The volume, velocity and aggressiveness of cyber attackers continue to increase. As a result, it's not a matter of 'if' an organisation will be attacked; rather, it's a matter of 'when'. In the new 'digital normal', traditional perimetre defence is no match against the influx of cyber threats coming from all directions. And because of this reality, organisations must become more active in defending against attackers.
Cybersecurity needs to be viewed holistically by organisations. Organisations must develop their cybersecurity strategy comprising three significant pillars: security by design, defence in depth, and zero-trust.
Security by design (SbD)
Security by design is the origination point of a cyber-risk management process. A complete lifecycle consideration is a must in practical cybersecurity risk management. It is similar to the product development lifecycle, as it starts with an idea and ends with delivery and support. Security by design ensures that an organisation continually manages, monitors and maintains cybersecurity risk governance and management.
While any software/hardware/project is developed, the design considers cybersecurity. Security by design ensures that organisations consider cybersecurity at the beginning of a project. It means that developers design the software to be secure from the outset to reduce the likelihood of flaws that might compromise information security.
Security by design enables an organisation to build security into its IT management processes. It focuses on preventing a cybersecurity breach rather than repairing and restoring a system after an organisation has been hit by a cybersecurity breach.
Defence in depth (DiD)
Defence in depth cyber security strategy follows multi-layered defensive mechanisms/barriers of protection across the organisation to integrate people, technology and operational capabilities. By layering heterogeneous security technologies along common attack vectors, a defence in depth strategy helps ensure that attacks get missed or bypassed. This redundancy completes greater security and can protect against a wider variety of attacks. DiD is also called the castle approach because it resembles the walls of a castle.
The strategy assumes that attackers will, or already have, penetrated different layers (compromised various tools/solutions) of the organisation's defences. Therefore, multiple layers of security are needed to detect attackers at every stage of their attack cycle. In addition, no security tool or measure is perfect, so organisations need to account for potential failures. By building multiple layers of security, organisations can reduce the chance of a single point of failure occurring in their systems.
The defence in depth strategy combines administrative, technical and physical controls. It can also include additional security layers, like other access controls, endpoints defence, data protection, perimetre defences, monitoring and prevention, threat intelligence, etc.
Zero-trust (ZT) is an evolving set of cybersecurity paradigms. It has shifted security from static, network-based perimetres to a more specific focus on users, assets and resources. A zero-trust architecture (ZTA) follows zero-trust principles to plan industrial and enterprise infrastructure and workflows. The zero-trust concept centred on the belief that organisations should not automatically trust anything inside or outside their perimetres. Verifying anything and everything trying to connect to any systems is a must before granting access.
Zero-trust assumes no implicit trust is granted to any system or user solely based on locations (i.e., local area networks versus the internet) or asset ownership (enterprise or personally owned). Authentication and authorisation (subject and device) are discrete functions performed before a session to an enterprise resource is established. Zero-trust focuses on protecting resources (accounts, assets, network, services, workflows, etc.), not solely the network zone.
The zero-trust approach relies on various technologies and governance processes to secure the enterprise IT environment. As a result, zero-trust requires ongoing effort. Yet developing a zero-trust environment isn't just about implementing any individual technologies. It's about using existing and/or other technologies to enforce the idea that no one and nothing has access until they are proven to be trusted. While designing zero-trust, it is crucial to consider continuous monitoring and validation, least privilege, device access control, micro-segmentation, preventing lateral movement, multi-factor authentication (MFA), etc.
Combining the pillars
Cybersecurity becomes stronger when Security by Design, Defence in Depth, and Zero-trust are combined. These three pillars of cybersecurity risk management must be incorporated into the organisations' cybersecurity development framework to identify the gaps, mitigate threats and build business resilience. With the growing sophistication of global cyber threats and the expanding digital attack surface, a vigilant three-pillar strategy is a must for a robust cyber defence.
The author is an Information Security and Cyber Digital Transformation practitioner & technology expert. The author can be reached at firstname.lastname@example.org.