Whether organizations truly need a cybersecurity framework is one of the biggest questions that’s never really asked in information security. This is because some vendors focus on selling spot security products, an approach that doesn’t lend itself to encouraging enterprises to step back and look at security in the overall context of what they are trying to achieve.
Taking a holistic approach to security frameworks can lengthen the sales cycle for vendors and can require a lot of customer education. It also raises the risk that buyers will want a suite with broader capabilities than they can offer. As a result, some vendors push products for perimeterless security approaches that protect data when there is no traditional corporate network.
A borderless security approach raises questions about whether organizations need a new security framework based not on the older demilitarized zone (DMZ) or newer security-zone concepts, but on a biocontainment concept where the goal is to secure information inside, not just to keep people out.
Cybersecurity zone framework structures
Any approach to security is about keeping people or things out of areas where they don’t belong. To begin with security principles, physical security at a plant or a facility is usually based on security zones that represent resources or areas with specific security requirements. Think of this as a series of fences and gates arranged so the further you go, the more secure you must be. Outside the outermost zone is the world of users, from which your IT resources have to be protected.
The security zone cybersecurity framework is the modern version of the older and simpler DMZ “surrounding the perimeter” model of security zones. Most companies have the four following basic security zones:
- an outermost public zone where nontrusted web access is allowed and autonomous devices must reside;
- an access zone where users, partners and employees can access information according to their role privileges;
- an application zone where applications exchange information with other applications; and
- a restricted zone where critical resources are stored.
Security principles should be based on these zones, and practices (addressed below) are applied within them in a security zone model. Security practices can also be applied in a borderless model.
The first and perhaps most important security framework principle is that every zone exposes (or publishes) only the information it is allowed to via an interface or API. But security doesn’t stop with access control. It is also critical to look first at how information is exposed, then at who’s entitled to see the results.
No specific tool controls what information should be exposed. Enforcing this principle means deciding what information must be available within a zone. API management principles and tools can then be used to define and expose that information. Remember that less-secure outer zones should be information clients of more secure zones, so when a zone exposes information, it’s not only supporting its own users, it’s also feeding less-secure zones with the limited information they are entitled to have. The key principle is to expose only what’s actually needed. Most organizations expose too much information, which increases their risks.
In the second zone-based cybersecurity framework principle, each zone must protect who gets access and manage its members’ behavior. Many of the largest security breaches have happened because someone had access to a low-security zone and, from there, was able to hack deeper into secure layers because no protections were in place against user behavior once they gained admission.
Part of adhering to this principle means keeping track of secure access and access attempts so bad behavior can be linked back to specific people or applications. It’s also good to have a statistical report on the number of times each secured API is accessed or each time an access attempt fails. This helps spot usage patterns, and when patterns change, it indicates deeper exploration of those access logs is warranted.
Implementing cybersecurity framework practices
Effective security is the application of practices and tools within the security principles that define a cybersecurity framework. Like security principles, practices are divided into multiple areas.
Access control provides rules that control the penetration of each security zone. This means access controls exist at each zone boundary. Organizations can implement access control with sign-on controls, firewalls and network connectivity control, or even by multiple means.
Resource control addresses how information resources should be deployed in a consistent and secure framework, which means applying infrastructure automation and application orchestration to build a hosting environment that can be controlled.
Interception control is the final cybersecurity practice area. Information sent on a network, if read by an unauthorized party, could be used to steal data or credentials that might then permit access. Encryption technology is the foundation of network security that can also be used to enhance access control by requiring encrypted API access and controlling key distribution.
In a zone-based cybersecurity framework, these principles and practices apply per zone, and since the zones build on each other from the inside out — or from the most secure to the least secure — the measures also build on each other. Layers of information — each layer customized to contain only what is needed — isolate critical data and applications from users not entitled to have it. The right to access information should be based on a business need and framed within a zone where similar security requirements prevail. This organization takes time to develop, but it pays off by creating a system for the whole information access and storage process.
Perimeterless security practices
The practices without a framework method touted by some security vendors applies the same practices and tools, but rather than using them to set security zones, it uses them to attack threats directly. The problem is that threats are difficult to identify in this approach if it doesn’t incorporate the concept of entitled access and zones of comparable security policies. What some users need, others aren’t allowed to have. Threats have no easily established context, no measure of risk, and, without successive security layers, someone who is entitled to some access can end up all the way in.
Perimeterless security may seem easy because it doesn’t require much planning since the concept is to see a problem and fix it. The difficulty is that the first exposure to the problem can be costly. It’s better to plan and set a cybersecurity framework. In the long run, that will create better IT security at a lower cost.