The very definition of information technology is being rewritten as the rate of change accelerates in the industry. Software-Defined Networking (SDN) and virtualization are just two examples of data center technologies that are shifting traditional notions of IT infrastructure. Once clear-cut and under the sole purview of the IT department, today's infrastructure is more fluid and less visible.
This shift coincides with a veritable Big Bang of interconnectedness: the Internet of Everything. From tablets and mobile devices to smart home appliances and sensors, 10 billion devices are currently connected: a number that will grow to 50 billion in the next six years. These devices are responsible for consumer-driven activities like entertainment and health monitoring, as well as services that support our socio-economic foundations, like energy and agriculture.
In terms of security, this brave new world means many more opportunities for attack. Whereas at one time IT was tasked with securing a smaller and well-defined landscape, we now have the mission of protecting any device against the increasingly malicious attacks of hackers. Traditional security tactics, for the most part, will not fit the bill. In short, we need to rethink what cyber security means.
Strategies for a new security landscape
The aspects I just quickly described may sound overwhelming, but I remain optimistic that methods exist to contain damage to assets, processes, and people that make use of information technology. Ironically, some of these methods are a case of what is old being new again, while others are entirely new ways to approach the issue. Of the many methods being discussed in the industry, I'd like to talk about three in particular.
First, master the basics. This includes taking a diligent approach to software patching, user identity management, network management and eliminating any dark space in your infrastructure. The main objectives in this endeavor include reducing attack surfaces available to adversaries and basing resource access policies on need-to-know/need-to-use principles. Even just getting better at patching can reduce available attack surface by as much as 70 percent. Organizations that perform thorough asset inventories are often surprised by how many previously undocumented systems they discover connected to their networks.
This do-the-basics strategy might sound commonplace, but it can be quite demanding when one takes into account the diversity and sheer numbers of devices and systems that today's IT operations must secure. A sophisticated identity management program that brings together the latest strong password, federated identity, privilege management and anomalous behavior detection technologies would not have been possible a few short years ago, but it can go far in improving the ability of security teams to prevent, see and contain security incidents.