Well, first and foremost to everybody out there, have a wonderful Thanksgiving! May you enjoy the holiday with family and friends. Despite what the year has brought us, there is still a lot to be grateful for, especially that we, the United States, have survived yet another year of the COVID19 pandemic.
As for me, it being a day off, I was bored, so I thought I would write an article anyway. Apart from all of the technojargon that has come and gone, as well as all of the vendors, there is a newer trend happening in our world today: the mushrooming of frameworks, policies, templates, etc. by the Federal Government, brought on especially by NIST.
One of the main catalysts for this has been the CMMC, a mandate that all contractors/subcontractors in the Defense Industrial Base have to achieve some sort of certification from the DoD before they will be allowed to bid on future contracts, or even to continue on existing ones.
There have also been other things that have come out to help businesses establish the right balance of controls for data privacy compliance, etc.
But the problem, as we all know, is that by the time the Federal Government has established new guidelines for Cybersecurity, the threat landscape has changed, and as a result these policies need to be updated again. Very often, the Federal Government is blamed for this, for being too far behind the curve in keeping up with what is happening out there.
It’s like Biden’s recent Cybersecurity Executive Order. It’s great that it has been signed, but how long will it take before it really has an impact? My best guess at this point would be a few years, at the very least.
So, what can the Federal Government do to make sure that whatever new frameworks, policies, etc. they come up with will still have some bearing in the future?
The key is to look at what the trends are now, and see which ones will still carry on at least for the next few years down the road. It is also very important to keep in mind that the emergence of the near 99% Remote Workforce has played a huge part in dictating this picture, and this will have to be accounted for as well.
So, what should the areas of emphasis be when creating these new pieces of documentation? Here is a sampling:
1) The Cloud:
Although Corporate America started to realize the benefits long before COVID19 hit, it is the pandemic which has fueled this growth to a much more permanent level. For example, many businesses are now migrating their On Prem Infrastructures entirely into a Private Cloud platform such as AWS or Microsoft Azure. Although in theory the same controls should still take effect, there could be some differences. The adoption of the Cloud is only going to grow into the future, as the thought of the “Metaverse” is now starting to get embraced by companies as well. This is where avatars are used 100% to represent ourselves in the real world. Also, data privacy is a whole new ball game here as well, as leakages are more prevalent in the Cloud than ever before.
2) Address the issue of Endpoint Security:
Before the near 99% Remote Workforce took hold, many companies simply relied upon the traditional VPN in order to secure the lines of network communications from the point of origination to the point of destination, and vice versa. But with everybody WFH now, the VPNs have reached their breaking points, and the thought of protecting these Endpoints has become a forgotten issue. Because of both of these factors, the Cyberattacker now has new ways of getting in, and staying in for much longer periods of time, going unnoticed. As a result, organizations in Corporate America have started to realize this and have started to do something about it, albeit too late, IMHO. Therefore, any new frameworks or guidelines that come out from the Federal Government have to address these two issues, and even provide checklists to make sure that not only is newer technology being used to keep up with the sheer explosion of people WFH, but that the right tools are also in place to help fortify these Endpoints, as they will only grow more into the future as well.
3) Wireless Access:
Even more so than the VPN, this kind of access will proliferate into the future as well, probably even more so than anything else. Once again, it is COVID-19 that has really brought this on. For example, when everybody was in the office, this was barely an issue. But once again, with everybody WFH, the meshing of the home and corporate networks became a problem. For example, many remote workers still continue to use their home networks in order to access the corporate networks. While this may be secure in one sense, how on earth do the IT Security teams apply software patches/upgrades to the wireless devices without first getting access to the home network? Nobody will allow this to happen, because of the privacy issues that are involved. People would much sooner quit than give access to some stranger they do not even know. Compounding this problem is when people choose to work in public venues, such as the local Starbucks, and choose to totally ignore all of the employer’s security policies.
My Take On This
Well, there you have it, some of the top Cyber issues that the Federal Government has to take into consideration when creating their new frameworks and guidelines. But the reality is that it will literally take forever for the government to respond to this, as mentioned before. So what is one to do? Well, just make sure that you are keeping up to snuff as to what is happening now. In terms of compliance, this means keeping up with the tenets of the GDPR and the CCPA so that you do not get fined or audited. But more than anything else, whatever good security practices you have on hand right now, make sure you keep up with that, and more!!!