CIOs and CTOs are hitting the ground running when it comes to IT priorities for 2021. For these priorities to be successful, however, security cannot be put on the back burner.
A recent IEEE survey of CIOs and CTOs from across the globe found AI, IoT, 5G and the cloud are expected to be major growth areas this year, along with a narrowed focus on COVID-19 pandemic response and the future of the workplace.
As organizations adopt these 2021 IT priorities, security teams need to be in the know to ensure adoption, deployment and management are done securely. Each IT priority has its own set of security requirements and introduces challenges that must be addressed by infosec teams.
For insights into the effects of these technologies, we turned to the experts. Here, IEEE members offer tips and best practices to ensure security amid priority adoption, as well as advice on how to best handle the future of infosec during pandemic changes.
Nearly a third of survey respondents said AI and machine learning would be prominent in their organization in 2021. Karen Panetta, IEEE fellow and dean of graduate engineering education at Tufts University, explained why security teams must not only secure AI usage among other parts of the organization, but also embrace the technology in their own processes.
Most survey respondents agreed that AI is a game changer. This affirms that companies need to start seriously considering using the technology to remain both competitive and secure. While recognized for its ability to help companies better understand the needs of their customers and improve marketing strategies, AI is now essential to understand supply chains and ensure the efficiency of internal operations. One of AI’s most interesting applications is to provide security for operations infrastructure and data by identifying patterns of anomalies that may be indicative of malicious behavior to help trigger security alerts. However, criminals and hackers are moving even faster and using AI to figure out how to best infiltrate corporations.
AI’s challenges include training the numerous deep learning algorithms that implement AI, the lack of labeled data for training and testing and, most importantly, issues with explainability of what AI does and why. Organizations must have experts on hand who understand internal processes and data before they can use AI effectively. Furthermore, AI can observe phenomena in data that humans have difficulty comprehending. Therefore, humans cannot place 100% trust in the results and recommendations, especially for life-critical applications.
The potential for cyber attacks to cause physical harm to people and damage to equipment is one of the greatest concerns. Examples include disrupting the power grid or supply chains or internal attacks on the plethora of IoT devices used within companies.
The best approach to prevent these attacks is to develop specific constrained end goals for cybersecurity rather than expecting AI to be the silver bullet that will solve it all.
IoT deployments have been growing for years, and that won’t stop in 2021 — 42% of survey respondents said they will speed IoT adoption in the coming months. IoT is no stranger to security challenges, but as Shawn Chandler, IEEE senior member and CTO at GridCure, explained, security teams must be prepared for both external and internal threats that may compromise IoT security, as well as how to properly design IoT systems in the first place.
Since the pandemic started, the number of external threats to utility infrastructure worldwide has significantly increased, more than 500% year to year, according to NetScout. However, not all threats are externally sourced. Internal bad actors and external phishing attacks, which rely on error through deception, are major challenges to IoT systems because interconnected infrastructure presents multiple points of failure.
In a poorly designed IoT system, any one resource is only as secure as the weakest participant — be it sensor, telecommunication link, software or hardware. These large-system challenges require meaningful due diligence and global standards. Industry organizations are seeking and have sought to address potential shortfalls in advance and set forth mechanisms to ensure end-to-end security is not only available, but achieved. Organizations should work to address these needs, while also addressing device and user privacy, information classification and other internal challenges, such as secure code design, password security and two-factor authentication.
Twenty percent of survey respondents cited 5G as a top priority in 2021. As David Witkowski, IEEE senior member and CEO of Oku Solutions LLC, explained, the technology shouldn’t be feared security-wise. 4G and 5G are inherently secure due to the encryption implemented between the network core and the SIM. Witkowski further explained that security teams should be aware of 5G features that could improve the security posture of their organizations.
It’s not that 5G creates security challenges; it’s more accurate to say that the performance improvements and new features in 5G could potentially enable new or exacerbate existing security challenges. For example, 5G evolves the cellular data network to support IoT devices on cellular networks. Enabling proliferation of IoT devices over WANs, however, could create security challenges in those devices because every deployed IoT device is a potential hacking target.
5G networks can also virtualize network and data functions and move them from the core to the edge. Because 3G and 4G cores are implemented in data centers, attackers must penetrate many layers of physical or network security before reaching the hardware. The physical locations for 5G edge computing may not be so secure — imagine a roadside or remote office cabinet containing an edge node and replicating all data back into the core and out to other edge nodes. Each edge node cabinet becomes a potential attack surface.
