We are on a path that will see information security transformed in the next 5-10 years. There are five trends that will enable us as an industry to improve the overall security posture and reduce the attack surface. There is evidence that we are already moving in that direction with a push for built-in security, but we must be mindful to ensure management scales.
This blog will identify the five trends, discuss the evidence of change, provide examples of architectural patterns that scale, and share a possible future state.
Five information security trends
- Strong Encryption
- Ubiquitous Encryption
- Transport Protocol Stack Evolution
- Data-Centric Security Models
- User Control of Data
Motivation for changes in information security
The trends in play offer an opportunity to pivot in order to reduce the resource demands of current security solutions and architectures. The ability to deploy and scale information security is becoming critical. The motivations for a substantial change include:
- Threat actors are increasingly sophisticated, often motivated by cultural norms and identity.
- Every layer of the IP stack, including the physical hardware, has undergone or is undergoing significant change in the past few years.
- Encryption is driving security to the endpoint, where hardened systems and detection capabilities aligned to measured risk are increasingly important.
Evidence of information security changes
The industry has embraced common practices (the trends mentioned above), and those efforts are already improving the overall cybersecurity landscape:
- Applications are decoupled from operating systems.
- Operating systems are increasingly minimized, reducing the attack surface.
- DevOps is pushing us towards reuse of small modules, with DevSecOps baking security in at a granular level.
- This decoupling of the OS from the application, together with the move to microservices, enables faster remediation because the impact on adjoining applications and services is reduced.
- Attestation from a root of trust (RoT) is in use to provide hardware and firmware assurance, and will increasingly be applied up the stack to containers, operating systems, and so forth, ensuring code and system are as expected.
- Zero Trust (see NIST SP 800-207) is becoming pervasive, applied on a per-module or per-component basis, where security is built in. A follow-up blog will discuss the relationship between Zero Trust and the Lockheed Kill Chain with evidence of reduced dwell time for attackers.
Architectural patterns that scale
In the midst of change, we as an industry have the opportunity to direct the progression in a way that reduces the burden on resources by shifting towards architectural deployment and management patterns that scale. With this focus, we should be looking for opportunities where a small number of experts can have a large impact as we move to the endpoint. It’s a unique opportunity, and here are some examples:
- Manufacturer Usage Description (MUD) [RFC 8520] enables the manufacturer to set expected behaviour patterns for IoT devices. These can be updated by the small set of experts at the manufacturer and pushed out to all devices of that type and version as needed.
- Remote attestation of firmware at boot and at runtime. Technical controls are established by a small set of experts at the vendor, aligned to NIST SP 800-193 to provide firmware assurance and in some cases to the Trusted Computing Group's (TCG) Reference Integrity Manifest Information Model, and validated using attestation from a RoT on every system.
- CIS Benchmarks and CIS Controls are managed by a team of experts and broadly applied across systems and applications. CIS Benchmarks and trusted CIS Controls can be used to prioritize remediation based on informed risk levels as an important step you can take now in this transition to the endpoint.
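MUD files are JSON documents that follow the RFC 8520 YANG model: the manufacturer publishes one per device type and version, and a MUD manager on the local network turns it into access-control rules for every device of that type. The Python below is an added example, not code from the author, CIS, or any MUD implementation. It parses a constructed MUD file, applies the header checks RFC 8520 requires before a file is trusted (version 1, an https MUD URL, cache-validity within 1-168 hours, manufacturer support flag), and converts the from-device and to-device policies into an allow-list with a final drop rule. The device, hostnames and ACL names are invented; verification of the file's detached signature (mud-signature) is not shown.

```python
import json
from urllib.parse import urlparse

# Constructed sample MUD file in the RFC 8520 JSON encoding: a hypothetical
# thermostat that only talks to its controller on TCP/443. All values invented.
MUD_FILE = r'''
{
  "ietf-mud:mud": {
    "mud-version": 1,
    "mud-url": "https://sensors.example.com/thermo-v2.json",
    "last-update": "2021-03-01T10:00:00+00:00",
    "cache-validity": 48,
    "is-supported": true,
    "systeminfo": "Example thermostat (constructed sample)",
    "from-device-policy": {"access-lists": {"access-list": [{"name": "mud-1001-v4fr"}]}},
    "to-device-policy":   {"access-lists": {"access-list": [{"name": "mud-1001-v4to"}]}}
  },
  "ietf-access-control-list:acls": {
    "acl": [
      {"name": "mud-1001-v4fr", "type": "ipv4-acl-type",
       "aces": {"ace": [{"name": "cl0-frdev",
         "matches": {"ipv4": {"ietf-acldns:dst-dnsname": "controller.example.com", "protocol": 6},
                     "tcp":  {"ietf-mud:direction-initiated": "from-device",
                              "destination-port": {"operator": "eq", "port": 443}}},
         "actions": {"forwarding": "accept"}}]}},
      {"name": "mud-1001-v4to", "type": "ipv4-acl-type",
       "aces": {"ace": [{"name": "cl0-todev",
         "matches": {"ipv4": {"ietf-acldns:src-dnsname": "controller.example.com", "protocol": 6},
                     "tcp":  {"ietf-mud:direction-initiated": "from-device",
                              "source-port": {"operator": "eq", "port": 443}}},
         "actions": {"forwarding": "accept"}}]}}
    ]
  }
}
'''

PROTO_NAMES = {6: "tcp", 17: "udp"}


def validate_header(mud):
    """Header rules from RFC 8520 that a MUD manager enforces before using any ACL.
    Returns a list of problems; an empty list means the header is acceptable."""
    problems = []
    if mud.get("mud-version") != 1:
        problems.append("unsupported mud-version")
    url = urlparse(mud.get("mud-url", ""))
    if url.scheme != "https" or not url.netloc:
        problems.append("mud-url must be an https URL")
    validity = mud.get("cache-validity", 48)   # 48 hours is the RFC default
    if not 1 <= validity <= 168:
        problems.append("cache-validity out of range 1..168")
    if not mud.get("is-supported", False):
        problems.append("manufacturer no longer supports this device")
    return problems


def ace_to_rule(direction, ace):
    """Flatten one access-control entry into (direction, action, proto, host, port).
    from-device entries name a destination; to-device entries name a source."""
    m = ace["matches"]
    ip = m.get("ipv4") or m.get("ipv6") or {}
    proto = PROTO_NAMES.get(ip.get("protocol"), "any")
    if direction == "from-device":
        host = ip.get("ietf-acldns:dst-dnsname", "any")
        port = m.get(proto, {}).get("destination-port", {}).get("port")
    else:
        host = ip.get("ietf-acldns:src-dnsname", "any")
        port = m.get(proto, {}).get("source-port", {}).get("port")
    return (direction, ace["actions"]["forwarding"], proto, host, port)


def build_rules(mud_json):
    """Parse a MUD file and return the ordered allow-list the device should get."""
    doc = json.loads(mud_json)
    mud = doc["ietf-mud:mud"]
    problems = validate_header(mud)
    if problems:
        raise ValueError("; ".join(problems))
    acls = {acl["name"]: acl for acl in doc["ietf-access-control-list:acls"]["acl"]}
    rules = []
    for direction, key in (("from-device", "from-device-policy"),
                           ("to-device", "to-device-policy")):
        for entry in mud[key]["access-lists"]["access-list"]:
            for ace in acls[entry["name"]]["aces"]["ace"]:
                rules.append(ace_to_rule(direction, ace))
    # MUD is an allow-list: anything the manufacturer did not describe is dropped.
    rules.append(("from-device", "drop", "any", "any", None))
    rules.append(("to-device", "drop", "any", "any", None))
    return rules


def render(rules):
    """Human-readable rule table, one line per rule."""
    lines = []
    for direction, action, proto, host, port in rules:
        target = host if port is None else f"{host}:{port}"
        lines.append(f"{direction:<11} {action:<6} {proto:<4} {target}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(build_rules(MUD_FILE)))
```

The point of the pattern is visible in `build_rules`: the only expert input is the manufacturer's file, and the same handful of lines produce the rule set for every device of that type; a change at the manufacturer (a new controller hostname, a withdrawn support flag) propagates on the next fetch once cache-validity expires, while the closing drop rules ensure an unlisted flow is never silently allowed.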
The future of security and defence
The path and conclusions for this blog were reached by reading through all the standards published during four years as an IETF Security Area Director, gathering information on the ‘Effect of Pervasive Encryption on Operators’ as documented in RFC 8404, and analysing industry direction and trends.
This blog begins a series that will dive deeper, aligned to the goal of motivating adoption of architectural patterns that scale as discussed in Transforming Information Security: Optimizing Five Concurrent Trends to Reduce Resource Drain.
Kathleen Moriarty is Chief Technology Officer at Center for Internet Security and former IETF Security Area Director. She has more than two decades of experience working on ecosystems, standards, and strategy.
This post was first published on the Center for Internet Security Blog.