Surveillance based security takes many forms – seemingly more every day, yet the fraudsters are undaunted.
According to Dark Reading (January 15, 2008) “Most security experts trace the firewall’s roots, back to work done at Digital Equipment Corp. in the late 1980s by Jeff Mogul, Brian Reid, and Paul Vixie, starting with the gatekeeper.dec.com gateway, as well as to Mogul’s “screend” technology.”
Securing the enterprise network and as importantly the enterprise data has been front of mind for half a century. In fact, “The imperative to protect increasingly digitized businesses, Internet of Things (IoT) devices, and consumers from cybercrime will propel global spending on cybersecurity products and services to $1.75 trillion cumulatively for the five-year period from 2021 to 2025, according to Cybersecurity Ventures.”(Cybercrime Magazine, September 10, 2021)
Despite the visibility and the billions of dollars spent every year building new products and new approaches to security, it is expected that cybercrime will continue to prosper and new forms of data protection will be closely followed by new approaches to defeat them.
Much of this phenomenon can be traced to the fundamental conflict between providing access to data and network services to authorized users and systems while locking out unauthorized users and systems. It could also be argued that a plethora of the security capabilities have been built as an afterthought and not the first requirement when delivering new services or capabilities. It is also true that many of our most vulnerable systems (infrastructure for example) were never envisioned to be connected to a single network (the Internet). They were designed as closed systems. Even communications systems like text messaging were not designed with wide open network accessibility in mind; in fact SMS is not even encrypted!
In broad strokes (very broad strokes) the approach to security has followed a reactionary path that has been cyclical in nature:
- A vulnerability is detected
- A security product is created (or an existing security product is extended)
- Cybercriminals, hackers, white hats, extortionists, thrill seekers find a way to break it
- The vulnerability is detected (or possibly reported by white hats)
- The cycle repeats
This has led us from the initial idea of a perimeter security (a firewall) to a broader set of products including but not limited to:
- Virus detection (in flight or at endpoints)
- Intrusion detection
- Intrusion protection
- Data Leakage Protection
- Application Level Gateways
- Back to back user agents
- Phishing detection
- Spam detection
- Social media monitoring and control
- And more…..
It has also led to physical controls (mostly on humans) to limit electronic devices in sensitive places, more thorough background checks, machine level surveillance and tighter control on devices.
It is September of the year 2022 and we still struggle between providing access to data and network services to authorized users and systems while locking out unauthorized users and systems. Ransomware finds its way into sensitive systems daily. Denial of service attacks continue to occur, cyberwar continues to grow in breadth and sophistication.
It seems unlikely that the battle will ever actually end, but it is also true that there is still much we can do to reduce the threat surface and progress toward better solutions to the fundamental problem.
- Reduce the duplication of sensitive data through a zero knowledge framework that can provide validation and verification without unnecessary data sharing
- Eliminate passwords or any other form of authentication that can be stolen or duplicated
- Reduce human access to sensitive data where it can be avoided
- Provide real time identity verification
- Eliminate non-secure messaging systems (at least from sensitive use) like SMS
All of this implies a more secure communications network for sensitive data that starts with a Zero Trust network where all endpoints are authenticated and is augmented with a Zero Knowledge network to ensure sensitive data is only seen by those systems that need to see it. It implies authentication not based on something you know or something you have (both can be stolen and duplicated) but based on something you are (biometrics, behavior etc). It also implies traceability to the bad actors which may not always be external to the enterprise.
There is a great deal of fundamental and valuable work going on in security. That cycle will continue. We need those security blankets. We also need to add to that a better fundamental way of dealing with the data and identities in the first place.