#SecTorCa: Cyber Expert Wendy Nather Unmasks "Scary Bits" of Infosec in 2021

While Halloween 2021 is a few days past, Wendy Nather, head of advisory CISOs at Cisco, still sees many "dark" things on the infosec landscape.

In a keynote session at the SecTor security conference on November 4, Nather outlined various potential concerns facing IT security professionals now and likely for years into the future. The infosec concerns for Nather have in no small part been accelerated by the pandemic, as employees were predominantly working remotely from home.

“We had a surprise visit to zero trust land,” Nather said. “Now, if you’re still not really sure what zero trust means, it’s okay. But, I’m here to tell you that nobody likes that term.”

Zero trust is a concept that has become increasingly used in recent years. Nather said that when the pandemic first hit hard in early 2020, organizations told employees to use whatever they had at home. That ended up with a lot of organizations running out of VPN licenses.

Wendy Nather speaking at SecTor security conference

“So we had a lot more BYOD (bring your own device), which is something that zero trust is really good at handling,” Nather said.

Another difficult challenge that has emerged due to the pandemic is making effective use of biometric multi-factor authentication technology, including fingerprint and face recognition technology. In multi-user environments like a hospital, it was no longer considered safe for many users to tap a biometric scanning device with their finger, as there was a fear of contact contamination.

“Who knew that face ID would stop working because everybody was wearing masks,” Nather said. “All these sorts of things we had to figure out and scramble and figure out what factors we could still use that would do the authentication that we needed to build a good zero trust environment.”

The Internet is "Dark and Full of Terrors"

Another source of concern for many IT security professionals is the network itself, which Nather remarked is “dark and full of terrors.”

The dark part is that the network increasingly lacks visibility as the volume of encrypted internet traffic continues to increase. She noted that while encrypted traffic can be a good thing for privacy, it also means that IT security professionals can’t see everything all the time, as they once could.

Nather said that organizations couldn’t see security events and details needed to make risk decisions for endpoints, applications and connections without being in line with the communication path.

“What you’re left with is looking at the endpoint and the application more closely. You’re going to have to get more indicators for those two spots because you can’t get them from the middle anymore,” Nather said. “So, is this a problem? Yeah, it is.”

Nather noted that the security industry is starting to work through the issue now with a series of different nascent approaches. One such approach is the continuous access evaluation protocol (CAEP).

“This is something that will help after the session initiation and continuing through the life of the session to decide if something is going on that you need to take action on,” Nather said.

Nather warned that there could be a future when IT security professionals have less visibility than ever before. She added that there would be fewer entities that actually have direct control over the network that organizations are using, and enterprises will have to move security controls into new domains and try different frameworks to compensate.

“I don’t want to frighten you completely; it’s not happening just yet, but brace yourself for this brave new world,” Nather said. “I don’t want to leave you completely scared, so I’m just going to say, you know, it’s going to be okay. It’s okay. This is all right. We can figure this out.”
