Is There Such a Thing as Simple and Robust Cybersecurity?
Is there such a thing as simple and robust cybersecurity? Do we face an inevitable choice between simplicity and robustness? If we want one, do we automatically lose the other?
The answer, like so many others in IT, is, “it depends.” While cybersecurity is seldom simple, there are ways to be robust while simplifying its practice. Focusing on protecting only the most important digital assets from the most likely and severe attacks is one proven way to keep things simple while maintaining a strong security posture. Another way is to manage access, especially privileged access, to key systems.
Making Things So Complicated
Can cybersecurity ever be simple? At a glance, one might think “no.” How simple can a matter be when cybersecurity is a $120 billion business (expected to reach $1 trillion by 2021) involving nearly every corporation and government entity, every technology company and half the people on the planet earth? How basic can security be when it requires focusing on software, hardware, firmware, networks, users, administrators, policies, laws, and foreign cyber armies?
Cybersecurity is a $120-billion-dollar business.
Yes, cybersecurity is a big, challenging field. Yet, we tend to make life needlessly difficult for ourselves. As the classic song might ask, “Why do you have to go and make things so complicated?” Perhaps we like things to be complicated. Or, more realistically, we may have trouble differentiating between what’s necessary and what’s not.
Excessive security rules are a symptom of our tendency to make things overly complex. An article in Harvard Business Review notes, “One of the big reasons security rules often don’t work is because they are so complex they drive people to take shortcuts that defeat their purpose. For example, password policies are so complicated and inconvenient that most employees just ignore them.”
The KPMG report “Cybersecurity: it’s not just about technology” offers a thought-provoking take on how organizations make cybersecurity unnecessarily difficult. As shown in the table excerpt, the report compares how a jeweler might prevent theft from a store with how many corporations approach cybersecurity.
| Jeweler’s perspective on theft security | Corporate perspective on cybersecurity |
| I know which assets to protect and have set up appropriate measures | I take measures without having a clear idea of the assets it is essential to protect. |
| I perceive theft as a risk in the business and know that realistically I can’t be in business if I want 100% security | I see cybercrime as something exotic and strive to achieve 100% security. |
| I focus on measures that prevent a person from leaving with valuable goods. | I focus on measures that prevent a person from entering and forget to take measures that prevent a person from taking away information. |
| I do not let security suppliers get spooked and I make my own purchasing decisions. | My security policy depends on the tools available in the marketplace, without knowing exactly what I need. |
| When it goes wrong or almost goes wrong, I learn a lesson. | When it goes wrong or almost wrong, I panic. |
| I train employees in how to reduce the risk of theft and talk to them when they make mistakes. | I view cybersecurity as mainly a matter for specialist professionals and don’t want to burden the rest of the organization with it. |
| I invest in tools because they assist the continuity of my business. | I invest in tools because it is mandatory and because the media reports on incidents every day. |
Table 1 – Comparison between a jeweler’s approach to theft prevention and that of corporate cybersecurity (Source: KPMG “Cybersecurity: it’s not just about technology” 2016)
Of course, a good security team won’t make all of these boneheaded moves. The comparison is still helpful because it highlights how cybersecurity policies can often be overly abstract or not clearly thought through in terms of actual risk mitigation. Making cybersecurity simple but robust requires a sharp focus on what really needs to be protected. It means weighing which threats are the most serious and the most probable.
The Power of “er”
Cybersecurity will never be simple. Yet, in the quest to simplify cybersecurity, there is power in the concept of “er,” as in simplER, cheapER, or fastER. Cybersecurity can definitely be made simpler once the priorities and threats are well understood. Then, it becomes possible to define security policies that are narrow and strong enough to achieve a robust cyber defense without wasting effort. Policy implementation need not be complex, either.
Cybersecurity will never be simple, but it can be simpler, cheaper, and faster.
Using the KPMG example, what could be done to avoid the problem of, “I focus on measures that prevent a person from entering and forget to take measures that prevent a person from taking away information”? If you were to try to prevent all users from taking any information away from a system, that would lead to a heavy-weight set of controls that would likely be difficult to maintain.
Instead, if you determined which information needed strong protections and established clear access rules, you will have made things simpler. The challenge at that point is to be able to modify the policy definitions easily and enforce them without overtaxing your team. That’s a matter of tooling.
How Privileged Access Management Simplifies Cybersecurity
Privileged Access Management (PAM) offers security teams a way to make cybersecurity simpler. A privileged user is one with administrative rights. He or she can access the back ends of critical systems, modifying user accounts and system settings. A privileged user can also often override security controls and even delete data. As a result, privileged users can present a security risk (either accidental or deliberate) unless their access is well managed.
PAM provides security teams with the tools they need to streamline and simplify cybersecurity.
A PAM solution defines and enforces security policies flexibly and simply. In the case of “I forget to take measures that prevent a person from taking away information,” PAM can establish which privileged users have the right to make a data asset accessible or not. With PAM, a single policy and enforcement tool determines how users can or cannot take information away from systems. Without a PAM solution, it would be necessary to set up and modify such access rights manually—a condition that inevitably leads to errors, or at the very least, excessive workloads and complexity.
Simplifying Cybersecurity with WALLIX
The WALLIX PAM solution governs access to privileged accounts by creating a single point of privileged access management policy definition and enforcement. Privileged users request administrative rights to a system through the Access Manager, which “knows” what systems the user can access and at what level of privilege. For WALLIX, a privileged user could be an employee, a contractor, an outside vendor, or even a machine. By centralizing control over administrative access, WALLIX contributes to simple but robust cybersecurity.
PAM controls and monitors the access and actions of privileged users.
WALLIX also records privileged account sessions with the Session Manager. It can send an alert if a privileged user is doing something suspicious, such as accessing a server from an unknown external location. This capability streamlines the audit and incident response processes. Without this kind of real-time privileged access session monitoring, cybersecurity teams have a harder time answering the important “who did what, to which system, at what time?” questions that invariably arise when there is a security incident. Security processes grow more complex and time-consuming. Conversely, WALLIX simplifies the audit and incident response workloads.
So where do we go from here?
It is possible to make cybersecurity simpler, if not simple. Many factors can help simplify cybersecurity. Prioritization of asset protection is one. Managing privileged access is another. By controlling and monitoring which users can access administrative back ends of critical systems, PAM streamlines the creation and implementation of policies that simplify cybersecurity.
Want to learn more about PAM and cybersecurity? Contact us.
