders from the global tech ecosystem share their thinking about how new technologies and major business trends will impact our customers’ landscapes in the fast-arriving future. The first issue, available at www.sap.com/horizons, revolves around the implications and opportunities of modular IT.
Security must be built into the organization. The best way to accomplish this is by forming security policies, developing awareness throughout the network, and putting appropriate technologies in place to handle attacks of any quality and number. And quite simply, every application needs to have security embedded in it.
Companies also need to employ security experts who are familiar with security by design. By employing top-notch security professionals who are knowledgeable about the threat landscape and armed with the latest tools, business leaders can meet today’s growing threats head-on.
Achieving Trusted Security in a Modular World
Sometimes organizations expect their security experts to wave a magic wand that protects everything in a single stroke. In a modular world, this is unrealistic. There are too many components, microservices, and applications to seal off from the world. Protecting every asset is not only costly, but it would also break the system.
As IT infrastructures grow more complex, business leaders will need to classify the assets worth protecting. In most companies, 80% of the data is common knowledge and only 20% is crucial to the business. By taking the time to define this critical data, companies can reduce the cost and effort of securing unessential assets. They can also use risk assessment and threat modeling exercises to understand which parts of the IT infrastructure require protection.
In the world of modular IT, we cannot put a fence around the entire IT infrastructure, but we can protect critical information components. We can also create processes that determine the extent to which users can access information. In this way, distributed data and distributed processes can help protect vital digital assets.
A healthy, secure business requires trusted security. In an increasingly modular world, simplification is key. By focusing on the basics, developing a strong security culture, and embedding intelligent technology such as AI or machine learning into security processes, we can create secure infrastructures that are ready to support business growth.
Tim McKnight is chief security officer at SAP SE.