Client device security and lifecycle management are major issues. Security teams need to implement ways to exclude 5G-connected devices from internal networks if the manufacturer fails to patch zero-day vulnerabilities, exits the market or is acquired by a company that’s not planning to maintain the product’s security. Security teams also need to look at physical security for edge nodes and should consider any data replicated from edge nodes suspicious until scanned and verified.
Cloud computing security
Cloud computing has been in use for the better part of the millennium, but 55% of those surveyed told IEEE their organization’s cloud adoption would accelerate in 2021, largely driven by the effects of the COVID-19 pandemic. Securing the cloud takes a multipronged approach, as Carmen Fontana, IEEE member and cloud and emerging technology lead at Centric Consulting, described.
When executed mindfully, the cloud can provide a secure environment for organizations. Public cloud providers do an excellent job with the securing “of” the cloud, but it is up to organizations to manage security “in” the cloud.
That is where a mindful security architecture and strategy come in, including ensuring core cloud architecture adheres to best practices. All major public cloud providers have established framework models to use. Another important upfront activity is establishing identity and access management processes and tooling to manage users’ roles and privileges. Multifactor authentication (MFA) is a best practice here.
Cloud security goes beyond just IaaS, however. Cloud transformations often include PaaS and SaaS components, and securing those assets adds complexity. For instance, specialized web application firewalls may be required. Software development lifecycle and DevOps processes and practices should also be assessed and secured.
With all that in mind, the trickiest part is often striking the right balance between secure and accessible. Controls need to be put in place to keep your company’s assets secure, but they should not put an excess burden on your users. Doing so will, at a minimum, create frustration or, at worst, encourage bad behaviors. For example, why require overly complex passwords when a clever MFA strategy, such as biometrics, can provide the same security level without the hassle?
2020 was the year no one could have predicted. IT and security teams had to quickly adapt to shutdowns that brought remote workforce security issues, COVID-19-related phishing campaigns, ransomware attacks on schools and hospitals, and more. Now, as enterprises begin 2021, there are three more pandemic response challenges to potentially contend with: securing a hybrid remote and office work structure; securely reopening offices and facilities; and adapting to a permanent remote working environment. Kayne McGladrey, IEEE senior member and security architect and governance, risk and compliance practice lead at Ascent Solutions, outlined the most significant challenges each scenario presents and how security teams should prepare for them now to thwart potential security issues.
Hybrid remote and office work structure
The most significant challenge in this new era will be determining how to secure the corporate data stored on devices that physically move between a remote environment and an office environment. While employees taking company laptops home in the evening is not new, the pandemic caused an increase in employees using personal devices to process and store corporate data. Hard drive encryption might seem like an easy fix, but it is untenable if employees are using their own devices to deploy a corporate-managed encryption scheme on the device to mitigate the risks of a stolen laptop.
Companies need to take a nuanced approach to identify appropriate uses of corporate data, regardless of the location of the data — for example, allowing printing of documents to a corporate printer in a secured area but not to a personal printer. These policy approaches must be backed by automated technical controls to limit the amount of manual oversight that would otherwise encumber a security team.
Reopening offices and facilities securely
Reopening is an opportune time to review access lists for physically controlled spaces inside corporate facilities. Particular attention should be given to switch closets, physical internet access points and server rooms for companies with on-premises servers. An employee who previously had access to a secured space but will not be returning to the office should have that access revoked, particularly if the employee relocated to work remotely full time.
Securing a permanent remote workforce
Companies should look beyond the marketing hype associated with the zero-trust model and begin to develop a roadmap to update their architecture to eventually support zero trust. Those companies that chose to backhaul all corporate traffic via an always-on VPN in 2020 saw the costs of licensing and connectivity associated with inspecting all or most of their internet traffic. This is untenable and perpetuates the older security model of castles and moats. Companies should strongly consider whether having on-premises infrastructure is a competitive advantage and, if it is not, accelerate their secure move to the cloud to reduce costs associated with licensing, training, electricity and facilities rental. However, this assumes being able to identify devices and individuals and the ability to control the transmission and storage of data under a zero-trust architecture.