The horrific news of the attacks in Belgium last week has resulted in predictable calls for increased security by pushing the perimeter back to the airport door. Security-weary air travelers may now be looking forward to outdoor queues to gain access to terminals, in addition to the screening already in place.
This pattern of reaction is typical for air travel. We must remove an ever-increasing amount of clothing to get through security screening. We x-ray people now, not just luggage. We can no longer transport normal-sized tubes of toothpaste or hairspray. All thanks to creative attackers who are constantly scheming to find new ways to hide explosives in shoes, underwear or water bottles.
It’s been said that the military is always preparing to fight the last war. Are we doing the same in IT security? Are we doomed to always react to the threat?
A shift towards identity governance and administration
With the Pre-Check Program, the US Transportation Security Administration (TSA) has already started using identity as a means of filtering threats, or rather reducing the resources focused on low-risk travelers. This is one example of using identity and a risk-based approach to focus resources more proactively.
Identity and access management (IAM) has long been a supporting technology that helps IT become more efficient at provisioning access and provide a better user experience. The last four or five years have seen IAM evolve into identity governance and administration (IGA), with a focus on reducing unnecessary access through role management, entitlement discovery and access certification programs. This shrinks the vulnerability footprint as a proactive risk-reduction measure.
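To make the IGA step concrete, here is an added example (not code from the original article or from any product it mentions) of the entitlement discovery and access certification triage the paragraph describes. It takes a constructed snapshot of who holds which entitlements and which role each person sits in, mines a candidate role definition from what most peers hold, and queues every entitlement that is rare within its holder's peer group for a certification review. The user names, roles and entitlement strings are all constructed for illustration.

```python
"""Entitlement discovery and access-certification triage (added example).

Peer-group outlier analysis: an entitlement held by a user but by fewer than
`threshold` of the people in the same role is unusual and gets queued for
certification. The same prevalence numbers give a mined role baseline, i.e.
the set of entitlements a role should normally grant.
"""
from collections import Counter, defaultdict

# Constructed snapshot for illustration: user -> (role, entitlements held)
ACCESS_SNAPSHOT = {
    "alice": ("finance-analyst", {"erp.read", "erp.report", "vpn"}),
    "bob":   ("finance-analyst", {"erp.read", "erp.report", "vpn"}),
    "carol": ("finance-analyst", {"erp.read", "erp.report", "vpn", "erp.admin"}),
    "dave":  ("finance-analyst", {"erp.read", "vpn"}),
    "erin":  ("sre", {"prod.ssh", "vpn", "cloud.admin"}),
    "frank": ("sre", {"prod.ssh", "vpn", "cloud.admin", "erp.admin"}),
    "grace": ("sre", {"prod.ssh", "vpn"}),
}


def peer_prevalence(snapshot):
    """For each role, the fraction of its members that hold each entitlement."""
    members = Counter()
    holders = defaultdict(Counter)
    for role, ents in snapshot.values():
        members[role] += 1
        for ent in ents:
            holders[role][ent] += 1
    return {
        role: {ent: n / members[role] for ent, n in holders[role].items()}
        for role in members
    }


def outlier_entitlements(snapshot, threshold=0.5):
    """Entitlements held by a user but by fewer than `threshold` of their role peers.

    Returns (user, role, entitlement, prevalence) tuples, rarest first, which is
    the order a certification campaign would present them to the approver.
    """
    prevalence = peer_prevalence(snapshot)
    flagged = []
    for user, (role, ents) in snapshot.items():
        for ent in ents:
            share = prevalence[role][ent]
            if share < threshold:
                flagged.append((user, role, ent, share))
    flagged.sort(key=lambda t: (t[3], t[0], t[2]))
    return flagged


def mine_role_baseline(snapshot, threshold=0.5):
    """Entitlements held by at least `threshold` of a role's members.

    This is a first cut at a role definition: access that should be granted by
    the role itself rather than by one-off requests.
    """
    prevalence = peer_prevalence(snapshot)
    return {
        role: sorted(ent for ent, share in shares.items() if share >= threshold)
        for role, shares in prevalence.items()
    }


if __name__ == "__main__":
    for role, ents in mine_role_baseline(ACCESS_SNAPSHOT).items():
        print(f"role {role}: baseline {ents}")
    for user, role, ent, share in outlier_entitlements(ACCESS_SNAPSHOT):
        print(f"certify: {user} ({role}) holds {ent}, held by {share:.0%} of peers")
```

On this snapshot the two `erp.admin` grants stand out: one held by a single finance analyst and one held by an SRE whose peers do not have it at all. Both are exactly the kind of accumulated access a certification campaign exists to remove, and the threshold is the knob that trades reviewer workload against thoroughness.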
But there is more that IAM can contribute.
Security needs context
While aviation security can use the force of government to mandate the continued outward push of the perimeter, business is feeling the opposite pressure with IT services becoming a competitive weapon for digital businesses. There is a push for more openness even with employees, evidenced by the analyst firm Gartner’s recommendation to use unrestricted access by default and only place access controls on sensitive data.
So what can a security team do to maintain some sense of control?
Using another aviation analogy, the national airline of Israel, El Al, is widely considered to be the most secure in the world. While they have experienced attacks at their ticket counters (the perimeter), they haven’t had an onboard incident since 1970. They attribute this partly to using interviews to filter out the highest-risk passengers for the most scrutiny.
In IT security, analytics is a promising new technology that attempts to do something similar. By understanding normal patterns of behavior, associated with specific identities, abnormal behavior can then be recognized. It is this identity context that security needs most to proactively identify threats as they pass through the now-defunct perimeter.
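The identity-context analytics described above, as an added example that is not code from the original article: a baseline of normal behavior is learned per identity from a known-good window of authentication events, and later events are scored against that identity's own habits (source country, applications touched, time of day) rather than against a global rule. All log lines, user names, addresses and application names are constructed for illustration.

```python
"""Identity-centric behavioral anomaly detection (added example).

Each identity gets its own baseline of where it logs in from, what it touches
and when. A later event is flagged only where it departs from that identity's
own pattern, which is the context a perimeter control never has.
"""
from collections import defaultdict
from datetime import datetime

# Constructed "known-good" window used to learn each identity's normal pattern.
BASELINE_LOG = """\
2016-03-01T09:02:11Z alice login src=10.1.4.7 geo=US app=erp
2016-03-01T09:15:40Z alice access src=10.1.4.7 geo=US app=erp
2016-03-02T08:55:03Z alice login src=10.1.4.7 geo=US app=erp
2016-03-03T10:20:19Z alice access src=10.1.4.9 geo=US app=hr-portal
2016-03-01T22:10:00Z bob login src=203.0.113.5 geo=SG app=vpn
2016-03-02T23:05:12Z bob login src=203.0.113.5 geo=SG app=vpn
2016-03-03T21:40:44Z bob access src=203.0.113.5 geo=SG app=git
"""

# Constructed later events to score against the baseline.
NEW_LOG = """\
2016-03-21T09:10:00Z alice login src=10.1.4.7 geo=US app=erp
2016-03-21T03:12:00Z alice login src=198.51.100.9 geo=RO app=erp
2016-03-21T03:14:30Z alice access src=198.51.100.9 geo=RO app=cloud-admin
2016-03-21T22:30:00Z bob login src=203.0.113.5 geo=SG app=vpn
"""


def parse(log):
    """Turn 'timestamp user action key=value ...' lines into event dicts."""
    events = []
    for line in log.splitlines():
        ts, user, action, *kv = line.split()
        fields = dict(pair.split("=", 1) for pair in kv)
        hour = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").hour
        events.append({"ts": ts, "user": user, "action": action, "hour": hour, **fields})
    return events


def build_baseline(events):
    """Per-identity sets of seen countries and apps, plus the hours seen."""
    base = defaultdict(lambda: {"geo": set(), "app": set(), "hours": []})
    for ev in events:
        entry = base[ev["user"]]
        entry["geo"].add(ev["geo"])
        entry["app"].add(ev["app"])
        entry["hours"].append(ev["hour"])
    return base


def hour_distance(a, b):
    """Distance between two hours on a 24-hour clock, so 23 and 01 are 2 apart."""
    d = abs(a - b)
    return min(d, 24 - d)


def score(ev, baseline, hour_slack=3):
    """Reasons an event deviates from its identity's baseline; empty means normal."""
    entry = baseline.get(ev["user"])
    if entry is None:
        return ["unknown identity"]
    reasons = []
    if ev["geo"] not in entry["geo"]:
        reasons.append(f"new geo {ev['geo']}")
    if ev["app"] not in entry["app"]:
        reasons.append(f"new app {ev['app']}")
    nearest = min(hour_distance(ev["hour"], h) for h in entry["hours"])
    if nearest > hour_slack:
        reasons.append(f"hour {ev['hour']:02d} is {nearest}h from any usual hour")
    return reasons


def detect(baseline_log, new_log):
    """Return (timestamp, user, reasons) for every new event that deviates."""
    baseline = build_baseline(parse(baseline_log))
    hits = []
    for ev in parse(new_log):
        reasons = score(ev, baseline)
        if reasons:
            hits.append((ev["ts"], ev["user"], reasons))
    return hits


if __name__ == "__main__":
    for ts, user, reasons in detect(BASELINE_LOG, NEW_LOG):
        print(f"{ts} {user}: {'; '.join(reasons)}")
```

Note what the per-identity view buys: bob's 22:30 login would look like an off-hours event under a global rule, yet it is normal for him and is not flagged, while alice's 03:12 login from a country she has never used is flagged on two independent grounds and her next access to an application she has never touched adds a third. In practice the baseline window should be long enough to cover travel and shift patterns, and a new identity with no baseline is itself worth a look rather than a silent pass.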
Eliminate threats at their source
Government has a role to play as well. Last week, the US Department of Justice indicted seven hackers associated with the Iranian government on charges of conducting DDoS attacks against 46 U.S. banks between 2011 and 2013, as well as an attack against a dam in New York state.
These indictments demonstrate a willingness to call out foreign governments for their role in cyber attacks, but it remains to be seen how aggressive the pursuit of justice will be. Raising the cost of cybercrime is a role uniquely suited to governments worldwide. Those governments that overtly sponsor or tacitly overlook the hackers within their borders need to begin paying a price if there is any hope of reining in the growth of cybercrime.
As an industry that often blames the victims, have we lost sight of the need to pursue the perpetrators of cybercrime? A more proactive approach would be to deter such crimes with more aggressive enforcement. The role of defense is always made easier with a good offense.